Reputation: 13001
My public web app has a special servlet that generates a digest of published documents and saves them to a configured file path on the server. This servlet must only be available to IPs specified by the administrator of the app.
My hope is/was that this kind of stuff could be configured via Tomcat's security manager (a special servlet/URL should only "listen" to a specific IP (range)). Is this possible?
Or in general: I don't want to implement "security" in my code (the servlet itself could filter the IP). It should be a matter of container configuration or system configuration.
So how to achieve that?
Upvotes: 0
Views: 982
Reputation: 26713
Tomcat already comes with a Remote Address Filter valve that filters all requests to match a pattern. If you only need to provide filtering for a single URI, it is probably best to extend the RequestFilterValve class and embed the logic in the extension. Something like this should work (haven't tested locally but you should be able to get the idea):
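    import java.io.IOException;
    import javax.servlet.ServletException;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;

    // Newer Tomcat versions also require implementing the abstract getLog() method.
    public class YourValve extends org.apache.catalina.valves.RequestFilterValve {
        @Override
        public void invoke(Request request, Response response) throws IOException, ServletException {
            if (request.getRequestURI().startsWith("/path/to/your/secure/servlet")) {
                // check the client address against the configured allow/deny patterns
                process(request.getRequest().getRemoteAddr(), request, response);
            } else {
                // no need to filter anything: hand the request to the next valve
                getNext().invoke(request, response);
            }
        }
    }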
You would have to configure this valve to provide an allow regex, as explained in the Remote Address Filter documentation. It could be something like

    <Valve className="YourValve" allow="127\.\d+\.\d+\.\d+"/>

(above only allows localhost)
This article, chapter 4.1, explains how to install valves.
Upvotes: 1
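The answer's `allow` pattern can be checked against sample addresses before it goes into `server.xml`. The following is an added example, not code from the answer or from Tomcat: it models the decision under the assumption that the whole remote address must match the pattern, and the class name, the `WITH_IPV6` variant and the sample requests are constructed for illustration.

```java
import java.util.regex.Pattern;

public class AllowPatternCheck {
    // Prefix used in the answer's valve; requests outside it are not filtered.
    static final String PROTECTED_PREFIX = "/path/to/your/secure/servlet";

    // allow value from the answer's <Valve> element.
    static final Pattern ANSWER_ALLOW = Pattern.compile("127\\.\\d+\\.\\d+\\.\\d+");

    // Assumed variant that also covers the IPv6 loopback forms.
    static final Pattern WITH_IPV6 =
            Pattern.compile("127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1");

    // Assumption: the whole address must match the pattern (Matcher.matches()),
    // and an address that matches nothing is rejected.
    static boolean permitted(Pattern allow, String uri, String remoteAddr) {
        if (!uri.startsWith(PROTECTED_PREFIX)) {
            return true; // not the protected servlet, nothing to check
        }
        return allow.matcher(remoteAddr).matches();
    }

    static String verdict(boolean ok) {
        return ok ? "allow" : "deny";
    }

    public static void main(String[] args) {
        // Constructed sample requests: { request URI, remote address }
        String[][] requests = {
            {"/path/to/your/secure/servlet", "127.0.0.1"},
            {"/path/to/your/secure/servlet", "0:0:0:0:0:0:0:1"},
            {"/path/to/your/secure/servlet", "192.168.1.20"},
            {"/public/index.html", "192.168.1.20"},
        };
        System.out.printf("%-32s %-18s %-8s %s%n", "URI", "remote", "answer", "with IPv6");
        for (String[] r : requests) {
            System.out.printf("%-32s %-18s %-8s %s%n", r[0], r[1],
                    verdict(permitted(ANSWER_ALLOW, r[0], r[1])),
                    verdict(permitted(WITH_IPV6, r[0], r[1])));
        }
    }
}
```

The second sample row shows the case worth checking on a dual-stack host: a local client that connects over IPv6 is denied by the answer's pattern unless the loopback forms are added to it.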