How to configure tomcat to use different ports for different endpoints in a single application?

Question

I have a tomcat .war application that has a number of endpoints. Let's say they are:

http://myapp.com/myapp/endpoint.a
http://myapp.com/myapp/endpoint.b

I want http://myapp.com/myapp/endpoint.a to be available over port 80, and http://myapp.com:8080/myapp/endpoint.b to only be available over port 8080.

I can't have apache in front of tomcat, and it is unacceptable for /myapp/endpoint.b to be accessible on the same port as /myapp/endpoint.a.

Splitting the endpoints into different application contexts is also not possible.

So far:

• Spring boot allows setting the management endpoint to be accessible on a different port but we're not using springboot and I'm not sure at what level it achieves this. http://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-monitoring.html#production-ready-customizing-management-server-address
• I've been looking at the tomcat connector docs https://tomcat.apache.org/tomcat-7.0-doc/config/http.html but they all seem to connect a port/protocol to an entire application and do not allow specific endpoints, e.g. use only port:8080 for *.b
• It's possible to achieve this with apache and JKMount by allowing everything on port 8080 in tomcat, and then forwarding *.a* from 80 to 8080 in apache. But as I said a requirement is to not use apache.
• I am using spring if this helps.

Answer 1

It is solvable at the application level with a combination of:

• A custom PortAuthorisationFilter configured in web.xml with a filter-mapping of the endpoints we want to restrict:

<url-pattern>*.b</url-pattern>

• Inside the filter we check ServletRequest.getLocalPort() is equal to :8080 and reject the request otherwise. This method claims to be the port used in the TCP connection so cannot be spoofed.

At the tomcat level, we have http connectors at ports 80 and 8080, that apply to the entire application.