Restrict incoming connections per Application Tomcat 6.0.37

Question

I'm developing a permission system in Tomcat and I would like to restrict incoming connections per application. I mean, I want to restrict incoming connections in some applications and permit them in others.

I have tried to do it with the Security Manager (SocketPermission), but it doesn't restrict all incoming connections. And also I have tried with RemoteAddrValve and RemoteHostValve () but it restricts all connections, not only the incoming ones. I have been searching other way to do that but I couldn't find anything.

Is it possible? Could anybody help me?

Comments

I'm going to try to explain myself better.

What I'm trying to do is create a permission system in Tomcat. This permission system must allow or avoid the next connections:
- Receive from IP. The application with this permission only can accept connections (or receive information) from an IP. It can't send anything or connect to anywhere.
- Receive All. The application with this permission can accept connections (or receive information) from any IP. It can't send anything or connect to anywhere.
- Send and Receive IP. The application with this permission can accept connection and connect to an IP.
- Send to IP. The application with this permission only can connect or send information to an IP. It can't receive information or accept connections from anywhere.
- Send to All. The application with this permission can connect or send information to any IP. It can't receive information or accept connections from anywhere.

With the SocketPermission, I can avoid that one application connects to an specific IP or any IP (not granting SocketPermission "connect"). But if I try to avoid that one IP connects to the application (not granting SocketPermission "accept"), it doesn't restrict all connections. For example, I can connect to the application from a browser in another host. (I'm using the Security Manager in a correct way because it works with others permissions).

If I add  to the context.xml, I can restrict the previous example, but with this I restrict all connections, so it doesn't allow me to do what I want.

If I combine the SocketPermission with the RemoteHostValve I can grant the first three permissions (or connections) in my list above. But I need to restrict the incoming connections (accept connections) to grant the last two.

Answer 1

So you want one application to disallow all connections, but others can receive incoming requests? Why not just un-deploy the application you don't want to be accessible?

I have tried to do it with the Security Manager (SocketPermission), but it doesn't restrict all incoming connections.

Really? You must have done it incorrectly, because disabling SocketPermission should have prevented Tomcat from binding to the port in the first place. No connection would be possible at all. Note that you need to enable a SecurityManager in order to use SockerPermission, and that Tomcat's default security configuration is to allow the appropriate SocketPermissions, so you'd have to seriously damage your Tomcat installation in order to do that. I don't recommend it.

And also I have tried with RemoteAddrValve and RemoteHostValve () but it restricts all connections, not only the incoming ones.

What other kinds of connections are there, other than incoming ones?

I have been searching other way to do that but I couldn't find anything.

You haven't really described what you want to accomplish. "Restrict incoming connections per application" could mean a range of things. Do you want to prohibit certain connections (e.g. non-localhost), throttle connection rates, or require authentication for certain applications?