There is a caveat when using RemoteAddrValve with IPv6 addresses

- see thread "tomcat 7.0.21: bug in RemoteAddrValve?" of 2011-09-14 on users@
Document it and update configuration examples in manager and host-manager apps.
Add usage examples to valve.html, filter.html.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1175633 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 49bd27f..707c667 100644 (file)
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -531,6 +531,15 @@ FINE: Request "/docs/config/manager.html" with response status "200" content-typ
     package. Please consult the Java documentation for details of the
     expressions supported.</p>
 
+    <p><strong>Note:</strong> There is a caveat when using this filter with
+    IPv6 addresses. Format of the IP address that this valve is processing
+    depends on the API that was used to obtain it. If the address was obtained
+    from Java socket using Inet6Address class, its format will be
+    <code>x:x:x:x:x:x:x:x</code>. That is, the IP address for localhost
+    will be <code>0:0:0:0:0:0:0:1</code> instead of the more widely used
+    <code>::1</code>. Consult your access logs for the actual value.</p>
+
+    <p>See also: <a href="#Remote_Host_Filter">Remote Host Filter</a>.</p>
   </subsection>
 
   <subsection name="Filter Class Name">
@@ -569,6 +578,24 @@ FINE: Request "/docs/config/manager.html" with response status "200" content-typ
 
   </subsection>
 
+  <subsection name="Example">
+    <p>To allow access only for the clients connecting from localhost:</p>
+<pre>
+    &lt;filter>
+      &lt;filter-name>Remote Address Filter&lt;/filter-name>
+      &lt;filter-class>org.apache.catalina.filters.RemoteAddrFilter&lt;/filter-class>
+      &lt;init-param>
+        &lt;param-name>allow&lt;/param-name>
+        &lt;param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1&lt;/param-value>
+      &lt;/init-param>
+    &lt;/filter>
+    &lt;filter-mapping>
+      &lt;filter-name>Remote Address Filter&lt;/filter-name>
+      &lt;url-pattern>/*&lt;/url-pattern>
+    &lt;/filter-mapping>
+</pre>
+  </subsection>
+
 </section>
 
 
@@ -586,6 +613,7 @@ FINE: Request "/docs/config/manager.html" with response status "200" content-typ
     package. Please consult the Java documentation for details of the
     expressions supported.</p>
 
+    <p>See also: <a href="#Remote_Address_Filter">Remote Address Filter</a>.</p>
   </subsection>
 
   <subsection name="Filter Class Name">

diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 3272733..9572e6a 100644 (file)
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -509,6 +509,16 @@
     package. Please consult the Java documentation for details of the
     expressions supported.</p>
 
+    <p><strong>Note:</strong> There is a caveat when using this valve with
+    IPv6 addresses. Format of the IP address that this valve is processing
+    depends on the API that was used to obtain it. If the address was obtained
+    from Java socket using Inet6Address class, its format will be
+    <code>x:x:x:x:x:x:x:x</code>. That is, the IP address for localhost
+    will be <code>0:0:0:0:0:0:0:1</code> instead of the more widely used
+    <code>::1</code>. Consult your access logs for the actual value.</p>
+
+    <p>See also: <a href="#Remote_Host_Filter">Remote Host Filter</a>,
+    <a href="#Remote_IP_Valve">Remote IP Valve</a>.</p>
   </subsection>
 
   <subsection name="Attributes">
@@ -544,6 +554,14 @@
 
   </subsection>
 
+  <subsection name="Example">
+    <p>To allow access only for the clients connecting from localhost:</p>
+<pre>
+    &lt;Valve className="org.apache.catalina.valves.RemoteAddrValve"
+       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/&gt;
+</pre>
+  </subsection>
+
 </section>
 
 
@@ -565,6 +583,7 @@
     package. Please consult the Java documentation for details of the
     expressions supported.</p>
 
+    <p>See also: <a href="#Remote_Address_Filter">Remote Address Filter</a>.</p>
   </subsection>
 
   <subsection name="Attributes">

diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml
index 81ae2b0..bcfd7fd 100644 (file)
--- a/webapps/docs/manager-howto.xml
+++ b/webapps/docs/manager-howto.xml
@@ -159,7 +159,9 @@ the role <strong>manager-script</strong>.</p>
 
 <p>In addition to the password restrictions the Manager web application
 could be restricted by the remote IP address or host by adding a
-<code>RemoteAddrValve</code> or <code>RemoteHostValve</code>.  Here is
+<code>RemoteAddrValve</code> or <code>RemoteHostValve</code>.
+See <a href="config/valve.html#Remote_Address_Filter">valves documentation</a>
+for details. Here is
 an example of restricting access to the localhost by IP address:</p>
 <pre>
 &lt;Context privileged="true"&gt;

diff --git a/webapps/host-manager/META-INF/context.xml b/webapps/host-manager/META-INF/context.xml
index 1019dc4..3390e96 100644 (file)
--- a/webapps/host-manager/META-INF/context.xml
+++ b/webapps/host-manager/META-INF/context.xml
@@ -22,6 +22,6 @@
   -->
   <!--
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
-         allow="127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|::1" />
+         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
   -->
 </Context>
\ No newline at end of file

diff --git a/webapps/manager/META-INF/context.xml b/webapps/manager/META-INF/context.xml
index 99276a2..21d9bac 100644 (file)
--- a/webapps/manager/META-INF/context.xml
+++ b/webapps/manager/META-INF/context.xml
@@ -22,6 +22,6 @@
   -->
   <!--
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
-         allow="127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|::1" />
+         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
   -->
 </Context>