I am trying to control access to my Tomcat (version 8) server by the requestor's IP address using a valve. What I want is to allow all addresses that do not start with 10 and all addresses that start with 10.10. Here is what I have.
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="[^10]\.\d+\.\d+\.\d+|10\.10\.\d+\.\d+" />
It is not working; it allows access only to addresses starting with 10.10.
Regular expressions are not my best thing, what am I doing wrong?
Thanks.
To allow all addresses starting with 10.10. you can use the following regular expression:
10\.10\..*
`\.` corresponds to the "dot" character and `.*` corresponds to anything.
To forbid all addresses starting with `10.` you must write something more complex: `[^1].*` corresponds to anything which does not start with `1`. That's fine: if the IP address does not start with `1`, we will allow it. `1[^0].*` corresponds to any IP address which starts with `1` but whose second character is not `0`: `11xxx`, `15xxx`, etc. But we must allow addresses like `101.xxx`. So we will have to write `10[^.].*`. This expression will allow anything but `10.xxx`, which is fine.
So the final regular expression will look like an alternative between all the expressions above:
10\.10\..*|[^1].*|1[^0].*|10[^.].*
or to slightly simplify:
(10\.10\.|[^1]|1[^0]|10[^.]).*
Now it's better to add `^` at the beginning and `$` at the end, just to be sure that this expression will check the entire IP address:
^(10\.10\.|[^1]|1[^0]|10[^.]).*$
I didn't check that the input value is an IP address at all, but I'm sure that Tomcat won't pass anything but an IP address for this check.
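An added example (not part of the question or the answer): it runs both allow patterns from this page against constructed sample addresses and compares each result with the stated policy computed from network prefixes. It assumes the valve accepts an address only when the pattern matches the whole string, and that these particular patterns behave the same in Python's `re` as in Java's regex engine.

```python
import ipaddress
import re

# Patterns copied from the page.
QUESTION_ALLOW = r"[^10]\.\d+\.\d+\.\d+|10\.10\.\d+\.\d+"
ANSWER_ALLOW = r"^(10\.10\.|[^1]|1[^0]|10[^.]).*$"

# Constructed sample addresses (not from the page).
SAMPLES = [
    "10.10.3.4",     # inside 10.10.x.x: should be allowed
    "10.1.2.3",      # other 10.x.x.x: should be denied
    "10.100.2.3",    # 10.100 is not 10.10: should be denied
    "101.2.3.4",     # begins with the characters "10", but octet is 101
    "1.2.3.4",
    "8.8.8.8",
    "192.168.1.1",
    "172.16.0.9",
    "203.0.113.7",   # multi-digit first octet that does not begin with 1
]

NET_10 = ipaddress.ip_network("10.0.0.0/8")
NET_10_10 = ipaddress.ip_network("10.10.0.0/16")


def intended(addr: str) -> bool:
    """Policy from the question: allow unless in 10/8, except 10.10/16."""
    ip = ipaddress.ip_address(addr)
    return ip not in NET_10 or ip in NET_10_10


def allowed_by(pattern: str, addr: str) -> bool:
    """Assumption: the pattern must match the whole address string."""
    return re.fullmatch(pattern, addr, re.ASCII) is not None


def mismatches(pattern: str) -> list[str]:
    """Sample addresses where the pattern disagrees with the intended policy."""
    return [a for a in SAMPLES if allowed_by(pattern, a) != intended(a)]


if __name__ == "__main__":
    for name, pat in (("question", QUESTION_ALLOW), ("answer", ANSWER_ALLOW)):
        print(name, "disagrees on:", mismatches(pat) or "nothing")
```

`[^10]` is a character class meaning "one character that is neither `1` nor `0`", so the question's first alternative only accepts a single-character first octet from 2 to 9; comparing against prefix membership makes that kind of gap visible before the pattern goes into `server.xml`.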