
What's the correct way to write this IP valve?


I am trying to control access to my Tomcat (version 8) server by the requestor's IP address using a valve. What I want is to allow all addresses that do not start with 10 and all addresses that start with 10.10. Here is what I have.

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="[^10]\.\d+\.\d+\.\d+|10\.10\.\d+\.\d+" />

It is not working, it allows access only to addresses starting with 10.10.

Regular expressions are not my best thing, what am I doing wrong?

Thanks.


Solution

  • To allow all addresses starting with 10.10. you can use the following regular expression:

    10\.10\..*
    

    \. corresponds to the "dot" character and .* corresponds to anything.

    To forbid all addresses starting with 10. you must write something more complex: [^1].* corresponds to anything that does not start with 1. That's fine: if the IP address does not start with 1, we will allow it. 1[^0].* corresponds to any IP address which starts with 1 but whose second character is not 0: 11xxx, 15xxx, etc. But we must allow addresses like 101.xxx. So we will have to write 10[^.].*. This expression will allow anything but 10.xxx, which is fine.

    So the final regular expression will be an alternation of all the expressions above:

    10\.10\..*|[^1].*|1[^0].*|10[^.].*
    

    or to slightly simplify:

    (10\.10\.|[^1]|1[^0]|10[^.]).*
    

    Now it's better to add ^ at the beginning and $ at the end, just to be sure that this expression will check the entire IP address:

    ^(10\.10\.|[^1]|1[^0]|10[^.]).*$
    

    I didn't check that the input value is an IP address at all, but I'm sure that Tomcat won't pass anything but an IP address for this check.
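
To check an allow pattern before deploying it, the following added example (not part of the original question or answer) runs the question's pattern and the answer's final pattern against constructed sample addresses and prints each result next to the intended policy. The class name, the helper methods and the sample addresses are assumptions made for illustration, as is the use of a whole-string match to mirror how the valve applies allow.

```java
import java.util.regex.Pattern;

public class ValvePatternCheck {
    // Pattern from the question's allow attribute.
    static final Pattern QUESTION =
        Pattern.compile("[^10]\\.\\d+\\.\\d+\\.\\d+|10\\.10\\.\\d+\\.\\d+");

    // Final pattern from the answer.
    static final Pattern ANSWER =
        Pattern.compile("^(10\\.10\\.|[^1]|1[^0]|10[^.]).*$");

    // Policy stated in the question: deny 10.x.x.x unless it is 10.10.x.x.
    static boolean policyAllows(String addr) {
        return !addr.startsWith("10.") || addr.startsWith("10.10.");
    }

    // Whole-string match (assumption: mirrors how the valve applies allow).
    static boolean allowedBy(Pattern p, String addr) {
        return p.matcher(addr).matches();
    }

    public static void main(String[] args) {
        // Constructed sample addresses, including the IPv6 loopback form
        // that a dual-stack host can report for local requests.
        String[] samples = {
            "10.10.3.4", "10.9.3.4", "10.100.3.4", "101.2.3.4", "1.2.3.4",
            "8.8.8.8", "192.168.1.20", "110.1.1.1", "0:0:0:0:0:0:0:1"
        };
        System.out.printf("%-18s %-8s %-9s %-7s%n",
            "address", "policy", "question", "answer");
        for (String a : samples) {
            System.out.printf("%-18s %-8b %-9b %-7b%n", a,
                policyAllows(a), allowedBy(QUESTION, a), allowedBy(ANSWER, a));
        }
    }
}
```

In the question's pattern, [^10] is a character class that matches exactly one character that is neither 1 nor 0, so the rows where the question column differs from the policy column are the ones to look at.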