
How to prevent Manager applications from being used

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

How do you prevent the Tomcat Manager application from being abused? This article analyzes the problem in detail and walks through the corresponding solution, in the hope of giving readers who face it a simple and practical answer.

If you have used Tomcat, you will have noticed that its webapps directory ships with a number of applications: demos and samples, application management tools, and so on. One of them is the Manager application.

In a previous article we analyzed the internal implementation of the Manager application; it can be found here:

Go deep into the Manager of Tomcat

In the META-INF/context.xml of Tomcat's manager application, there is a comment on this line:

Someone on Tomcat's mailing list happened to be asking exactly this question. The poster reported that someone was guessing his administrator password in order to log in to the Manager application. Because the Manager application directly controls the life cycle of the applications in the container (it can start, stop and undeploy applications in Tomcat), this is quite dangerous.

With the configuration from context.xml above, access to the Manager application can be restricted to the local machine, so the Manager application cannot be used directly from outside unless the host itself has already been compromised.

This removes the risk of the Manager application being exploited by unauthorized clients.

Let's dig into the source code to see how Tomcat implements this internally.

From the configuration above we can see that the mechanism is essentially request filtering built on Tomcat's Valve component. I have written about Valves before:

Introduction to AccessLogValve of Tomcat

This time the relevant class is RemoteAddrValve. The Javadoc comment on its invoke method reads as follows:

/**
 * Extract the desired request property, and pass it (along with the
 * specified request and response objects) to the protected
 * process() method to perform the actual filtering.
 * This method must be implemented by a concrete subclass.
 */

In other words, it extracts the required property and passes it to the process method. That method belongs to its parent class, RequestFilterValve, and the property passed in is the remote address of the request:

request.getRequest().getRemoteAddr()

Let's take a look at the process method, which is as follows:

void process(String property, Request request, Response response)
        throws IOException, ServletException {
    if (isAllowed(property)) {
        getNext().invoke(request, response);
        return;
    }
    // Deny this request
    denyRequest(request, response);
}

The basic logic is the familiar blacklist/whitelist model: you configure what is allowed and what is denied.

Looking back at the Manager application's configuration above, you can see that the allow attribute is set and lists the permitted request addresses. Any request from an address outside that set is rejected.

The isAllowed method uses java.util.regex to do the matching. It first checks the property against whichever of allow and deny has been configured:

public boolean isAllowed(String property) {
    // Use local copies for thread safety
    Pattern deny = this.deny;
    Pattern allow = this.allow;

    // Check the deny patterns, if any
    if (deny != null && deny.matcher(property).matches()) {
        return false;
    }

    // Check the allow patterns, if any
    if (allow != null && allow.matcher(property).matches()) {
        return true;
    }

    // Allow if denies specified but not allows
    if (deny != null && allow == null) {
        return true;
    }

    // Deny this request
    return false;
}
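To make the three branches of isAllowed concrete, here is an added Python model (not Tomcat code) that reads the allow/deny attributes from a RemoteAddrValve element and applies the same decision order. The first sample context.xml is constructed to carry the localhost-only allow pattern that Tomcat ships commented out in the Manager's META-INF/context.xml; the deny-only sample and its addresses are assumptions made up for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample: the Valve uncommented in the Manager's context.xml,
# using the localhost-only allow pattern Tomcat ships.
ALLOW_LOCALHOST_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>"""

# Constructed sample (assumption): only a deny pattern, no allow pattern,
# to exercise the "denies specified but not allows" branch.
DENY_ONLY_XML = r"""<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         deny="192\.168\.1\.\d+" />
</Context>"""


def load_valve_patterns(xml_text: str) -> Tuple[Optional[re.Pattern], Optional[re.Pattern]]:
    """Return (allow, deny) compiled from the RemoteAddrValve element; None when
    an attribute is not configured, mirroring Tomcat's null Pattern fields."""
    root = ET.fromstring(xml_text)
    valve = root.find(f"Valve[@className='{VALVE_CLASS}']")
    if valve is None:
        return None, None
    allow, deny = valve.get("allow"), valve.get("deny")
    return (re.compile(allow) if allow else None,
            re.compile(deny) if deny else None)


def is_allowed(prop: str, allow: Optional[re.Pattern], deny: Optional[re.Pattern]) -> bool:
    """Same decision order as RequestFilterValve.isAllowed(). Java's
    Matcher.matches() requires the whole string to match, so fullmatch is
    the faithful equivalent (search/match would be too permissive)."""
    if deny is not None and deny.fullmatch(prop):
        return False
    if allow is not None and allow.fullmatch(prop):
        return True
    if deny is not None and allow is None:
        return True
    return False


def decide(remote_addr: str, xml_text: str = ALLOW_LOCALHOST_XML) -> str:
    """What process() does with the request: 'next' passes it down the
    pipeline, 'deny' hands it to denyRequest()."""
    allow, deny = load_valve_patterns(xml_text)
    return "next" if is_allowed(remote_addr, allow, deny) else "deny"
```

Because the valve checks getRemoteAddr(), a reverse proxy running on the same host makes every client appear as 127.0.0.1 and the localhost-only allow list no longer restricts anything; in that deployment the restriction has to be enforced at the proxy instead.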

For RemoteAddrValve, the official documentation also gives an example in which the connector port is taken into account when a request is filtered: the address pattern is separated from the port by a semicolon, with the port following it.

Alongside RemoteAddrValve, Tomcat also provides RemoteHostValve, which filters on the remote host name; its configuration and behaviour are essentially the same as described above.

Tomcat ships with a rich set of built-in Valves that can be applied in many situations.

See also: Tomcat learning, design patterns | Facade pattern and request processing

That is the answer to how to prevent the Manager application from being abused. I hope the above is of some help; if you still have questions, follow the industry information channel to learn more.
