Restricting access to the View Admin Console

I received an email from a colleague asking if it was possible to restrict access to the View Admin console (https://<viewserver>/admin) to specific IP addresses. It was not something I’d come across but was an interesting requirement. I knew that it runs on tomcat so a quick bit of searching and I found the answer.

Firstly we need the web.xml file for the admin console which is located at (by default):

C:\Program Files\VMware\VMware View\Server\broker\webapps\admin\WEB-INF\web.xml

Now we need to insert the filter for the IP Addresses. I inserted it at the end of the existing filters, which was just above the   <!– MessageBroker Servlet –> line.

<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>10\.0\.0\.21</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

The <param-value>10\.0\.0\.21</param-value> is where we define addresses and we include multiple addresses or wild cards, for example <param-value>10\.0\.0\.21|10\.0\.0\.22</param-value>

In the above example not even the localhost would be able to access the admin console. More details for people far more experienced than myself with tomcat can be found here:

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter

Again this is unsupported, but that’s never stopped people in the past!

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s