编写此IP阀的正确方法是什么?
[英]What's the correct way to write this IP valve?
问题描述
I am trying to control access to my tomcat (version 8) sever by the requestor's ip address using a valve. 
我试图使用阀门通过请求者的ip地址控制对我的tomcat(版本8)服务器的访问。 What I want is to allow all addresses that do not start with 10 and all addresses that start with 10.10. 我想要的是允许所有不以10开头的地址以及所有以10.10开头的地址。 Here is what I have. 这就是我所拥有的。
<valve className="org.apache.catalina.valves.RemoteAddrValve"> allow="[^10]\\.\\d+\\.\\d+\\.\\d+|10\\.10\\.\\d+\\.\\d+" />
It is not working, it allows access only to addresses starting with 10.10. 它不起作用,它仅允许访问以10.10开头的地址。
Regular expressions are not my best thing, what am I doing wrong? 正则表达式不是我的最佳选择,我在做什么错?
Thanks. 谢谢。
2 个解决方案
解决方案1
2 已采纳 2015-01-23 21:37:58
To allow all addresses starting with 10.10. 允许所有以10.10开头的地址。 you can use the following regular expression: 您可以使用以下正则表达式:
10\.10\..*
\\. corresponds to the "dot" character and .* corresponds to anything. 对应于“点”字符, .*对应于任何字符。
To forbid all addressed starting with 10. you must write something more complex: [^1].* corresponds to anything which is not started with 1 . 要禁止所有以10.开头的地址,您必须编写更复杂的内容: [^1].*对应于不是以1开头的任何内容。 That's fine, if IP address does not start with 1 we will allow it. 很好,如果IP地址不以1开头,我们将允许它。 1[^0].* corresponds to any IP address which starts with 1 but second character is not 0 . 1[^0].*对应以1开头但第二个字符不为0任何IP地址。 11xxx , 15xxx , etc. But we must allow addresses like 101.xxx . 11xxx , 15xxx等。但是我们必须允许使用101.xxx地址。 So we will have to write 10[^.].* . 所以我们将不得不写10[^.].* 。 This expression will allow anything but 10.xxx which is fine. 该表达式将允许除10.xxx任何内容,这很好。
So the final regular expression will look like alternative between all expressions above: 因此,最终的正则表达式看起来像上述所有表达式之间的替代:
10\.10\..*|[^1].*|1[^0].*|10[^.].*
or to slightly simplify: 或稍微简化一下:
(10\.10\.|[^1]|1[^0]|10[^.]).*
Now it's better to add ^ in the beginning and $ in the end, just to be sure that this expression will check the entire IP address: 现在最好在开头添加^ ,在末尾添加$ ,只是要确保此表达式将检查整个IP地址:
^(10\.10\.|[^1]|1[^0]|10[^.]).*$
I didn't check that input value is IP address at all, but I'm sure that tomcat won't pass anything but IP address for this check. 我根本没有检查输入值是IP地址,但是我确定除了此检查的IP地址外,tomcat不会传递任何东西。
解决方案2
0 2015-01-23 21:28:28
[^10] won't exclude the strings starting with 10, it will match any character which is different from one or zero. [^ 10]不会排除以10开头的字符串,它将匹配任何一个非零或零的字符。 So the first part of your pattern would accept the following IP addresses: 2.XYZ, 3.XYZ, ..., 9.XYZ 因此,模式的第一部分将接受以下IP地址:2.XYZ,3.XYZ,...,9.XYZ
To achieve your goal, you could try something like this: 为了实现您的目标,您可以尝试执行以下操作:
d\.\d+\.\d+\.\d+|[02-9]d\.\d+\.\d+\.\d+|[1-9]dd\.\d+\.\d+\.\d+|10\.10\.\d+\.\d+
In this way, the first alternative will accept any IP's that start with a single digit. 这样,第一种选择将接受以一位开头的任何IP。 The second one, any IP's with start with two digits, excluding 10. The third one, any IP's which start with three digits (and thus cannot be 10 either). 第二个是任何以两位数字开头的IP(不包括10)。第三个是任何以三位数字开头的IP(因此也不能为10)。
One more remark, though: by using d+ to match the number, even invalid values might be accepted as IP components (which should be between 0-255), such as 257, 3848 etc. But that might be ok for your problem domain. 不过,还要再说一遍:通过使用d +来匹配数字,甚至无效值也可以被接受为IP组件(应该在0-255之间),例如257、3848等。但这对于您的问题域可能是可以的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.