Secure Railo Administration (railo-context) on your Railo Server
August 2014: Tested to work with the latest Railo and UrlRewriteFilter versions
In this example I will show you how to quickly and dynamically lock down your server to block access to the Railo administration pages, which are reachable by default under /railo-context/admin/. The change requires one additional download and a restart of each Railo web context you wish to protect.
You will require the popular UrlRewriteFilter by Paul Tuckey (http://tuckey.org/urlrewrite/) to be installed on your server.
The install instructions and download link for the filter application can be found at http://tuckey.org/urlrewrite/#install.
If you are using Railo Express you need to create a /lib sub-directory in the webapps/www/WEB-INF directory and place urlrewritefilter-4.0.3.jar in there. Both web.xml and urlrewrite.xml need to be created and placed in webapps/www/WEB-INF. The file name matters: with no confPath parameter set, the filter looks for /WEB-INF/urlrewrite.xml and nothing else.
Copy and insert the code below into your web.xml. It tells your server to load the UrlRewriteFilter on every request (the /* mapping) and to check urlrewrite.xml every 60 seconds for changes. This is important in case in the future you need to re-enable the Railo administration without restarting the server. The statusEnabled parameter is set to false so that the filter's own status page is not exposed to visitors either.
The XML entries used in this article are also in the GitHub repository at https://github.com/bengarrett/devtidbits.com/tree/main/post_321.
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
    <!-- UrlRewriteFilter -->
    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
        <!-- set the amount of seconds the conf file will be checked for reload
             can be a valid integer (0 denotes check every time,
             empty/not set denotes no reload check) -->
        <init-param>
            <param-name>confReloadCheckInterval</param-name>
            <param-value>60</param-value>
        </init-param>
        <!-- you can disable status page if desired
             can be: true, false (default true) -->
        <init-param>
            <param-name>statusEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
Now create your urlrewrite.xml to look something like this. The single rule matches any path under /railo-context/admin/, performs no rewrite (the null target) and answers with a 403 instead.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
        "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<!--
    Configuration file for UrlRewriteFilter
    http://tuckey.org/urlrewrite/
-->
<urlrewrite>
    <rule enabled="true">
        <name>Disable Railo</name>
        <from>^/railo-context/admin/(.*)$</from>
        <to>null</to>
        <!-- HTTP status code 403 = Forbidden -->
        <!-- You could also change it to 401 = Unauthorized or 404 = Not Found -->
        <set type="status">403</set>
    </rule>
</urlrewrite>
You can now restart your server and then try to access http://www.example.com/railo-context/admin/web.cfm and http://www.example.com/railo-context/admin/server.cfm. If all went well both pages return HTTP status 403, while the rest of the site still loads normally. Note that the rule blocks the administrator for every client, yourself included. If you need to re-enable these pages, edit your urlrewrite.xml and change the rule's enabled attribute to false; the filter picks the change up within the 60-second reload interval, so no restart is needed.
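A small script to confirm the result after the restart, as an added example that is not part of the original post or of UrlRewriteFilter. It requests the two admin pages named above and one ordinary page, and reports success only when the admin pages are refused with 403 and the ordinary page still answers 200, so a rule that accidentally blocks the whole site shows up as a failure too. The control path /index.cfm and the local stand-in server used when no base URL is given are assumptions of this example.

```python
"""Verification of the Railo admin lockdown after the filter is in place.

Added example, not code from the original post. It sends GET requests to the
two admin pages named in the post and to one ordinary page, then reports
whether the admin pages are refused with the expected status while the rest
of the site still answers. The control path and the constructed stand-in
HTTP server used for an offline run are assumptions of this example.
"""
import http.server
import sys
import threading
import urllib.error
import urllib.request

ADMIN_PATHS = ["/railo-context/admin/web.cfm", "/railo-context/admin/server.cfm"]
CONTROL_PATH = "/index.cfm"  # assumed: any page that must keep working


def status_of(url, timeout=5):
    """Return the HTTP status code for a GET of url (urllib raises on 4xx/5xx)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_lockdown(base_url, expected=403):
    """Probe the admin pages and the control page.

    Returns (ok, results): ok is True only when every admin page answers with
    `expected` AND the control page still answers 200, so a rule that
    accidentally blocks the whole site is reported as a failure too.
    """
    results = {path: status_of(base_url + path) for path in ADMIN_PATHS + [CONTROL_PATH]}
    admin_blocked = all(results[path] == expected for path in ADMIN_PATHS)
    site_alive = results[CONTROL_PATH] == 200
    return admin_blocked and site_alive, results


class _StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Railo server that behaves like the post's rule."""
    block_admin = True

    def do_GET(self):
        blocked = self.block_admin and self.path.startswith("/railo-context/admin/")
        self.send_response(403 if blocked else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the stub quiet


def start_stub_server(block_admin=True):
    """Serve the stub on a free localhost port; returns (base_url, server)."""
    handler = type("Handler", (_StubHandler,), {"block_admin": block_admin})
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


if __name__ == "__main__":
    # Usage: python check_railo_admin.py http://www.example.com
    # With no argument the constructed stub is probed instead of a real server.
    if len(sys.argv) > 1:
        base, server = sys.argv[1].rstrip("/"), None
    else:
        base, server = start_stub_server()
    ok, results = check_lockdown(base)
    for path, code in results.items():
        print("%s -> %d" % (path, code))
    print("lockdown OK" if ok else "lockdown NOT in effect")
    if server:
        server.shutdown()
    sys.exit(0 if ok else 1)
```

Run it against your real host with the base URL as the only argument; a non-zero exit means either an admin page is still reachable or the control page stopped answering, which is what you would see if the from pattern were widened by mistake.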
Written by Ben Garrett