How to block access to a specific URL at Tomcat
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.
In some cases, you may wish to restrict access to a specific URL within your Atlassian Applications - for example, if clients are accessing a URL that causes load on the application server. If you don't have access to the reverse proxy (or are not using a reverse proxy) you can modify Tomcat directly.
This solution is only applicable for Atlassian Applications that run under Apache Tomcat - such as Jira, Confluence, Crowd.
- Shut down the application, and back up your $application-install/atlassian-jira/WEB-INF/web.xml file
- Locate this comment element at the end:
    <!--
         All session-config, mime-mapping, welcome-file-list, error-page, taglib,
         resource-ref, security-constraint, login-config, security-role,
         env-entry, and ejb-ref elements should follow this fragment.
    -->
- Add the following block inside the <web-app> element, after the comment block above:
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/path/to/block/without/context/root/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
- Note that the context path should not be in the url-pattern. Multiple url-pattern elements can be added. For URLs with parameters, the wildcard is not used.
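A way to check, before restarting, which requests the edited web.xml denies. This is an added example, not Atlassian's or Tomcat's code; the function names and the trimmed sample file are constructed for illustration. It shows that a constraint listing only GET leaves other methods on the same path uncovered. `http-method-omission` and the default `/` pattern are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed web.xml holding the constraint from the steps above.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/path/to/block/without/context/root/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so any web-app schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def deny_rules(web_xml_text):
    """Return (url_patterns, http_methods) per collection under an empty auth-constraint."""
    rules = []
    root = ET.fromstring(web_xml_text)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        # An auth-constraint with no role-name children denies every caller.
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            pats = [(e.text or "").strip() for e in wrc if _local(e.tag) == "url-pattern"]
            meths = [(e.text or "").strip() for e in wrc if _local(e.tag) == "http-method"]
            rules.append((pats, meths))
    return rules

def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, '/prefix/*' path prefix, or '*.ext' extension."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

def is_blocked(web_xml_text, method, path):
    """True if a deny rule covers this method and path (path excludes the context root)."""
    for pats, meths in deny_rules(web_xml_text):
        # No http-method elements means the constraint applies to every method.
        if (not meths or method in meths) and any(pattern_matches(p, path) for p in pats):
            return True
    return False
```

If the URL must be unreachable by any method, removing the http-method element makes the constraint apply to all of them.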