How to block access to a specific URL at Tomcat

Atlassian Knowledge Base

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.


In some cases, you may wish to restrict access to a specific URL within your Atlassian Applications - for example, if clients are accessing a URL that causes load on the application server. If you don't have access to the reverse proxy (or are not using a reverse proxy) you can modify Tomcat directly.

tip/resting Created with Sketch.

This solution is only applicable for Atlassian Applications that run under Apache Tomcat - such as Jira, Confluence, Crowd.


  • Shut down the application, and backup your $application-install/atlassian-jira/WEB-INF/web.xml file
  • Locate this comment element at the end:

All session-config, mime-mapping, welcome-file-list, error-page, taglib,
resource-ref, security-constraint, login-config, security-role,
env-entry, and ejb-ref elements should follow this fragment.

  • Add the following block inside the <web-app> element, after the comment block above:
      <auth-constraint />
  • Note that the context path should not be in the url-pattern. Multiple url-pattern elements can be added. For URL's with parameters, the wildcard is not used.

DescriptionHow to block access to a specific URL at Tomcat when the reverse proxy is unavailable or not used

Last modified on Jan 24, 2020

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.