Filter IP How to Guide

From Swivel Knowledgebase
Jump to: navigation, search


The Swivel Administration Console can be protected by allowing access to a defined IP or range of IP addresses. The administrative filter is included as part of the Swivel 3.2 software and all subsequent releases.


Swivel 3.2 onwards

Swivel 3.1.x filter can be added

How to use the IP Filter


Swivel Core File location

The filter configuration is controlled by two files found in the conf folder, Determines the way the filter behaves when access is denied or granted.

ranges.xml, is a list of IP ranges that can access the Admin Console.

These files are located in:

Swivel version 3.9.1 onwards, see Transient Data Storage, <path to .swivel>/conf

Earlier versions of Swivel <path to Tomcat>/webapps/pinsafe/WEB-INF/conf:

Swivel Applications File Location

Applications such as the Sivel Authentication manager will have their filter located under home/swivel/<application_name>/security.properies and is similar to the ranges.xml file.


The default file is shown below.

 # Admin Console Filter Localization
 # Commented lines will result in no message being logged
 # ALLOWED = Access Allowed
 DENIED = Access Denied
 ERROR = Page Not Found
 # FILTERING = Filtering
 STATUS = 404

The entries are as follows:

ALLOWED Message written to TOMCAT console with request IP address when the filter allows access. When Commented out; filter is silent. Default: Commented out

DENIED Message written to TOMCAT console with request IP address when the filter denies access. Default: Access Denied

ERROR Message reported back to browser when access is denied. If not set, no response is sent and the browser will eventually time out. Default: Page Not Found

FILTERING Message written to TOMCAT console followed by address ranges as TOMCAT initializes the filter. When Commented out; filter is silent. Default: Commented out

STATUS The http status code reported back when access is denied. This should match the error message. Default: 404

Editing ranges.xml

The ranges.xml file holds the list of IP addresses that are allowed to access the admin console

The default ranges.xml file is shown below.

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE properties SYSTEM "">
 	<entry key="anyone">0/0</entry>
 	<entry key="anyone6">::0/0</entry>
 	<entry key="localhost"></entry>
 	<entry key="localhost6">::1/128</entry>

The default configured ranges.are named “anyone” and “localhost” and represent access from any IP address and localhost only respectively.

An address range is specified as an IP address followed (optionally) by a mask. The mask can be a single integer representing the number of significant address bits that must match for access to be allowed or it can be an IP-style dotted decimal. Both styles are present in the default file, but further examples are shown below.

The default entries allow access from all IP addresses. Removing the entry for “anyone” will restrict access to localhost. Further ranges can be added to ease administration. All ranges should have a unique name.

IP Range Meaning

A /0 mask means that no bits need to match in the address. This allows access from all IP addresses.

Example 1:


A /32 mask means all 32 bits must match. The equivalent dotted-decimal is Specifying no mask is the same as specifying a /32 mask.

Example 2:

To allow access from any address on the 192.168.0 subnet.

Example 3:

The values for <entry key="anyone6">::0/0</entry> and <entry key="localhost6">::1/128</entry> are for IPv6

Editing what is filtered

By default all access to the admin port is filtered. It is possible to define specific access using the filter. What is filtered is controlled by the web.xml file, this file is usually located as follows:

Appliance: /usr/local/tomcat/webapps/pinsafe/WEB-INF/web.xml

Software only: C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\pinsafe\WEB-INF\web.xml

Look for the following entry:


To filter just the TURing image request, change this to:


Activating the filter

Restart Tomcat


When someone attempts to access any part of the admin console they are redirected to the admin log-in page. At this point the filter intercepts the request and checks to see if the IP address is on the allowed list. If it is not allowed then a message will display Swivel is running. Click here to open Swivel admin console. but clicking on the link has no effect. Older versions return the error code and message defined in the file.

Known Issues

Swivel version 3.10.4 increases the filtering and additional access may need to be added for Agents and other resources accessing Swivel.

More recent versions display Swivel is running. Click here to open Swivel admin console. instead of the messages in the file.

Windows Server 2008 by default treats "localhost" as an IPv6 address (::1), rather than IPv4 (, so if the ranges file doesn't include the IPv6 address, it will fail. The one that comes with Swivel 3.8 includes additional entries to cover IPv6 addresses.

If you have customised your ranges.xml, then you can try the following:

Connect to Swivel using rather than localhost

Disable IPv6 on the server

Add the following entries to ranges.xml:

 ::1/128 (to allow localhost on IPv6)
 ::0/0 (to allow any address on IPv6)


Check the Tomcat logs, these are located under <path to Tomcat>/logs. The localhost.<date> log will contain failed connection attempts

INFO: Access Denied x.x.x.x