Solved

JAMF Pro in DMZ - Remove API documentation.


  • New Contributor
  • 1 reply

Hi Guys,

I've been following the documentation and training videos for setting up a limited access DMZ deployment of Jamf Pro, which for the most part has been easy to follow. I've updated web.xml to block access to the api servlet, but wanted to remove the documentation as well. The relevant step in that training instructs you to remove the API directory from the web root to stop the API documentation being accessible... only there is no API directory on my deployment. If I access: https://jamfproserver:8443/api I'm presented with a page that allows me to choose between "classic API" and "JAMF Pro API" pages. I've removed the classicapi directory, so it 404s, but the JAMF Pro API link takes me to active documentation. 

I assume this folder has simply been moved and the training / documentation is lagging behind, in which case I'd love to know where it's now located. Any help appreciated!


3 replies

boberito
  • Jamf Heroes
  • 449 replies
  • Answer
  • July 17, 2024

Here are my notes on how I disabled it. But you had to perform these steps EVERY update. It became much easier to put a load balancer or proxy in front of it.

On JSS versions later than 10.22:

On the JSS server:
(Linux) Go to /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/
(Windows) Go to c:\program files\JSS\Tomcat\webapps\ROOT\WEB-INF\

Open the web.xml in a text editor (vi for Linux, notepad++ for Windows). The second line in the file will look similar to this:

    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">

Add a new line after the above line and insert the text below:

    <filter>
        <filter-name>API Restrictions Filter</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
        <init-param>
            <param-name>deny</param-name>
            <param-value>.*</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>API Restrictions Filter</filter-name>
        <url-pattern>/api/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>UAPI Restrictions Filter</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
        <init-param>
            <param-name>deny</param-name>
            <param-value>.*</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>UAPI Restrictions Filter</filter-name>
        <url-pattern>/uapi/doc/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>UAPI-RemoteAddrFilter</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
        <init-param>
            <param-name>allow</param-name>
            <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
        </init-param>
        <init-param>
            <param-name>denyStatus</param-name>
            <param-value>404</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>UAPI-RemoteAddrFilter</filter-name>
        <url-pattern>/uapi/doc/*</url-pattern>
    </filter-mapping>

Find filter-name AccessFilter-Other and add - usually the second "AccessFilter-Other" - the area looks similar to this.

    <servlet-name>EnrollmentController</servlet-name>
    <servlet-name>RestletServlet</servlet-name>
    <servlet-name>SpringUAPIDispatcher</servlet-name>
    <servlet-name>default</servlet-name>
    <servlet-name>PerformanceAutomationTriggers</servlet-name>

Once the web.xml file is updated with the filter settings, save it, close the editor. Then

    sudo mv /usr/local/jss/tomcat/webapps/ROOT/classicapi /usr/local/jss/tomcat/webapps/ROOT/.apigone

restart tomcat.
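Because the answer above says the web.xml changes are lost on every update, here is an added example (not part of the original post, and not Jamf's own tooling) of a post-upgrade check that parses web.xml and reports whether an outside address is still blocked on the restricted URL patterns. The function names, the sample XML and the test address 203.0.113.10 are constructed for illustration; the namespace is the one shown in the post, and patterns are compared as literal strings.

```python
import re
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}  # namespace as shown in the post
REMOTE_ADDR = "org.apache.catalina.filters.RemoteAddrFilter"

# Constructed sample: a trimmed web.xml holding two of the filters from the post.
SAMPLE_WEB_XML = r"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>API Restrictions Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param><param-name>deny</param-name><param-value>.*</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>API Restrictions Filter</filter-name><url-pattern>/api/*</url-pattern></filter-mapping>
  <filter>
    <filter-name>UAPI-RemoteAddrFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param><param-name>allow</param-name><param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>UAPI-RemoteAddrFilter</filter-name><url-pattern>/uapi/doc/*</url-pattern></filter-mapping>
</web-app>"""

def allowed(params, addr):
    """Tomcat's rule: a deny match blocks; else an allow list must match; deny-only admits the rest."""
    deny, allow = params.get("deny") or None, params.get("allow") or None
    if deny and re.fullmatch(deny, addr):
        return False
    if allow:
        return bool(re.fullmatch(allow, addr))
    return deny is not None

def audit(web_xml, patterns, remote="203.0.113.10"):
    """Return {url-pattern: True if `remote` is blocked by a RemoteAddrFilter mapped to it}."""
    root = ET.fromstring(web_xml)
    txt = lambda el, tag: (el.findtext(tag, "", NS) or "").strip()
    filters = {}
    for f in root.findall("j:filter", NS):
        if txt(f, "j:filter-class") == REMOTE_ADDR:
            filters[txt(f, "j:filter-name")] = {
                txt(p, "j:param-name"): txt(p, "j:param-value")
                for p in f.findall("j:init-param", NS)}
    blocked = dict.fromkeys(patterns, False)
    for m in root.findall("j:filter-mapping", NS):
        name = txt(m, "j:filter-name")
        for pat in m.findall("j:url-pattern", NS):
            key = (pat.text or "").strip()
            if key in blocked and name in filters and not allowed(filters[name], remote):
                blocked[key] = True
    return blocked
```

After an upgrade, pass the contents of the web.xml from the WEB-INF directory named in the post to `audit()`; any pattern that comes back `False` means the restriction needs to be re-applied.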

  


boberito
  • Jamf Heroes
  • 449 replies
  • July 17, 2024

This causes enrollment customization to NOT work when coming from outside because it requires access to a non public API jamf uses. 


  • Author
  • New Contributor
  • 1 reply
  • July 17, 2024

Thanks Boberito, I'll give this a go. Appreciate your help!

