Tomcat uses a mechanism called valves to filter IP source addresses. A particular type of valve element called a remote address filter, can be inserted into the Tomcat processing stream to allow or deny access to the server. The remote address filter may be used in several different containers: Engine, Host, or Context.

If you wish to secure your server for localhost use only, add the following lines to the engine container. Edit the $CATALINA_HOME/conf/server.xml configuration file. Find the lines ....

<!-- Define the top level container in our container hierarchy -->
<Engine name="Catalina" defaultHost="localhost" debug="0">

Add the following statements underneath ..

<!-- Allow only localhost to access this server -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow=",0:0:0:0:0:0:0:1%0,::1" />

For a complete description on the use of this mechanism see the Server Configuration Reference.