Ashish wrote:
> Was working on implementing a Filter for allowing restricted access
> based on IP and User Credentials.
> Thought about sharing it with dev community
> Need - Wanted a filter that would allow restricted access to Server
> based on a) IP and b) User Name
> This is a common requirement on a lot of enterprise platforms.
> Was using Blacklist filter for this. The default implementation uses a
> list of addresses to block and traverses the list each time.
> Hmm, could afford this iteration each time. Using hashmap for storing
> user names was a messy implementation.
> This is what I did
> 1. Used hashmap for storing allowed IPs (they are very few in
> number, even a 100 won't hurt)
> 2. Used embedded ApacheDS for storing the User credentials (LDAP is a
> better choice as it's better organized, fast and can later use it for
> a)
> Now the filter uses both to allow a connection. I am still in the
> process of implementation of this
> My queries are
> 1. Is there a better way to store and manage IP Addresses. Can I get
> rid of hashmap ?

Technically, this will be the fastest way to manage IPs (but use a
ConcurrentHashMap as you may have concurrent access to this structure).
The problem I see is that you may have a huge table to manage. Some
different strategies may have to be implemented, like white list (you
just store the accepted IP addresses), or multi level filtering (for
instance, you just keep the last byte or last two bytes, and if the IP
address fits, you lookup on a slow storage - disk or LDAP -). It all
depends on which kind of protection you want to offer.

In any case, using MINA to protect your system from incoming connections
without using a firewall in front of it is insane, IMHO.

> 2. Is there a better approach for allowing access on select keys like
> user name, state or attributes that can be read from input packets

Difficult question... As you are at a pretty low level with MINA, you
can only filter on IP. Otherwise, you will have to implement an
authentication system, which is generally tightly linked with your
implemented protocol.

> The only big problem that I see is, ApacheDS 1.5.4 comes bundled with
> MINA 1.1.6 jars and I am using MINA 2.0 M3

ADS 1.5.5 comes with MINA 2.0.0-M4 bundled (soon)

> For now I can afford to have LDAP outside, but eventually would like
> to have it embedded within the implementation

Just wait a few weeks :) Or wait until next Monday, if the vote for
2.0.0-M4 is positive, as this will allow us to merge the branch to the
trunk, and you will be able to build a version of ADS using MINA 2.

> FYI: It's just a standalone filter implementation and writing it just for fun.
> Suggestions.....
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
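As an added example (not Ashish's filter and not MINA's own BlacklistFilter), here is a whitelist IoFilter built along the lines discussed above: a ConcurrentHashMap-backed set of allowed addresses for the fast path, and an optional slow-path hook for the multi-level variant, where a miss in the in-memory set falls through to a slower store such as LDAP or disk and a hit is cached. The `SlowLookup` interface is an assumption standing in for whatever that store is, not a MINA type. It is written against the MINA 2.0 `IoFilterAdapter` API; the close call on `IoSession` changed name between 2.0 milestones, so adjust it to the version in use.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.mina.core.filterchain.IoFilterAdapter;
import org.apache.mina.core.session.IoSession;

/**
 * Whitelist filter: a session is passed down the chain only if its remote
 * IP is allowed. Everything else is closed in sessionCreated, before any
 * bytes are read, so the handler never sees unwanted peers.
 */
public class WhitelistFilter extends IoFilterAdapter {

    /** Assumed slow-path store (LDAP, disk, ...); not part of MINA. */
    public interface SlowLookup {
        boolean isAllowed(InetAddress address);
    }

    // Fast path: a concurrent set, since the acceptor threads and whoever
    // updates the list may touch it at the same time.
    private final Set<InetAddress> allowed =
        Collections.newSetFromMap(new ConcurrentHashMap<InetAddress, Boolean>());

    // Optional second tier consulted only on a fast-path miss; may be null.
    private final SlowLookup slow;

    public WhitelistFilter() {
        this(null);
    }

    public WhitelistFilter(SlowLookup slow) {
        this.slow = slow;
    }

    public void allow(InetAddress address) {
        allowed.add(address);
    }

    public void disallow(InetAddress address) {
        allowed.remove(address);
    }

    /** Fail closed: anything that is not an IP endpoint is rejected. */
    boolean isAllowed(SocketAddress remote) {
        if (!(remote instanceof InetSocketAddress)) {
            return false;
        }
        InetAddress addr = ((InetSocketAddress) remote).getAddress();
        if (addr == null) {
            return false;
        }
        if (allowed.contains(addr)) {
            return true;
        }
        // Multi-level filtering: only on a miss do we pay for the slow store,
        // and a positive answer is cached so the next connection is a fast hit.
        if (slow != null && slow.isAllowed(addr)) {
            allowed.add(addr);
            return true;
        }
        return false;
    }

    @Override
    public void sessionCreated(NextFilter nextFilter, IoSession session)
            throws Exception {
        if (!isAllowed(session.getRemoteAddress())) {
            // Immediate close; no further events for this session reach the handler.
            session.close(true);
            return;
        }
        nextFilter.sessionCreated(session);
    }
}
```

Install it first in the acceptor's filter chain so it runs before any codec or logging filter. Note that entries cached from the slow path are never evicted here; if the backing store can revoke an address, the revocation has to call `disallow` as well, otherwise the cache keeps granting access.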