[jira] [Commented] (SHIRO-485) Restrict HTTP requests to localhost

Tue, 11 Feb 2014 13:44:11 -0800 

    [ 
https://issues.apache.org/jira/browse/SHIRO-485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13898354#comment-13898354
 ] 

Andy Seaborne commented on SHIRO-485:
-------------------------------------

The javadoc is a clue - the code of HostFilter.isAccessAllowed throws 
UnsupportedOperationException always, and the internal state Maps are never 
initialized so will NPE.

I'm not clear how reliable the servlet remote host is in a world of (reverse) 
proxies, caches, and load balancers.  But while remote host is a bit suspect, 
the special case of localhost is (I hope) better as it requires software on the 
same machine to be involved.  Not impossible to cause a problem with that but 
it's stronger than the general situation.  In my case, I wanted a moderately 
secure out-of-the-box before configuration setup. After that the user should go 
in and configure a proper password (or etc).

LocalhostFilter is simple and direct.  If it could be a subclass of HostFilter, 
that would have been great but I'm not confident enough about the full 
implications of the general case.



> Restrict HTTP requests to localhost
> -----------------------------------
>
>                 Key: SHIRO-485
>                 URL: https://issues.apache.org/jira/browse/SHIRO-485
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authorization (access control) , Web
>         Environment: HTTP
>            Reporter: Andy Seaborne
>            Priority: Minor
>         Attachments: AuthorizationFilter403.java, DenyFilter.java, 
> LocalhostFilter.java
>
>
> I needed a way to restrict administration operations on a HTTP-based system; 
> it has to be out-of-the-box configuration (the user can then make changes).  
> The solution was to limit access to localhost.
> Attached are:
> * LocalhostFilter for HTTP requests - request must come from localhost (IPV4 
> or IPv6).  Unlike HostFilter, this is specifically localhost.
> * AuthorizationFilter403 for HTTP requests - if denied, give a 403 response.
> * DenyFilter - deny, always (for testing).
> Tested with Jetty.
> Taken from 
> https://svn.apache.org/repos/asf/jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/.
>   This location should to (probably) 
> https://svn.apache.org/repos/asf/jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/authz/
>  at some point in the future.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to