Hi,

On Fri, Apr 15, 2016 at 6:20 PM, Alaric Snell-Pym <[email protected]> wrote:
> For my application, I need to disallow connections to certain IP ranges.
> I need to do this check with the actual IP that Jetty is about to
> connect to; I can't just resolve the hostname and check all its IPs are
> valid, then pass the URL on to Jetty, because the hostname->IP mappings
> could be changed at that point by a sufficiently clever attacker.
>
> My first attempt was to pass in my own HttpClientTransport to the
> HttpClient constructor. I subclassed the default
> HttpClientTransportOverHttp, overriding the
> connect(InetSocketAddress,Map<String,Object>) method with one that
> performed my IP address validation on the provided address, threw a
> SecurityException if it was bad, and otherwise delegated to
> super.connect(...).
>
> However, connect() never seemed to actually be called, so my IP address
> validation never happened.
That would be strange. HttpClientTransport.connect() is the sole way to open a *new* connection to a host.

HttpClient pools connections, so perhaps you made an initial request that opened the connection, and you were expecting the checks to happen on a second request to the same destination?

> What I ended up doing was...

Too complicated :)

HttpClientTransport.connect() *is* being called, and perhaps that's the way to go.

Alternatively you can provide your own SocketAddressResolver to HttpClient.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
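The connect-time check discussed in this thread, written out as an added example (not code from either poster or from the Jetty project). It assumes the Jetty 9.x client API: `HttpClientTransportOverHTTP`, the `connect(InetSocketAddress, Map)` override, and the `HTTP_CONNECTION_PROMISE_CONTEXT_KEY` context entry that Jetty uses to report connect failures; the blocked ranges and the `localhost:8080` target are constructed for illustration.

```java
// Added example: a Jetty 9.x HttpClientTransport that validates the resolved IP at
// connect time, so a hostname whose DNS answer changes between the application's own
// lookup and Jetty's cannot reach a blocked range (the DNS-rebinding concern above).
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.Map;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.Connection;
import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
import org.eclipse.jetty.util.Promise;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class IpRangeGuardTransport extends HttpClientTransportOverHTTP {

    /** Example policy: deny loopback, site-local (RFC 1918), link-local, wildcard and multicast. */
    static boolean isDisallowed(InetAddress ip) {
        return ip.isLoopbackAddress() || ip.isSiteLocalAddress() || ip.isLinkLocalAddress()
            || ip.isAnyLocalAddress() || ip.isMulticastAddress();
    }

    @Override
    public void connect(InetSocketAddress address, Map<String, Object> context) {
        // Only reached when HttpClient opens a NEW connection. Reuse of a pooled
        // connection to the same destination does not pass through here, which is
        // why a check that "never fires" on a second request is not a bug: the pooled
        // connection was already validated when it was opened.
        InetAddress ip = address.getAddress();
        if (ip == null || isDisallowed(ip)) {
            // Fail the connection promise Jetty placed in the context, the same way a
            // TCP connect failure is reported; the pending request then fails with it.
            @SuppressWarnings("unchecked")
            Promise<Connection> promise =
                (Promise<Connection>) context.get(HTTP_CONNECTION_PROMISE_CONTEXT_KEY);
            promise.failed(new SecurityException("Connection to " + address + " is not allowed"));
            return;
        }
        super.connect(address, context);
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient(new IpRangeGuardTransport(), new SslContextFactory());
        client.start();
        try {
            // Constructed example: localhost resolves to a loopback address and must be refused.
            client.GET("http://localhost:8080/");
        } catch (java.util.concurrent.ExecutionException expected) {
            System.out.println("Refused: " + expected.getCause());
        } finally {
            client.stop();
        }
    }
}
```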
