My suggestion would be to use a security manager and only give the permission to accept connections from the same machine (should be something like permission java.net.SocketPermission "your_local_host:*", "accept,connect,listen,resolve";).

However, you may encounter two problems:

  • I don't know if a security manager is set by Jonas on the server side, and you may have to set one;
  • if someone tries to connect to the app server from a different machine, a security exception will be raised, and this will stop Jonathan. To avoid this, you will have to patch the file org/objectweb/jonathan/libs/resources/tcpip/IPv4ConnectionFactory.java, and more precisely the newSrvConnection(IpSession) method of the SrvConnectionFactory inner class (should be at line 453).

    The line 456:
      Socket socket = server_socket.accept();
    should be replaced by:
      Socket socket = null;

      while (socket == null) {
          try {
              socket = server_socket.accept();
          } catch (SecurityException e) {
              // Connection refused by the security manager: socket is still
              // null, so the loop goes back to accept() instead of stopping.
              if (verbose) {
                  System.err.println("Warning: security exception :");
                  e.printStackTrace();
              }
          }
      }
If you prefer to modify the code at this point to directly close sockets created from other hosts (without using the standard security mechanisms), then it is clearly the place where it should be done.

Regards,

Bruno
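
The alternative mentioned at the end of the message above, closing sockets from other hosts directly at the accept point instead of relying on the security manager, could look like the following. This is an added example, not code from the original message or from Jonathan; the class and method names are hypothetical, and treating any address bound to a local network interface as "the same machine" is an assumption.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.ServerSocket;
import java.net.Socket;

// Added illustration; LocalOnlyAcceptor and its methods are hypothetical names,
// not part of Jonathan or JOnAS.
public class LocalOnlyAcceptor {

    // True if the peer address is loopback or is assigned to one of this
    // machine's own network interfaces.
    static boolean isLocalPeer(InetAddress peer) throws IOException {
        return peer.isLoopbackAddress()
                || NetworkInterface.getByInetAddress(peer) != null;
    }

    // Blocks until a connection from this machine arrives; connections from
    // any other host are closed immediately and the loop keeps accepting.
    static Socket acceptLocal(ServerSocket serverSocket) throws IOException {
        while (true) {
            Socket socket = serverSocket.accept();
            if (isLocalPeer(socket.getInetAddress())) {
                return socket;
            }
            System.err.println("Rejected connection from "
                    + socket.getRemoteSocketAddress());
            socket.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample address from the 192.0.2.0/24 documentation range.
        InetAddress remote =
                InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        System.out.println("192.0.2.10 local? " + isLocalPeer(remote));

        // Port 0 lets the OS pick a free port; connect to it over loopback.
        try (ServerSocket server = new ServerSocket(0);
             Socket client = new Socket(InetAddress.getLoopbackAddress(),
                     server.getLocalPort());
             Socket accepted = acceptLocal(server)) {
            System.out.println("Accepted " + accepted.getRemoteSocketAddress());
        }
    }
}
```

If the client only ever connects over loopback, binding the listener to the loopback address (`new ServerSocket(port, backlog, InetAddress.getLoopbackAddress())`) keeps remote hosts from reaching the port at all.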

Erez Nahir wrote:

Thanks, I do like Miro's suggestion more (don't want to be bound by
platforms :-( ).

If you can give me a starting point: where to look both in the JOnAS and
Jonathan sources it will be great.

Thanks,
Erez

-----Original Message-----
From: Halas, Miroslav [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 5:11 PM
To: 'Calvin Varney'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Disable remote access (from different machine)

Hmm, I think the better solution would be to modify Jonathan to accept calls
only from local host. I know for sure (since we discovered a bug when running
on localhost, which Bruno fixed for us) that Jonathan recognizes the local
host, because it treats it differently than calls from remote hosts.

Miro

-----Original Message-----
From: Calvin Varney [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 6:13 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Disable remote access (from different machine)

I'm not aware of any way to achieve this from within jonas; however, you could
use a packet filter and write rules to deny packets with source address not
equal to localhost and destination port equal to those you are using for
jonas rmi/jeremie.

Packet filters are readily available for most Unixes, probably even something
out there for NT. Their implementation is very platform specific, so if
interested your best bet would be to start with the documentation for your
own system.

Calvin.

----- Original Message -----
From: "Erez Nahir" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 04, 2001 7:26 PM
Subject: Disable remote access (from different machine)

> Hello all,
>
> Our application is combined from a webserver (Tomcat 3.2.1) and jonas
> (2.2.7), located both on a single machine.
>
> Tomcat is actually the only client that will call Jonas.
> Is there a way to limit the access to the appserver just from the local
> machine?
>
> Regards,
>
> Erez
>
> ----
> To unsubscribe, send email to [EMAIL PROTECTED] and
> include in the body of the message "unsubscribe jonas-users".
> For general help, send email to [EMAIL PROTECTED] and
> include in the body of the message "help".
>


