Hi,

Having broken the back of the token-based MFA, my next quest in bolting down my app is to add configurable IP-based restrictions. I'm thinking of a realm which reads a list of IPs or ranges (v4 or v6) from a DB then checks if the host matches.

Two questions:

1. Is there any interest in my producing a generic / re-usable JdbcHostRestrictionRealm and kicking it back upstream? I can probably do this by cribbing from JdbcRealm.
2. My app is sat behind a load balancer which changes the IP address. Since we control the load balancer we can trust the X-Forwarded-For header in a downstream app. Is there a preferable place to hook in the logic to read it from the request and set it on the token?

Richard
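
The two checks asked about above, as an added example that is not part of the original post or of Shiro's code: CIDR matching for IPv4/IPv6 ranges, and taking the client address from X-Forwarded-For only when the TCP peer is the trusted load balancer. The class and method names are hypothetical, the addresses are constructed, and it assumes Java 9+ and a load balancer that appends the address it saw to the end of the header.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
// Hypothetical helper, not a Shiro class. Addresses below are constructed.
public class HostRestrictionExample {
    // Accept IP literals only, so a hostname is rejected before any DNS lookup.
    static InetAddress literal(String s) {
        String t = s.trim();
        boolean ok = t.matches(t.contains(":") ? "[0-9A-Fa-f:.]+" : "\\d{1,3}(\\.\\d{1,3}){3}");
        try { if (ok) return InetAddress.getByName(t); } catch (UnknownHostException e) { /* reject below */ }
        throw new IllegalArgumentException("not an IP literal: " + t);
    }
    // True when addr is inside cidr ("a.b.c.d/n", "x::/n", or a bare address).
    static boolean inRange(InetAddress addr, String cidr) {
        String[] parts = cidr.split("/");
        byte[] net = literal(parts[0]).getAddress(), ip = addr.getAddress();
        if (net.length != ip.length) return false; // IPv4 never matches an IPv6 range
        int bits = parts.length > 1 ? Integer.parseInt(parts[1].trim()) : net.length * 8;
        if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException(cidr);
        for (int i = 0; i < net.length; i++) {
            int n = Math.min(8, Math.max(0, bits - i * 8)); // prefix bits in this byte
            int mask = (0xFF << (8 - n)) & 0xFF;
            if ((net[i] & mask) != (ip[i] & mask)) return false;
        }
        return true;
    }
    static boolean matchesAny(InetAddress a, List<String> cidrs) {
        return cidrs.stream().anyMatch(c -> inRange(a, c));
    }
    // Start at the TCP peer; while the current hop is a trusted proxy, step one
    // entry leftwards through X-Forwarded-For. An untrusted peer's header is ignored.
    static InetAddress clientAddress(String peer, String xff, List<String> proxies) {
        InetAddress current = literal(peer);
        String[] hops = xff == null ? new String[0] : xff.split(",");
        for (int i = hops.length - 1; i >= 0 && matchesAny(current, proxies); i--)
            current = literal(hops[i]);
        return current;
    }
    public static void main(String[] args) {
        List<String> proxies = List.of("10.0.0.5/32");                   // load balancer
        List<String> allowed = List.of("192.0.2.0/24", "2001:db8::/32"); // rows from the DB
        String[][] cases = { {"10.0.0.5", "192.0.2.9, 203.0.113.7"},
                             {"10.0.0.5", "2001:db8::1"}, {"198.51.100.4", "192.0.2.9"} };
        for (String[] c : cases) {
            InetAddress a = clientAddress(c[0], c[1], proxies);
            System.out.println(a.getHostAddress() + " allowed=" + matchesAny(a, allowed));
        }
    }
}
```

An `IllegalArgumentException` from a malformed address or prefix should be treated as a denial, so a garbled header fails closed.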
