On 19.11.2015 21:26, Christopher Schultz wrote:
Ognjen,

On 11/19/15 10:14 AM, Ognjen Blagojevic wrote:
My webapp has a set of resources, let's call that set R. Some of those
resources need to be accessed only from certain source IP addresses,
let's call that subset R'. And some subset of R' (let's call it R'')
needs authentication.

I have a requirement to check the source IP address before authentication.

Right now, R' is specified in web.xml RemoteAddrFilter <url-pattern>s,
and R'' is specified in web.xml <security-constraint> <url-pattern>s.

The problem is, filters are executed after container-managed
authentication, so the login form is presented to the user before
RemoteAddrFilter kicks in and checks the source IP address. That is not what
I need. Users outside trusted IP ranges should not be able to even know
about the protected resources, let alone guess passwords.

RemoteAddrValve, on the other hand, is called before container-managed
authentication, but it does not allow specifying <url-pattern>s.

What would be a good solution for the above requirement? Extend
RemoteAddrValve with the ability to specify <url-pattern>s?

I think that may be the only way to do it. IIRC, someone did some work
to allow Filters to be used in the valve chain, but I don't think there
is any facility for specifying <url-pattern>s for those.

-chris


Or, you could switch from container-based AAA, to application-based AAA.
You can create a servlet filter which "wraps" your application(s), and in it apply any rules you want. This is totally portable, not Tomcat-specific, and doesn't require any change to server.xml for instance (nor to your application).

Servlet Spec 3.0 has this to say:
13.3 Programmatic Security
Programmatic security is used by security aware applications when declarative
security alone is not sufficient to express the security model of the 
application.

To avoid having to redo what others have already done, you may also want to have a look at: http://tuckey.org/urlrewrite/manual/3.0/#filterparams
     see: <condition> element
           --> remote-addr  (for instance)

(I'm not saying that urlrewrite fills /all/ your needs, but you could combine urlrewrite with some simple code of your own, to fill all your needs. Servlet filters are "stackable").
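The thread's first option, a Valve that applies Tomcat's allow/deny address check only to a configurable set of URL patterns, as an added example that is not part of the original thread or of Tomcat itself. Tomcat's RemoteAddrValve is final, so this extends its parent RequestFilterValve instead and reuses that class's allow/deny regexes, denyStatus and process() method; everything else (the class name, the urlPatterns property, the addresses and paths in the context.xml fragment) is an assumption for illustration. It targets the javax.servlet API of Tomcat 7/8 that the thread is about.

```java
package com.example.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.RequestFilterValve;

/**
 * Address-filter valve that only applies to a configurable set of URL patterns.
 *
 * RequestFilterValve (the parent of Tomcat's RemoteAddrValve) supplies the
 * allow/deny regex handling and the denyStatus property; this class adds a
 * "urlPatterns" property with web.xml-style patterns. Because it is a Valve in
 * the Context pipeline it runs before the container's AuthenticatorValve, so a
 * client outside the allowed ranges is denied before any login form or
 * authentication challenge is sent.
 *
 * Hypothetical context.xml fragment (class name, ranges and paths are examples):
 *
 *   <Valve className="com.example.security.UrlPatternRemoteAddrValve"
 *          allow="10\.1\.2\.\d+|192\.168\.100\.\d+"
 *          denyStatus="404"
 *          urlPatterns="/internal/*,/reports/secret.jsp,*.admin" />
 *
 * denyStatus="404" makes a denied resource indistinguishable from a missing one,
 * which is what the "should not even know about the resources" requirement asks for.
 */
public class UrlPatternRemoteAddrValve extends RequestFilterValve {

    private final List<String> urlPatterns = new ArrayList<>();

    /** Comma-separated list of patterns: exact path, "/prefix/*" or "*.ext". */
    public void setUrlPatterns(String value) {
        urlPatterns.clear();
        for (String p : value.split(",")) {
            String pattern = p.trim();
            if (!pattern.isEmpty()) {
                urlPatterns.add(pattern);
            }
        }
    }

    public String getUrlPatterns() {
        return String.join(",", urlPatterns);
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Context-relative, decoded and (by CoyoteAdapter) normalised path,
        // i.e. the same string web.xml <url-pattern>s are matched against.
        String path = request.getDecodedRequestURI()
                .substring(request.getContextPath().length());

        if (!isProtectedPath(path)) {
            // Not in R': skip the address check entirely.
            getNext().invoke(request, response);
            return;
        }

        // Same step RemoteAddrValve performs: test the client address against
        // the allow/deny regexes, then either continue down the pipeline or
        // send denyStatus. getRemoteAddr() is the TCP peer; behind a reverse
        // proxy put RemoteIpValve *before* this valve so the address comes
        // from X-Forwarded-For, and only from the proxies you trust.
        process(request.getRemoteAddr(), request, response);
    }

    /** True if the path matches any configured pattern (none configured = all paths). */
    boolean isProtectedPath(String path) {
        if (urlPatterns.isEmpty()) {
            return true;
        }
        for (String pattern : urlPatterns) {
            if (matches(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    /** Servlet-spec style matching: prefix ("/x/*"), extension ("*.jsp") or exact. */
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            return path.endsWith(pattern.substring(1));
        }
        return pattern.equals(path);
    }
}
```

Two things to check when deploying this: the urlPatterns set must be a superset of the web.xml <security-constraint> patterns (R' must contain R''), otherwise an authenticated-only resource can still present its login form to an untrusted address; and a Valve only helps while authentication stays container-managed. If you instead take the portable route from the reply above and move AAA into a servlet filter, the same path matching and the 404 response go into that filter's doFilter(), ahead of whatever login logic the filter performs.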


