5 Replies Latest reply on Apr 3, 2003 7:03 PM by vmarco

    JBoss Specific IP Based Security

    michaeljbergin

      I'm working on a government application that requires the logging of username/ip address for all login attempts. Our deployment environment is definitely going to be JBoss so I'm not worried about strict adherence to the EJB spec. I've written my own login module and got that working but I haven't found a way of determining the client's IP other than having the client send it which for obvious reasons is completely unacceptable. This functionality needs to be, at the very least, accessible by the application because we need to know if the login attempt was successful or unsuccessful.
      If this functionality is not currently present in JBoss and someone from the JBoss group reads this I would be willing to write it myself so if you could provide me with some direction. I would of course put this out for everyone to download as well. Thanks.

        • 1. Re: JBoss Specific IP Based Security

          What kind of clients? Servlet/HTML clients or stand-alone java applications connecting to EJBs directly?

          • 2. Re: JBoss Specific IP Based Security

            Indeed, if the client's only means of accessing your info is through the web, then you can simply use the ServletRequest "getRemoteAddr()" method. If there's another way for the client to access the info, you guys should probably write it. Since it would theoretically be running on the client's machine (invoked by them) you can query the runtime for the ip address and include that in the remote call.

            • 3. Re: JBoss Specific IP Based Security
              michaeljbergin

              the client is a stand-alone java applet, or application. the client uses jax-rpc to communicate with the server-side components. there is one web services interface exposed by the server that implements a type of command pattern so all of the communication with the server-side goes through this component.
              so is there any built-in/jboss-specific way of accomplishing this? if not i would appreciate any guidance that any jboss experts could provide in writing this piece. thanks.

              • 4. Re: JBoss Specific IP Based Security

                Are you using AXIS? I've only run it locally, but tcpmon displays the "Request Host" address (127.0.0.1 in my case). You can dig around and find out how they did it or modify the AXIS servlet to provide that info directly.

                hth.

                • 5. Re: JBoss Specific IP Based Security
                  vmarco

                  I, too, have a need to get the HttpServletRequest over to my custom LoginModule.

                  I need to log the results of each validation attempt and need to include the IP address of the user. Unfortunately the LoginModule doesn't have access to the HttpServletRequest which has the IP. Now I've created a new CallbackHandler and Callback classes to obtain the HttpServletRequest (in addition to the Username and Password), so the LoginModule is coded and ready to go.

                  What I need is a way to use the new CallbackHandler. I've got code which creates the LoginContext passing in the CallbackHandler, but the servlet 2.3 spec indicates that my action for FORM authentication must use "j_security_check" as the action, instead of my own servlet or Struts action. This prevents me from putting in my own CallbackHandler as the j_security_check servlet only uses a CallbackHandler which passes Callbacks for the Name and Password.

                  Any ideas? Has anyone done this?

                  Thanks,

                  Vince
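
An added example, not part of the original thread and not JBoss code: a sketch of the custom Callback/CallbackHandler approach discussed above, where the server-observed address reaches the LoginModule and is logged with the outcome of every attempt. The class names, the "login.audit" logger and the demo credential are hypothetical, and it assumes the application builds the LoginContext itself, e.g. `new LoginContext("app", new WebCallbackHandler(user, pw, request.getRemoteAddr()))`, rather than going through `j_security_check`.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical callback: carries the peer address the server saw, never a client-sent value. */
class RemoteAddrCallback implements Callback { String remoteAddr; }

/** Hypothetical handler; remoteAddr is taken server-side from ServletRequest.getRemoteAddr(). */
class WebCallbackHandler implements CallbackHandler {
    private final String user, remoteAddr;
    private final char[] password;
    WebCallbackHandler(String user, char[] password, String remoteAddr) {
        this.user = user; this.password = password; this.remoteAddr = remoteAddr;
    }
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            else if (cb instanceof RemoteAddrCallback) ((RemoteAddrCallback) cb).remoteAddr = remoteAddr;
            else throw new UnsupportedCallbackException(cb);
        }
    }
}

/** Hypothetical login module: records user, address and outcome for each attempt. */
public class AuditingLoginModule implements LoginModule {
    private static final Logger AUDIT = Logger.getLogger("login.audit");
    private CallbackHandler handler;
    private boolean ok;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        PasswordCallback pw = new PasswordCallback("password", false);
        RemoteAddrCallback addr = new RemoteAddrCallback();
        try { handler.handle(new Callback[] { name, pw, addr }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        // Constructed demo credential; a real module checks its own user store here.
        ok = "alice".equals(name.getName()) && Arrays.equals(pw.getPassword(), "s3cret".toCharArray());
        pw.clearPassword();
        // Strip CR/LF so a crafted username cannot forge extra audit lines.
        String who = String.valueOf(name.getName()).replaceAll("[\\r\\n]", "_");
        AUDIT.info("login " + (ok ? "SUCCESS" : "FAILURE") + " user=" + who + " ip=" + addr.remoteAddr);
        if (!ok) throw new FailedLoginException("bad credentials");
        return true;
    }
    public boolean commit() { return ok; }
    public boolean abort() { ok = false; return true; }
    public boolean logout() { ok = false; return true; }
}
```

Behind a reverse proxy or load balancer, `getRemoteAddr()` returns the proxy's address, so the logged value reflects whatever sits directly in front of the container.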