-
1. Re: Limit IP access to a session beans (EAR)
mikioma Jun 26, 2009 7:03 AM (in response to xmedeko)I don't know J2EE deep enough to be sure... but I don't think you can, I'm affraid.
Web applications have concepts like "HttpRequest" with which you can get things like IP addresses... but AFAIK there is no such concept in EJB.
Anyway, I think the point in J2EE applications is to grant or deny access through the concepts of authentication, authoritation, users, roles... I don't know of a specific security mechanism in which IP addresses is in mind... -
2. Re: Limit IP access to a session beans (EAR)
xmedeko Jun 26, 2009 7:06 AM (in response to xmedeko)Well, JEE does not specify this, I was thinking something JBoss specific. Like Tomcat has http://www.jboss.org/community/wiki/LimitAccessToCertainClients
-
3. Re: Limit IP access to a session beans (EAR)
mikioma Jun 26, 2009 7:15 AM (in response to xmedeko)I see... I'm sorry I can't help you further. I don't know much abuout JBoss specific configuration.
However, I'll keep an eye on this thread as your question is very interesting :-)
Good luck, xmedeko!! -
4. Re: Limit IP access to a session beans (EAR)
wolfgangknauf Jun 26, 2009 7:16 AM (in response to xmedeko)Hi,
I think XACML could help (I don't know it, just stumbled across this article):
http://server.dzone.com/articles/security-features-jboss-510-1
Best regards
Wolfgang -
5. Re: Limit IP access to a session beans (EAR)
wolfc Jun 26, 2009 9:36 AM (in response to xmedeko)An AOP interceptor can access the client address: https://jira.jboss.org/jira/browse/JBREM-758.
It's not yet available through an EJB API yet: https://jira.jboss.org/jira/browse/EJBTHREE-902.
So you can write an AOP interceptor, put it into ejb3-interceptors-aop.xml and push the client address somewhere where you can pick it up in the bean. -
6. Re: Limit IP access to a session beans (EAR)
xmedeko Jun 26, 2009 9:46 AM (in response to xmedeko)Well, the client address is accessible from thread name :-). So, I can write the Around Invoke Interceptor Method to check this IP. I was just asking if there is some nice JBoss solution for this. You know, some config with IP addresses like 10.1.1.128/20 :-)
BTW. about accessing IP from session beans: I think BEA or Oracle AS put client IP somewhere into the session context. Or I was thinking that some ThreadLocal variable could do the trick. But it is solution for the JEE session beans, that would not work for the JBoss service bean, I guess.