1 Reply Latest reply on Feb 26, 2012 1:58 AM by anmalhot

    Controlling application access based on remote IP

    anmalhot Newbie

      Hi,

       

      We have a requirement to control application (WAR) access based on requesting IP. Our servers are behind load balancers, so we tried making use of the X-Forwarded-for parameter in the jboss-web.xml. (suggested here: https://community.jboss.org/message/634165)

       

      Our jboss-web.xml looks something like this:

       

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
             <valve>
              <class-name>org.apache.catalina.valves.RemoteIpValve</class-name>
               <param>
                  <param-name>remoteIPHeader</param-name>
                  <param-value>x-forwarded-for</param-value>
              </param>
               <param>
                  <param-name>protocolHeader</param-name>
                  <param-value>x-forwarded-proto</param-value>
              </param>
             </valve>
            <valve>
              <class-name>org.apache.catalina.valves.AccessLogValve</class-name>
              <param>
                  <param-name>prefix</param-name>
                  <param-value>http_access_log.</param-value>
              </param>
              <param>
                  <param-name>suffix</param-name>
                  <param-value>.log</param-value>
              </param>
              <param>
                  <param-name>pattern</param-name>
                  <param-value>%a %A %h %U %{X-Forwarded-For}i</param-value>
              </param>
              <param>
                  <param-name>directory</param-name>
                  <param-value>log</param-value>
              </param>
              <param>
                  <param-name>resolveHosts</param-name>
                  <param-value>false</param-value>
              </param>
              <param>
                  <param-name>buffered</param-name>
                  <param-value>false</param-value>
              </param>
              <param>
                  <param-name>requestAttributesEnabled</param-name>
                  <param-value>true</param-value>
              </param>
            </valve>
             <valve>
                    <class-name>org.apache.catalina.valves.RemoteAddrValve</class-name>
                    <param>
                           <param-name>allow</param-name>
                           <param-value>a specific IP</param-value>
                    </param>
                    <param>
                           <param-name>deny</param-name>
                           <param-value>*</param-value>
                    </param>
                    <param>
                           <param-name>denyStatus</param-name>
                           <param-value>404</param-value>
                    </param>
             </valve>
      </jboss-web>
      

       

      We want our application ot be accesible by the allowed IP. However, we are not able to access from the allowed IP in the RemoteAddrValve valve. Even the access log does not log the X-forwarded-for field (shown as '- ' in the access log)

       

      What needs to be corrected to get it working.

       

      Thanks!