I'm new in JBoss and Jaas, but I've read a lot of documentation about this and I think that isn't possible.
You can configure access/deny an user by his role. This user may be authenticate in the system, with a system login.
Just a little help, maybe a walkaround:
when i worked with Tomcat i re-wrote the authenticator class (you can modify org.apache.catalina.authenticator.BasicAuthenticator). You can put in the password field (if you use DB based authentication) even the ip, like: "password:xxx.xxx.xxx.xxx" and then in the authenticator class can test password+":"+ip as it is the password stored in the db...
String password = parsePassword(authorization)+"@"+request.getRequest().getRemoteAddr();
String password = parsePassword(authorization);
If you make so the following statement
principal = context.getRealm().authenticate(username, password);
check password and the IP for you!
Surely there is an easier way thant that?
I have a simple JBoss installation that contains a small number of servlets. How do I restrict some of them so that they can only be accessed from localhost? I would think that this is easy, but I cannot find this capability.
Also is there a easy way to reject http PUT's for the whole server instead of having to add http-method elements to web.xml?
Wow, no answer. After coming from the Apache world, I am surprised that JBoss cannot limit access to particular servlets by IP.
We are running on RedHat Linux; should this filtering be done at the OS level instead. I did not see a way to do this in iptables.
Should I use a good, old servlet filter? Obviously this would require some Java code, but it seems simple to do (and I have used them before): http://www.jboss.org/community/docs/DOC-11257
Or should I use a <web:context-filter...> and subclass JBoss's Generic Handler? Or is this just for web services: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4162661
Try adding the standard Apache Tomcat "RemoteAddress/RemoteHost" valves in a context.xml in WEB-INF of your web application.
Thanks Anil, that was exactly what I was looking for! A very nice solution.