JavaRanch » Java Forums » Java » Servlets
IP-based authentication in Tomcat

Michael Mendelson
Ranch Hand

Joined: Dec 19, 2000
Posts: 73

Hello there...
I would like to implement ip-based authentication. I currently use the security-constraint feature of web.xml (Tomcat's built-in authentication module).
I understand that I can get the ip address from the HttpServletRequest object. But here's the question:
Is IP-based authentication built into Tomcat? If not, what is the best way to implement it? Perhaps modifying the Tomcat authentication module?
Thanks!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15950
IPs can be - and often are - spoofed. Also, I believe that all users who are connected indirectly to the Internet via any sort of address translation (NAT) - and probably proxies, for that matter - will not have unique IP addresses - they'll have the translated address (or the address of the proxy machine or whatever).
Doesn't give much incentive to use IPs as a reliable means of identification.
Also, anyone accessing via a dialup or other DHCP-type system won't have a constant IP address.


Customer surveys are for companies who didn't pay proper attention to begin with.
Michael Mendelson
Ranch Hand

Joined: Dec 19, 2000
Posts: 73
Right, Tim, thanks.
Those are serious concerns, but I'm not sure how else to approach this.
The company purchasing this product (obviously a subscription web resource) would like their authentication to be seamless, i.e. if they're in their offices, they don't want to see a login screen.
How else to do this, besides ip-based authentication?
By the way, this is not the only authentication mechanism that will be used; I will continue to use the standard user/password authentication for most users.
[This message has been edited by Michael Mendelson (edited October 31, 2001).]
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15950
Hmmm.... That's a good one. I have no quick and certain answer, but there are some possibilities.
One, of course, is to simply use the standard userid/password scheme and tell them to get used to it. (As you can see, diplomacy is something I'm great at.) You can place their userIDs in a favored security group if you like. This actually has some advantages, since people who think they're too important for passwords often think that at the same time, they should be able to access the system anytime and anywhere.
Another is to use special cookies. This is a "locks are for honest people" approach, since the cookie file could be lifted by a savvy user, but they'd pretty much have to have physical access to the machine. You might tighten that up by binding the cookie to a NIC address (some serious client-side code needed here), but to be secure, you'd need a mechanism to invalidate machines when they're retired.
A less convoluted version of that would be to issue client-side certificates, which your server should be able to handle pretty much automatically.
Of course, all this assumes that the clients are truly using the Internet. If everything's behind a firewall that blocks spoofed internal IPs, you're pretty safe doing the IP-authentication trick. In fact, a recent system design I did was based on that idea.
Michael Mendelson
Ranch Hand

Joined: Dec 19, 2000
Posts: 73
Thanks for your help, Tim. I ended up implementing this by extending Tomcat's JDBCRealm class and checking a list of IPs. So it's just an extension of Tomcat's form-based authentication.
The IP list lives in an XML file which is read in with the first authentication attempt. Each IP (or IP block) is mapped to a user name/password.
I'm working on the assumption that the worst thing that anyone could steal here is access to the site. However, just in case, there's a mechanism that prevents mapping of ip addresses to users with certain roles (e.g. administrator).
If you (or anyone else, for that matter) would like the code, just drop me an e-mail.
Michael
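The IP-to-user mapping Michael describes, together with the check that refuses to map an address to a user holding a privileged role, as an added example that is not his code and not part of Tomcat: a standalone Java class with no Tomcat dependency, so the JDBCRealm wiring and the XML file are left out, and the caller supplies the role table instead of the Realm's user store. The role names, the forbidden-role set, the user names and the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all constructed for the example. Because of the spoofing and proxy points Tim raised, the lookup is meant to be fed only the transport-level peer address, which is what `HttpServletRequest.getRemoteAddr()` returns, and never a client-supplied header; the password half of Michael's mapping is omitted, since a realm that trusts the address has no need to check one.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * IP-to-user mapping for seamless office logins (added example, not the thread's code).
 * Assumes a role table supplied by the caller; in Tomcat this would be the Realm's own user store.
 */
public final class IpAuthenticator {

    /** One "IP or IP block -> user" entry, stored as a 32-bit network address and mask. */
    private static final class Entry {
        final int network, mask;
        final String user;
        Entry(int network, int mask, String user) { this.network = network; this.mask = mask; this.user = user; }
        boolean matches(int addr) { return (addr & mask) == network; }
    }

    private final List<Entry> entries = new ArrayList<>();
    private final Map<String, Set<String>> userRoles;   // user name -> roles (constructed by the caller)
    private final Set<String> forbiddenRoles;           // roles that must never be reachable by IP alone

    public IpAuthenticator(Map<String, Set<String>> userRoles, Set<String> forbiddenRoles) {
        this.userRoles = userRoles;
        this.forbiddenRoles = forbiddenRoles;
    }

    /** Adds a mapping such as "192.0.2.0/24" or "198.51.100.7"; refuses users holding a forbidden role. */
    public void addMapping(String cidr, String user) {
        for (String role : userRoles.getOrDefault(user, Collections.emptySet())) {
            if (forbiddenRoles.contains(role)) {
                throw new IllegalArgumentException(
                        "refusing to map " + cidr + " to " + user + ": holds role " + role);
            }
        }
        String[] parts = cidr.split("/", 2);
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
        if (prefix < 0 || prefix > 32) {
            throw new IllegalArgumentException("bad prefix length: " + cidr);
        }
        int mask = prefix == 0 ? 0 : (int) (0xFFFFFFFFL << (32 - prefix));
        entries.add(new Entry(toInt(parts[0]) & mask, mask, user));
    }

    /**
     * Looks up the user for the connecting address. Feed this the transport-level peer address
     * (HttpServletRequest.getRemoteAddr()), never a client-supplied header such as X-Forwarded-For.
     */
    public Optional<String> userFor(String remoteAddr) {
        int addr;
        try {
            addr = toInt(remoteAddr);
        } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass, so it is covered too
            return Optional.empty();
        }
        for (Entry entry : entries) {
            if (entry.matches(addr)) {
                return Optional.of(entry.user);
            }
        }
        return Optional.empty();
    }

    /** Parses a dotted-quad IPv4 literal without any DNS lookup. */
    private static int toInt(String dotted) {
        String[] octets = dotted.trim().split("\\.");
        if (octets.length != 4) {
            throw new IllegalArgumentException("not an IPv4 address: " + dotted);
        }
        int result = 0;
        for (String octet : octets) {
            int value = Integer.parseInt(octet);
            if (value < 0 || value > 255) {
                throw new IllegalArgumentException("bad octet in " + dotted);
            }
            result = (result << 8) | value;
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed role table and forbidden-role set (assumptions for this example, not from the thread).
        Map<String, Set<String>> roles = new HashMap<>();
        roles.put("acme-office", Set.of("subscriber"));
        roles.put("root", Set.of("subscriber", "administrator"));
        IpAuthenticator auth = new IpAuthenticator(roles, Set.of("administrator"));

        auth.addMapping("192.0.2.0/24", "acme-office");   // a whole office block
        auth.addMapping("198.51.100.7", "acme-office");   // a single address
        try {
            auth.addMapping("203.0.113.0/24", "root");    // refused: the user holds "administrator"
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        for (String peer : new String[] {"192.0.2.77", "198.51.100.7", "198.51.100.8", "not-an-ip"}) {
            System.out.println(peer + " -> " + auth.userFor(peer).orElse("(show login form)"));
        }
    }
}
```

In a Realm subclass the natural place to call `userFor` is before the ordinary user/password check: when it returns a user, authenticate as that user; when it returns empty, fall through to the form login so the other subscribers are unaffected. The forbidden-role check runs when the mapping is loaded rather than at request time, so a misconfigured entry fails loudly at startup instead of silently granting an office block administrator access.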
 