Hello there... I would like to implement IP-based authentication. I currently use the security-constraint feature of web.xml (Tomcat's built-in authentication module). I understand that I can get the IP address from the HttpServletRequest object. But here's the question: Is IP-based authentication built into Tomcat? If not, what is the best way to implement it? Perhaps modifying the Tomcat authentication module? Thanks!
IPs can be - and often are - spoofed. Also, I believe that all users who are connected indirectly to the Internet via any sort of address translation (NAT) - and probably proxies, for that matter - will not have unique IP addresses - they'll have the translated address (or the address of the proxy machine or whatever). Doesn't give much incentive to use IPs as a reliable means of identification. Also, anyone accessing via a dialup or other DHCP-type system won't have a constant IP address.
Customer surveys are for companies who didn't pay proper attention to begin with.
Right, Tim, thanks. Those are serious concerns, but I'm not sure how else to approach this. The company purchasing this product (obviously a subscription web resource) would like their authentication to be seamless, i.e. if they're in their offices, they don't want to see a login screen. How else to do this, besides IP-based authentication? By the way, this is not the only authentication mechanism that will be used; I will continue to use the standard user/password authentication for most users. [This message has been edited by Michael Mendelson (edited October 31, 2001).]
Hmmm.... That's a good one. I have no quick and certain answer, but there are some possibilities. One, of course, is to simply use the standard userid/password scheme and tell them to get used to it. (As you can see, diplomacy is something I'm great at.) You can place their userIDs in a favored security group if you like. This actually has some advantages, since people who think they're too important for passwords often think that, at the same time, they should be able to access the system anytime and anywhere. Another is to use special cookies. This is a "locks are for honest people" approach, since the cookie file could be lifted by a savvy user, but they'd pretty much have to have physical access to the machine. You might tighten that up by binding the cookie to a NIC address (some serious client-side code needed here), but to be secure, you'd need a mechanism to invalidate machines when they're retired. A less convoluted version of that would be to issue client-side certificates, which your server should be able to handle pretty much automatically. Of course, all this assumes that the clients are truly using the Internet. If everything's behind a firewall that blocks spoofed internal IPs, you're pretty safe doing the IP-authentication trick. In fact, a recent system design I did was based on that idea.
Thanks for your help, Tim. I ended up implementing this by extending Tomcat's JDBCRealm class and checking a list of IPs. So it's just an extension of Tomcat's form-based authentication. The IP list lives in an XML file which is read in with the first authentication attempt. Each IP (or IP block) is mapped to a user name/password. I'm working on the assumption that the worst thing that anyone could steal here is access to the site. However, just in case, there's a mechanism that prevents mapping of IP addresses to users with certain roles (e.g. administrator). If you (or anyone else, for that matter) would like the code, just drop me an e-mail. Michael
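As an added illustration of the approach Michael describes, and not the code from the thread, here is the same idea written as a servlet Filter instead of a Realm subclass: a list of IP addresses or CIDR blocks, each mapped to a user and a set of roles, with a hard rule that no address may ever be mapped to a privileged role. It assumes the javax.servlet API (Tomcat 9 and earlier; on Tomcat 10 and later the package is jakarta.servlet), an init-param named ipMap with a "cidr=user:role,role;..." syntax, and that "admin" and "administrator" are the role names that must never be reachable by address. All three are assumptions made for this example, not anything the thread specifies.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Maps trusted IPv4 addresses or CIDR blocks to a fixed user, so requests from an
 * allowed office network carry a user principal without a login page. Any other
 * request passes through untouched and gets the application's normal authentication.
 * Added example, not the thread's code: the init-param "ipMap", its syntax and the
 * role names in NEVER_BY_IP are assumptions made for this example.
 */
public class IpAuthFilter implements Filter {
    /** Roles that must never be granted on the strength of a source address alone (assumed names). */
    static final Set<String> NEVER_BY_IP = new HashSet<String>(Arrays.asList("admin", "administrator"));

    /** One mapping: an IPv4 network prefix, the user it stands for, and that user's roles. */
    static final class Entry {
        final int network, mask; final String user; final Set<String> roles;
        Entry(int net, int mask, String user, Set<String> roles) {
            this.network = net & mask; this.mask = mask; this.user = user; this.roles = roles;
        }
        boolean matches(int addr) { return (addr & mask) == network; }
    }

    private List<Entry> entries = new ArrayList<Entry>();

    public void init(FilterConfig cfg) throws ServletException {
        String spec = cfg.getInitParameter("ipMap");
        if (spec == null) throw new ServletException("ipMap init-param is required");
        entries = parseEntries(spec);
    }

    public void destroy() { }

    /** Parses e.g. "192.0.2.0/24=acme:subscriber;198.51.100.7=bob:subscriber,reports". */
    static List<Entry> parseEntries(String spec) throws ServletException {
        List<Entry> result = new ArrayList<Entry>();
        for (String item : spec.split(";")) {
            if (item.trim().length() == 0) continue;
            String[] kv = item.split("=", 2);
            if (kv.length != 2) throw new ServletException("expected cidr=user[:roles] in '" + item + "'");
            String[] userRoles = kv[1].trim().split(":", 2);
            Set<String> roles = new HashSet<String>();
            if (userRoles.length == 2) {
                for (String r : userRoles[1].split(",")) {
                    r = r.trim().toLowerCase();
                    // Refuse to tie an address to a privileged role: a stolen or spoofed
                    // address must at most yield ordinary site access, never administration.
                    if (NEVER_BY_IP.contains(r)) throw new ServletException("role '" + r + "' may not be granted by IP");
                    if (r.length() > 0) roles.add(r);
                }
            }
            try {
                String[] cidr = kv[0].trim().split("/");
                int prefixLen = cidr.length == 2 ? Integer.parseInt(cidr[1]) : 32;
                if (prefixLen < 0 || prefixLen > 32) throw new IllegalArgumentException("prefix /" + prefixLen);
                int mask = prefixLen == 0 ? 0 : (int) (0xFFFFFFFFL << (32 - prefixLen));
                result.add(new Entry(parseIpv4(cidr[0]), mask, userRoles[0].trim(), roles));
            } catch (IllegalArgumentException e) {
                throw new ServletException("bad address or prefix in '" + item + "': " + e.getMessage());
            }
        }
        return result;
    }

    /** Dotted quad to int. Avoids InetAddress on purpose, so a hostname can never sneak in. */
    static int parseIpv4(String s) {
        String[] parts = s.split("\\.");
        if (parts.length != 4) throw new IllegalArgumentException("not an IPv4 address: " + s);
        int addr = 0;
        for (String p : parts) {
            int octet = Integer.parseInt(p); // NumberFormatException is an IllegalArgumentException
            if (octet < 0 || octet > 255) throw new IllegalArgumentException("not an IPv4 address: " + s);
            addr = (addr << 8) | octet;
        }
        return addr;
    }

    /** Longest matching prefix, or null when the address is unknown (or not IPv4 at all). */
    Entry lookup(String remoteAddr) {
        int addr;
        try { addr = parseIpv4(remoteAddr); } catch (IllegalArgumentException e) { return null; }
        Entry best = null;
        for (Entry e : entries)
            if (e.matches(addr) && (best == null || Integer.bitCount(e.mask) > Integer.bitCount(best.mask))) best = e;
        return best;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Only the TCP peer address counts. X-Forwarded-For is client-controlled and is not
        // consulted; if a reverse proxy sits in front, have it present the real client address.
        final Entry e = http.getUserPrincipal() == null ? lookup(http.getRemoteAddr()) : null;
        if (e == null) { chain.doFilter(req, res); return; } // unknown address: normal login applies
        final Principal p = new Principal() { public String getName() { return e.user; } };
        chain.doFilter(new HttpServletRequestWrapper(http) {
            public Principal getUserPrincipal() { return p; }
            public String getRemoteUser() { return e.user; }
            public boolean isUserInRole(String role) { return e.roles.contains(role.toLowerCase()); }
        }, res);
    }
}
```

Register it in web.xml as a filter with an init-param named ipMap (for instance "192.0.2.0/24=acme:subscriber") and a filter-mapping on the URL pattern you want to cover. Two caveats a practitioner should weigh before relying on this. First, a Filter runs after the container has already enforced any web.xml security-constraint, so pages protected that way will still show the form login before this code sees the request; the Filter approach suits applications that make their authorization decisions in code via isUserInRole, which is exactly why going into the Realm, as Michael did, is the way to keep the web.xml constraints and skip the login screen. Second, because of the NAT point Tim raised, every machine behind the customer's office gateway becomes the same mapped user, so keep that user's roles to the minimum the subscription needs and log the address alongside the user name so that access can still be traced.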