Client Authentication (How to limit the computers that can access a J2EE application)
Joined: Mar 28, 2008
A J2EE application is deployed in Tomcat. Users in the parent company (intranet) or a child company (Internet) will access this application.
Here is a requirement:
Only specific computers can access this application located in the parent company,
that is, only computers in the company can access this application; other computers outside the company cannot access the application.
PS: The IP address of the child company is dynamic.
Do you have any experience with this kind of requirement?
Do you have any solution for this requirement?
Thank you very much!!!
Joined: Aug 02, 2008
I think that a more appropriate way is to use JAAS.
In the login mechanism you can add as a "parameter" the name of the computer(s) or its MAC address(es).
Joined: Mar 22, 2005
For users on the internal network you can just look at the IP address - they will generally be something like "192.168.x.y".
If the users on the outside don't have a common IP then I'd add a username/password scheme to authenticate them (which is probably a good idea to use for everyone, actually).
Is having username/password not considered safe enough?
Well, I did have such a requirement with one of my previous clients (a bank) due to sensitive data, and they had put a restriction on the computers that could access the system. This was handled using client-side certificates. It is a painful process, as each system that would interface with the secure system would need to request a client certificate. Here we had a server connecting to another server, and we had a limited number of servers.
In your case, the solution below might provide some pointers:
Have a user register a computer using a registration screen that would save a Flash object on the user's system. When the user logs in, read the Flash object and the data stored in it to identify whether this is a registered computer and registered to a specific user. This is similar to storing a cookie, but cookies can be deleted easily.
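
The client-certificate restriction described in the reply above could be enforced inside the application with a servlet filter like the following; this is an added example, not code from the thread. It assumes the Tomcat HTTPS connector already requires and validates client certificates (`clientAuth="true"`, or `certificateVerification="required"` on newer versions), a pre-Jakarta `javax.servlet` container, and the hypothetical names `RegisteredMachineFilter` and `ALLOWED` with a placeholder fingerprint.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: admits only requests whose TLS client certificate is registered. */
public class RegisteredMachineFilter implements Filter {
    // Placeholder value: SHA-256 fingerprints (lowercase hex) of the certificates
    // issued to approved machines. Load these from configuration in a real deployment.
    private static final Set<String> ALLOWED =
        Set.of("<sha256-fingerprint-of-approved-machine-cert>");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The container sets this attribute only when the TLS handshake
        // included a client certificate; element 0 is the client's own cert.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0
                || !ALLOWED.contains(fingerprint(certs[0]))) {
            // No certificate, or one that is not registered: deny by default.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** SHA-256 over the DER encoding of the certificate, as lowercase hex. */
    static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new ServletException(e);
        }
    }
}
```

The filter is only a second layer: the trust decision rests on the connector's truststore, so the filter's allowlist narrows which validly issued certificates are accepted rather than replacing chain validation. Because the check is bound to a certificate and not to a source address, it keeps working when the child company's IP address changes.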