get the remote IP address from a LoginModule

Arnaud Burlet
Ranch Hand

Joined: Oct 08, 2004
Posts: 31
Hi, I'm trying to write a custom LoginModule for Tomcat that will be used to authenticate users before they can use some servlets...

The authentication depends on the remote IP (IP of the user) and I couldn't yet find a way to get that IP address from the LoginModule's code! Could you help me with that?

my : "LoginModule extends RealmBase implements LoginModule, Realm"


Arnaud
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12823
    
    5
The ServletRequest class getRemoteAddr() is what you want.
Bill
Arnaud Burlet
Ranch Hand

Joined: Oct 08, 2004
Posts: 31
Well, that's my eternal problem with Java, I perfectly know that getRemoteAddr() is what I need! But I'm always stuck when I try to find a reference to a ServletRequest from within the LoginModule.login() method, that's where I need your help!

thanks, Arnaud
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12823
    
    5
The only LoginModule I can find is an Interface in javax.security.auth.spi.

Now, I have not used this interface, but it looks to me like this:
If you are implementing LoginModule, then you are supposed to implement CallbackHandler in a class that also knows about the request. That appears to be the way you are supposed to handle communication between LoginModule and an application. See javax.security.auth.callback.Callback

Bill
Arnaud Burlet
Ranch Hand

Joined: Oct 08, 2004
Posts: 31
Well, to understand what I'm trying to achieve, you can look for org.apache.catalina.realm.JAASMemoryLoginModule which is a LoginModule. And the CallbackHandler you are talking about is already implemented in Tomcat, I have nothing to do with it except use it.

And that's my problem, I still don't know how to find a reference to the ServletRequest!

Arnaud
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

Well... this interested me, so I've been chewing on it for a while. I'm by no means an expert, so this is all just thinking out loud.

It seems to me that the activity of authentication is merely (and apparently strictly) about taking a username and some provided credentials (perhaps a password, perhaps a certificate?) and determining whether or not that person is "real". I.e., whatever is providing authentication services will say "I authenticate that you are who you claim to be, because the info you provided 'passes' whatever tests I'm running". That is *all* authentication does.

The next part of AA is authorization. Now because all systems are different (and because Tomcat is, after all, in the business of responding to URIs/URLs), one of the things Tomcat must provide authorization for (according to the servlet spec and common sense) is requests for resources. And there you have the first ever mention of anything regarding a ServletRequest, from which you can obtain the IP. Check out methods like org.apache.catalina.realm.RealmBase#findSecurityRestraints(Request ...)

You might be thinking: "Well, I don't even want them to be able to login if they're not from an internal, non-routable IP". I hear you. And at first glance, I would have wanted to implement a custom Login module as well. But from my reading, it doesn't appear trivial (or perhaps even possible).

The thing you *could* do however, is to use a javax.servlet.Filter, mapped to "/*". In this filter (which will be run after the user has authenticated, and perhaps even authorized?) you can check for the IP of the incoming request. If you see something you don't like, then you can send back an un-authorized response, and stop processing the chain.

If you need to tie exact and differing permissions to different IPs... hmm... this is where I run out of steam. I keep looking at that findSecurityRestraints(Request ...) method and wondering if there's something there you can extend and override.
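
The filter approach described in the post above, sketched as an added example that is not part of the original thread or of Tomcat's own code. The class name `InternalAddressFilter` and the helper `isInternal` are assumptions, and it answers rejected requests with 403 Forbidden.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; declare it in web.xml with a <filter-mapping>
// whose <url-pattern> is /* so that every request passes through it.
public class InternalAddressFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy it is the
        // proxy's address, so every client would appear internal.
        if (!isInternal(req.getRemoteAddr())) {
            // Fail closed: stop the chain so the servlet is never reached.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True for loopback and site-local (10/8, 172.16/12, 192.168/16) literals. */
    static boolean isInternal(String literal) {
        // getByName(null) and getByName("") both return loopback, which
        // would wrongly pass the check, so reject them explicitly.
        if (literal == null || literal.isEmpty()) return false;
        try {
            // An IP literal is parsed directly, without a DNS lookup.
            InetAddress addr = InetAddress.getByName(literal);
            // For IPv6, isSiteLocalAddress() covers fec0::/10 only, not fc00::/7.
            return addr.isLoopbackAddress() || addr.isSiteLocalAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public void destroy() { }
}
```

Tomcat also ships `org.apache.catalina.valves.RemoteAddrValve`, which applies the same kind of address check from server configuration rather than application code.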
Arnaud Burlet
Ranch Hand

Joined: Oct 08, 2004
Posts: 31
Thanks Mike,

the Filter solution *could* save my life when I can't find another way, but in my case, that would clearly be a hack!

I'll try to find some docs about findSecurityConstraints(...) and see if it helps. I assume you made a mistake or we are not looking at the same Tomcat version when you talk about findSecurityRestraints(...)

Thanks again, Arnaud