Well, that's my eternal problem with Java, I perfectly know that getRemoteAddr() is what I need! But I'm always stuck when I try to find a reference to a ServletRequest from within the LoginModule.login() method, that's where I need your help!
Author and all-around good cowpoke
Joined: Mar 22, 2000
The only LoginModule I can find is an Interface in javax.security.auth.spi.
Now, I have not used this interface, but it looks to me like this: If you are implementing LoginModule, then you are supposed to implement CallbackHandler in a class that also knows about the request. That appears to be the way you are supposed to handle communication between LoginModule and an application. See javax.security.auth.callback.Callback
Joined: Oct 08, 2004
Well, to understand what I'm trying to achieve, you can look for org.apache.catalina.realm.JAASMemoryLoginModule which is a LoginModule. And the CallbackHandler you are talking about is already implemented in Tomcat, I have nothing to do with it except use it.
And that's my problem, I still don't know how to find a reference to the ServletRequest!
Well... this interested me, so I've been chewing on it for a while. I'm by no means an expert, so this is all just thinking out loud.
It seems to me that the activity of authentication is merely (and apparently strictly) about taking a username and some provided credentials (perhaps a password, perhaps a certificate?) and determining whether or not that person is "real", i.e. whatever is providing authentication services will say "I authenticate that you are who you claim to be, because the info you provided 'passes' whatever tests I'm running". That is *all* authentication does.
The next part of AA is authorization. Now because all systems are different (and because tomcat is after all, in the business of responding to URI/URLs), one of the things Tomcat must provide authorization for (according to servlet spec and common sense) is requests for resources. And there you have the first ever mention of anything regarding a ServletRequest, from which you can obtain the IP. Check out methods like org.apache.catalina.realm.RealmBase#findSecurityRestraints(Request ...)
You might be thinking: "Well, I don't even want them to be able to login if they're not from an internal, non-routable IP". I hear you. And at first glance, I would have wanted to implement a custom Login module as well. But from my reading, it doesn't appear trivial (or perhaps even possible).
The thing you *could* do however, is to use a javax.servlet.Filter, mapped to "/*". In this filter (which will be run after the user has authenticated, and perhaps even authorized?) you can check for the IP of the incoming request. If you see something you don't like, then you can send back an un-authorized response, and stop processing the chain.
If you need to tie exact and differing permissions to different IPs... hmm... this is where I run out of steam. I keep looking at that findSecurityRestraints(Request ...) method and wondering if there's something there you can extend and override.
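The Filter approach described above, written out as an added example (this is not code from the thread or from Tomcat itself). It assumes a servlet 2.x/3.x container, a filter mapped to "/*", and an init-param named `allowedRanges` holding a comma-separated list of CIDR blocks; the class and parameter names are my own choices. The check uses `getRemoteAddr()`, which is the address of the immediate TCP peer, so behind a reverse proxy it will see the proxy, not the client; in that deployment you would configure Tomcat's RemoteIpValve (or an equivalent trusted-proxy mechanism) rather than reading `X-Forwarded-For` yourself, because that header is client-controlled.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects with 403 any request whose peer address is outside the configured
 * CIDR ranges. Map it to "/*" so it runs for every resource.
 * Example init-param (constructed for this example):
 *   allowedRanges = 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8
 */
public class InternalAddressFilter implements Filter {

    /** One parsed CIDR block, e.g. 10.0.0.0/8 (works for IPv4 and IPv6). */
    static final class Cidr {
        private final byte[] network;
        private final int prefixLength;

        Cidr(byte[] network, int prefixLength) {
            this.network = network;
            this.prefixLength = prefixLength;
        }

        static Cidr parse(String text) throws UnknownHostException {
            String[] parts = text.split("/");
            // getByName on an IP literal does no DNS lookup.
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (prefix < 0 || prefix > net.length * 8) {
                throw new IllegalArgumentException("bad prefix length in " + text);
            }
            return new Cidr(net, prefix);
        }

        /** True when the first prefixLength bits of addr equal those of network. */
        boolean contains(InetAddress addr) {
            byte[] a = addr.getAddress();
            if (a.length != network.length) {
                return false; // IPv4 range never matches an IPv6 peer and vice versa
            }
            int fullBytes = prefixLength / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (a[i] != network[i]) {
                    return false;
                }
            }
            int remaining = prefixLength % 8;
            if (remaining == 0) {
                return true;
            }
            int mask = (0xFF << (8 - remaining)) & 0xFF;
            return (a[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final List<Cidr> allowed = new ArrayList<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("allowedRanges");
        if (raw == null || raw.trim().isEmpty()) {
            // Fail closed: refusing to start is safer than silently allowing everyone.
            throw new ServletException("init-param 'allowedRanges' is required");
        }
        try {
            for (String block : raw.split(",")) {
                allowed.add(Cidr.parse(block.trim()));
            }
        } catch (UnknownHostException | IllegalArgumentException e) {
            throw new ServletException("invalid allowedRanges: " + raw, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        InetAddress peer;
        try {
            peer = InetAddress.getByName(req.getRemoteAddr()); // IP literal, no DNS
        } catch (UnknownHostException e) {
            peer = null;
        }
        if (peer == null || !isAllowed(peer)) {
            // Stop the chain here; the protected servlet never runs.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    boolean isAllowed(InetAddress peer) {
        for (Cidr c : allowed) {
            if (c.contains(peer)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        allowed.clear();
    }
}
```

Register it in web.xml with a `<filter>` element carrying the `allowedRanges` init-param and a `<filter-mapping>` with `<url-pattern>/*</url-pattern>`. Because it runs inside the webapp, the container's authenticator has already done its work by the time this filter sees the request, which matches the "after the user has authenticated" caveat above; it cannot prevent the login exchange itself, only access to resources afterwards.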
Joined: Oct 08, 2004
The Filter solution *could* save my life when I can't find another way, but in my case, that would clearly be a hack!
I'll try to find some docs about findSecurityConstraints(...) and see if it helps. I assume you made a mistake or we are not looking at the same Tomcat version when you talk about findSecurityRestraints(...).