I have some Apache CXF Web services published to the Internet, but I want one of them to be only visible to a specific IP through a VPN.
I modified the CXF XML file so that my Web service is only visible when accessing through that IP, but it is already accessible through the net.
How can I publish my Web service to only the IP only visible through the VPN?
Thanks in advance.
IP filtering should ideally not be done on your application layer. Think about it - You need to process the request to find out if your business code should run. You are using application resources for a request that should never have come to the application.
Use a firewall rule to filter the requests instead (Assuming of course that your firewall resides elsewhere). This will reduce the load on your server and centralize the IP filtering rules for a particular group of servers (Application / DB / File etc).
If your service is available on the internet, the rule to block requests via a specific IP do not make sense. You will need to get a list of IPs to white-list if you intend to restrict access by IP for everyone.
Related
I am developing a web service and a client for it. I want to get the client information from the request in the web service's code. For example, I can fetch the client IP from its HTTP request.
Is there any other parameter (like client application name) of a client except IP or client hostname which I can fetch in a web service's code? I can add any configuration in the servers to pass parameters also. I am open all solutions.
Thanks
Thank you for your answer. Actually, i am searching a solution using configurations without any code changing in client side. Solution can be a lower level of OSI or it can be a change in the servers conf. I will apply the solution for a huge system after all. I am just trying with one client and one service now. But actually in the system there are 1500 clients+services. So i don't want to change code in client side.
I am trying to block certain websites using a web application. So, when a I type a url suppose "http://www.google.com" it should first check whether google is blocked by my application or not. If not open the website otherwise reject the browser request to open it. I am unable to find a way to capture all HTTP request from browser so that I can process it.
I Know proxies are the most suitable option but is there any alternative solution to this. After some searching I found a library - jpcap (a network packet capture library) and I was wondering if this could help me or not?
What you are trying to create is a proxy-server.
You have to configure the browser to go through the proxy, then you can deny websites, reroute them etc.
There are many proxies already there (open source and commercial) that offer what you want.
For example: Squid http://www.squid-cache.org/
See Wikipedia description of a proxy here: https://en.wikipedia.org/wiki/Proxy_server
Many firewall products offer the service of a transparent proxy, redirecting all http/https traffic going through the firewall into a proxy server. It seems, you have a direct connection but your packages are really filtered. Aka transparent proxy.
If your assignment does not allow this context, you need to check the assignment again, if you really got the scope of filtering right.
You cannot take over the browser's ip communication from a servlet or servlet filter. Using a (servlet) filter, you can only filter requests directed to your application. One step above, using an application server valve (Tomcat uses this term, others may use a different one), you can only filter requests directed at that server. One step above (or below) your application server is the physical server and the network it is running in.
If your client does not share the same network as your server, you can't even apply transparent proxy to it. Since browsers are running on the client computer, most clients in the world do not share the same network zone as the server.
It just does not work as you expect it.
I have an web application (Java-html5/js) which runs on our servers that is accessed simply by its URL, no login options or checks. I have been asked to secure it, but I have no access to its source code and I have not managed to contact the developer behind it. It is widely being used on the company, so there is no option to shut it down. The other applications on the network require authentication, so I can use those credentials for this app as well, by redirecting him from a another page. But once he logins, how can I stop him from just accessing the actual unsecured url?
If you're unable to change anything on this server, you may do the following:
Install a proxy server with authentication on another machine - if there's not already one in the company
restrict access to the app server to this proxy's IP address by putting it behind a firewall or changing routing rules
You need to go through the proxy to access and you need to authenticate. Way complicated but should work
My question is upper) I'm building Client-Server app on java and want to try implement OAuth2.0 authentication. Yet there is a problem - I haven't static IP address. Could I implement it whith such services like Google or Facebook when my app is on localhost?
First off, some of the OAuth providers won't even accept IP addresses, so even if you have a static IP it won't work.
You can try to use localhost, but that is not always possible or desirable, for instance when you want to test over a local network.
There is another way to get around this. What you can do is:
Pick a domain name which will never exist. For example: random.rubbish
Setup your OAuth apps with this domain name, i.e. register with Facebook and Google using http://random.rubbish/ as your domain and you can add a path if you want. This is only an example, you can change http and random.rubbish to whatever you need.
Now on your local system, you can edit the HOSTS file and put an entry for random.rubbish as follows: random.rubbish 127.0.0.1
Now in your browser when you go to http://random.rubbish, it will take you to localhost (port 80 because of http). This is because the first check the system performs to resolve a domain name is the HOSTS file.
If you want to test over a local network, you can add this entry to your DHCP server, or you can edit the HOSTS file on every machine where you will be accessing the server.
This question might have been asked before as it is quite a common exercise, but I am not sure what to search with.
I have a rest client app hosted on one instance of Tomcat and a rest server hosted on a different tomcat instance on another hostname. This works well, but currently I have the hostname hardcoded in the java classes. How can I parameter-ize the host name inside the rest client so that it allows for a future change without restarting the tomcat on which the rest client is hosted ?
There are a number of solutions you could employ including (but not limited to):
look up the server hostname in a properties or xml file on the client server (each time you want to make a REST call)
provide a mechanism in the client app to configure the server hostname and store it in memory
look up the server hostname in a directory such as LDAP or AD or in a database (each time you want to make a REST call)
You could employ a caching mechanism if you don't want to look up the value every time - perhaps once it is read it only expires after a number of seconds/minutes, or after a number of calls.
A quite common technique to pass environment variables and even hostname is define a System variable that you could read using java.lang.System.getenv() or java.lang.System.getProperty() if you are using Maven once your application startup read this variable in a static class of constants so the value will be set at the beginning and remain until the end of the application there other techniques that involve, web.xml but to keep it simple this will work. Just add the var to the enviroment and read it.
You can always pass the host name in arguments during client process startup and then read those arguments using System.getProperty("hostName").