samlover

Restricting client IP access

Posted 2004/12/30 15:25:00, 1151 views

When securing HTTP traffic, you may wish to consider limiting access to clients with a certain IP address. You can do this at many levels.

Limiting client access using Tomcat (Engine, Host, or Context level)

If you want to limit client access at a high level such as the entire server, you will use a Tomcat valve.

Tomcat has two valves that filter traffic based on the client's IP address: RemoteAddrValve and RemoteHostValve. Both valves extend RequestFilterValve.

For a discussion of how to configure Tomcat valves see http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/index.html.

To configure Tomcat in JBoss, you will need to edit either server.xml or jboss-service.xml, depending on the JBoss version.

  • For JBoss 3.2.4 and higher server.xml is found in <jboss install dir>/server/<configuration>/deploy/jbossweb-tomcat50.sar
  • For JBoss 3.2.3 and lower jboss-service.xml is found in <jboss install dir>/server/<configuration>/deploy/jbossweb-tomcat41.sar/META-INF

Limiting client access using a servlet filter (Servlet or url-pattern level)

If you want to limit client access to a particular servlet or to requests that match a url pattern, you can use the servlet filter attached to this page. This requires JDK 1.4 or higher.

To install, place the attached jar in your WEB-INF/lib directory. If you want to use it in multiple web applications then you can instead put it in your <jboss install>/server/<configuration>/lib directory.

There is also an attached example web.xml file that shows how to configure the filter. The main part to look at is the filter definition:

  <filter>
     <filter-name>RemoteHostFilter</filter-name>
     <filter-class>org.jboss.remotehostfilter.RemoteHostFilter</filter-class>
     <init-param>        
        <param-name>deny</param-name>
        <param-value>150.0.0.*</param-value>
     </init-param>
     <init-param>        
        <param-name>allow</param-name>
        <param-value>192.4.5.6,127.0.0.*</param-value>
     </init-param>
  </filter>

This filter is configured by setting the "allow" and/or "deny" properties to a comma-delimited list of regular expressions (in the syntax supported by the java.util.regex package) to which the client IP address will be compared.

Evaluation proceeds as follows:

  • If there are any deny expressions configured, the IP will be compared to each expression. If a match is found, this request will be rejected with a "Forbidden" HTTP response.
  • If there are any allow expressions configured, the IP will be compared to each such expression. If a match is NOT found, this request will be rejected with a "Forbidden" HTTP response.
  • Otherwise, the request will continue normally.
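
The evaluation order above, worked through in Java with the deny and allow values from the example web.xml. This is an added example, not the attached RemoteHostFilter.java; the class name AllowDenyDemo, the whole-string match, the sample client addresses and the 10.1.1.* pattern are assumptions made for illustration.

```java
import java.util.regex.Pattern;

// Added illustration; NOT the attached RemoteHostFilter.java.
public class AllowDenyDemo {

    // Splits a comma-delimited init-param value into compiled patterns.
    static Pattern[] compile(String list) {
        if (list == null || list.trim().isEmpty()) return new Pattern[0];
        String[] parts = list.split(",");
        Pattern[] out = new Pattern[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = Pattern.compile(parts[i].trim());
        return out;
    }

    // Assumption: whole-string match (Matcher.matches), not a substring search.
    static boolean matchesAny(Pattern[] patterns, String ip) {
        for (Pattern p : patterns) if (p.matcher(ip).matches()) return true;
        return false;
    }

    // Evaluation order from the page: deny first, then allow, otherwise continue.
    static boolean permitted(String deny, String allow, String ip) {
        Pattern[] denies = compile(deny), allows = compile(allow);
        if (denies.length > 0 && matchesAny(denies, ip)) return false;   // 403 Forbidden
        if (allows.length > 0 && !matchesAny(allows, ip)) return false;  // 403 Forbidden
        return true;
    }

    public static void main(String[] args) {
        // Values from the example web.xml; client addresses are constructed samples.
        String deny = "150.0.0.*", allow = "192.4.5.6,127.0.0.*";
        for (String ip : new String[] {"127.0.0.1", "192.4.5.6", "150.0.0.9", "10.9.8.7"})
            System.out.println(ip + " -> " + (permitted(deny, allow, ip) ? "continue" : "Forbidden"));

        // Constructed pattern: an unescaped "." matches any character, so "loose"
        // also covers 10.1.15.7 and 10.101.3.4, which lie outside 10.1.1.0/24.
        // "strict" uses \d+ rather than \d{1,3} because the list is comma-delimited.
        String loose = "10.1.1.*", strict = "10\\.1\\.1\\.\\d+";
        for (String ip : new String[] {"10.1.1.5", "10.1.15.7", "10.101.3.4"})
            System.out.println(ip + " loose=" + permitted(null, loose, ip)
                    + " strict=" + permitted(null, strict, ip));
    }
}
```

Because the entries are regular expressions and not wildcard masks, escape each literal dot in web.xml (for example 150\.0\.0\..*) when the pattern must cover one subnet only.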


Attachments:
  • hostfilter.jar (3771 bytes)
  • web.xml (1538 bytes)
  • RemoteHostFilter.java (5239 bytes)
  • TestServlet.java (2592 bytes)

