
get the remote IP address from a LoginModule

 
Arnaud Burlet
Ranch Hand
Hi, I'm trying to write a custom LoginModule for Tomcat that will be used to authenticate users before they can use some servlets...

The authentication depends on the remote IP (IP of the user) and I couldn't yet find a way to get that IP address from the LoginModule's code! Could you help me with that?

my : "LoginModule extends RealmBase implements LoginModule, Realm"


Arnaud
 
William Brogden
Author and all-around good cowpoke
Rancher
The ServletRequest class getRemoteAddr() is what you want.
Bill
 
Arnaud Burlet
Ranch Hand
Well, that's my eternal problem with Java. I perfectly know that getRemoteAddr() is what I need! But I'm always stuck when I try to find a reference to a ServletRequest from within the LoginModule.login() method; that's where I need your help!

thanks, Arnaud
 
William Brogden
Author and all-around good cowpoke
Rancher
The only LoginModule I can find is an Interface in javax.security.auth.spi.

Now, I have not used this interface, but it looks to me like this:
If you are implementing LoginModule, then you are supposed to implement CallbackHandler in a class that also knows about the request. That appears to be the way you are supposed to handle communication between LoginModule and an application. See javax.security.auth.callback.Callback

Bill
 
Arnaud Burlet
Ranch Hand
Well, to understand what I'm trying to achieve, you can look for org.apache.catalina.realm.JAASMemoryLoginModule which is a LoginModule. And the CallbackHandler you are talking about is already implemented in Tomcat, I have nothing to do with it except use it.

And that's my problem, I still don't know how to find a reference to the ServletRequest!

Arnaud
 
Mike Curwen
Ranch Hand
Well... this interested me, so I've been chewing on it for a while. I'm by no means an expert, so this is all just thinking out loud.

It seems to me that the activity of authentication is merely (and apparently strictly) about taking a username and some provided credentials (perhaps a password, perhaps a certificate?) and determining whether or not that person is "real". I.e.: whatever is providing authentication services will say "I authenticate that you are who you claim to be, because the info you provided 'passes' whatever tests I'm running". That is *all* authentication does.

The next part of AA is authorization. Now because all systems are different (and because Tomcat is, after all, in the business of responding to URI/URLs), one of the things Tomcat must provide authorization for (according to the servlet spec and common sense) is requests for resources. And there you have the first ever mention of anything regarding a ServletRequest, from which you can obtain the IP. Check out methods like org.apache.catalina.realm.RealmBase#findSecurityRestraints(Request ...)

You might be thinking: "Well, I don't even want them to be able to login if they're not from an internal, non-routable IP". I hear you. And at first glance, I would have wanted to implement a custom Login module as well. But from my reading, it doesn't appear trivial (or perhaps even possible).

The thing you *could* do, however, is to use a javax.servlet.Filter, mapped to "/*". In this filter (which will be run after the user has authenticated, and perhaps even authorized?) you can check for the IP of the incoming request. If you see something you don't like, then you can send back an unauthorized response, and stop processing the chain.

If you need to tie exact and differing permissions to different IPs... hmm... this is where I run out of steam. I keep looking at that findSecurityRestraints(Request ...) method and wondering if there's something there you can extend and override.
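
The Filter approach suggested in the post above, written out as an added example (not code from any poster in this thread). The class name `InternalAddressFilter` and the helper `isInternal` are hypothetical, and the "internal, non-routable" test is assumed to mean loopback or RFC 1918 site-local addresses.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; declare it in web.xml and map it to /* so it sees every request.
public class InternalAddressFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the peer of the TCP connection. Behind a reverse
        // proxy this is the proxy's address, not the end user's.
        if (isInternal(request.getRemoteAddr())) {
            chain.doFilter(request, response);   // allowed: continue down the chain
            return;
        }
        // Refuse and stop the chain. 403 is used here because the refusal is
        // about where the request came from, not about missing credentials.
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    // Fails closed: anything that cannot be parsed is treated as external.
    static boolean isInternal(String remoteAddr) {
        // InetAddress.getByName(null) returns the loopback address, so a missing
        // value must be rejected before parsing or it would be let through.
        if (remoteAddr == null || remoteAddr.isEmpty()) {
            return false;
        }
        try {
            InetAddress addr = InetAddress.getByName(remoteAddr); // IP literal: no DNS lookup
            // isSiteLocalAddress() covers 10/8, 172.16/12 and 192.168/16 for IPv4;
            // for IPv6 it matches only the deprecated fec0::/10 range, not fc00::/7.
            return addr.isLoopbackAddress() || addr.isSiteLocalAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    @Override
    public void destroy() { }
}
```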
 
Arnaud Burlet
Ranch Hand
Thanks Mike,

the Filter solution *could* save my life when I can't find another way, but in my case, that would clearly be a hack!

I'll try to find some docs about findSecurityConstraints(...) and see if it helps. I assume you made a mistake or we are not looking at the same Tomcat version when you talk about findSecurityRestraints(...)

Thanks again, Arnaud
 