堆栈内存溢出
  简体   繁体   English

如何确保Java Play应用程序仅接受来自特定主机的HTTP请求?

[英]How do I ensure my Java Play application only accepts HTTP requests from a particular host?

 原文  2017-03-14 15:47:16       java/ security/ playframework/ playframework-2.0

问题描述

I'm using the Play framework for Java for an app. 我正在使用适用于JavaPlay框架 I am attempting to make it distributed by deploying copies of the application across several servers and having a configurable list of nodes in the database, which must be able to communicate between each other. 我试图通过在几台服务器之间部署应用程序副本并在数据库中具有可配置的节点列表来使其分布,这些节点必须能够相互通信。 In MongoDB, the list is stored in JSON like so: 在MongoDB中,列表像这样存储在JSON中: 

{
  "master": "host1.com:2678",
  "nodes": ["host2.com:2678", "host3.com:2678", "host4.com:2678"]
}

The code deployed on each server is identical, but the scheduler is enabled only on the master node and will schedule particular work to nodes depending on how busy they are. 部署在每个服务器上的代码是相同的,但是调度程序仅在主节点上启用,并且将根据节点的繁忙程度来调度特定的工作。 Code not provided here as the specifics of the scheduler's operation isn't important for my question. 对于我的问题,此处未提供作为调度程序操作细节的代码并不重要。

In order to know how busy they are, to schedule things and for other status updates, the nodes need to be able to communicate with each other. 为了知道它们的繁忙程度,安排时间并进行其他状态更新,节点需要能够相互通信。 Play Framework's Web Service client allows me to do this by making HTTP requests from within one node to the other like so Play Framework的Web服务客户端允许我通过从一个节点到另一个节点发出HTTP请求来做到这一点,就像这样 

HttpResponse res = WS.url("http://host2.com").get();

But the idea is for specific HTTP requests (such as those used for scheduling) to be allowed only if coming from another one of the nodes (Be it the master or slave nodes) but not from a web browser, curl, etc. How do I do that securely? 但是这个想法是,仅当来自另一个节点(无论是主节点还是从节点)但不来自Web浏览器,curl等时,才允许特定的HTTP请求(例如用于调度的请求)。我可以安全地这样做吗? I can check for the host of the incoming request or particular headers but surely those are easy to forge? 我可以检查传入请求的主机或特定的标头,但是肯定可以轻松伪造这些标头吗?

2 个解决方案

解决方案1
 2  2017-03-15 11:27:10

If you want this to be enforced on all controllers, Check out play allowed hosts filter . 如果要在所有控制器上强制执行此操作,请检出允许播放的主机过滤器

If you want to enforce this filter on a specific Controller \\ method you can try to do this: 如果要在特定的Controller \\方法上强制使用此过滤器,则可以尝试执行以下操作: 

class MyController @Injects()(filter: AllowedHostsFilter) extends Controller {
  def get = filter.apply(Action.async { implicit request =>
    Future.successful(Ok)
  })
}

解决方案2
 0  2017-03-14 17:00:05

You could have a look into pac4j.org they have a lot of options to implement security features on play. 您可以查看pac4j.org,他们有很多选项可以实现安全功能。

You could maybe filter by ip address: 您可以按IP地址进行过滤:

http://www.pac4j.org/1.9.x/docs/authenticators/ip.html http://www.pac4j.org/1.9.x/docs/authenticators/ip.html

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何设置安全性,以便我的服务器只接受来自我的应用程序的请求 - How can I put in security so that my server only accepts requests coming from my app Java Spring MVC应用程序仅接受带有斜杠的POST请求 - Java Spring MVC application accepts POST requests only with trailing slash 如何将 http 入口点设置为我的 Java 应用程序 - How do I set http entry point to my java application 如何从Java小程序确定主机? - How do I determine the host from my Java applet? 如何在Java Play中删除HTTP请求! 过滤? - How to drop HTTP requests in a Java Play! filter? 如何确保在主机捆绑包之前安装我的OSGi片段? - How do I ensure my OSGi fragments get installed before the host bundle? 如何从 java.net.HttpClient 请求的响应中获取 http 状态消息 - How do I get the http status message from responses on java.net.HttpClient requests Fiddler没有从Java应用程序捕获HTTP请求 - Fiddler not capturing HTTP requests from Java Application 如何为我的Android应用程序托管Java udp程序? - How can i host java udp program for my android application? 如何从我的 Java 应用程序与控制台应用程序交互? - How do I interact with a console application from my Java app?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM