
Restricting access to localhost for Java Servlet endpoint

In short - I would like to add such service endpoints to my servlet that can only be called from localhost. The restriction should be coded in the servlet itself, i.e. it should not depend on Tomcat/Apache being configured in a certain way. At the same time, there are many other, existing endpoints that should be reachable externally.

Longer description - I am creating an HTTP API that 3rd parties can implement to integrate with my application. I am also supplying a default implementation, bundled together with my app, that customers with simple requirements can use, without having to implement anything.

The endpoints of my default implementation should be reachable only for my app, which happens to be the same servlet as the one supplying the implementation, i.e. it runs on the same host. So for security reasons (the API is security related), I want my implementation to be usable only for my app, which in the first round means restricting access to localhost for a set of HTTP endpoints.

At the same time, I don't want to rely on customers setting up their container/proxy properly, but do the restriction in my servlet, so that there are no changes required for existing installations.

So far the only idea I had was to check the requestor's IP address in a servlet filter - so I am wondering if there is a better, more sophisticated way.

I think you should add a Web Filter to your application and check your URL in the doFilter method. Check request.getRemoteAddr(), and you can put the endpoint path in urlPatterns.

Like this:

import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.*;                    // Servlet 4.0+: init()/destroy() have defaults
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*")
public class RequestDefaultFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (isForbidden(request, response))
            return;                        // 403 has already been written
        chain.doFilter(request, response);
    }
    // Placeholder check (adjust to your needs): reject non-loopback peers with 403.
    private boolean isForbidden(ServletRequest request, ServletResponse response)
            throws IOException {
        if (InetAddress.getByName(request.getRemoteAddr()).isLoopbackAddress())
            return false;
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        return true;
    }
}

The isForbidden implementation is up to you. In the response you can just send a 403 error code, for example.

You can also make the same check in the servlet and send a 403 error in the response.
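A fuller version of the filter approach from the answer above, written as an added example (it is not code from the original question or answer). It maps the filter only to a hypothetical /internal/* path so the other endpoints stay reachable, accepts both the IPv4 and IPv6 loopback forms that getRemoteAddr() can return, and adds a second check that the localhost rule alone cannot give: because the calling app and the default implementation run in the same JVM, a random token generated at startup and sent by the app's own HTTP client in an assumed X-Internal-Token header is known to no other process on the machine. The class name, the path, the header name and the sample addresses in main() are all assumptions made for the example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from the original post. Admits requests to the
 * hypothetical /internal/* endpoints only when (a) the TCP peer is a loopback
 * address and (b) the caller presents a per-process secret. Every other path
 * of the application is untouched because the filter is mapped only here.
 * Needs Servlet 4.0+ (Tomcat 9+) for the default init()/destroy(); on older
 * containers add empty implementations of both.
 */
@WebFilter(urlPatterns = "/internal/*")
public class LoopbackOnlyFilter implements Filter {

    /** Header name is an assumption; the app's own HTTP client must send it. */
    static final String TOKEN_HEADER = "X-Internal-Token";

    /** Generated once per JVM and never written anywhere, so only code in this process knows it. */
    static final byte[] INTERNAL_TOKEN = newToken();

    /** Dotted-quad IPv4, or an IPv6 literal (must contain ':', so getByName() never does DNS). */
    private static final Pattern IP_LITERAL =
            Pattern.compile("(\\d{1,3}(\\.\\d{1,3}){3})|([0-9A-Fa-f:]*:[0-9A-Fa-f:.]*)");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use only getRemoteAddr(), the peer address the container saw on the
        // socket. Never read X-Forwarded-For / X-Real-IP here: any remote
        // client can set those headers to "127.0.0.1".
        if (!isLoopback(request.getRemoteAddr())
                || !hasValidToken(request.getHeader(TOKEN_HEADER))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only for 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.x.x. */
    static boolean isLoopback(String remoteAddr) {
        // Fail closed on null, empty or anything that is not an IP literal.
        if (remoteAddr == null || !IP_LITERAL.matcher(remoteAddr).matches()) {
            return false;
        }
        try {
            // Parses the literal and folds ::ffff:127.0.0.1 into an Inet4Address,
            // so one isLoopbackAddress() call covers every spelling.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    /** Constant-time comparison so the token cannot be guessed byte by byte. */
    static boolean hasValidToken(String header) {
        if (header == null) {
            return false;
        }
        return MessageDigest.isEqual(
                header.getBytes(StandardCharsets.US_ASCII), INTERNAL_TOKEN);
    }

    private static byte[] newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw)
                .getBytes(StandardCharsets.US_ASCII);
    }

    /** Stand-alone demonstration of both checks on constructed sample peers. */
    public static void main(String[] args) {
        String[] loopback = {"127.0.0.1", "127.0.0.2", "::1", "0:0:0:0:0:0:0:1", "::ffff:127.0.0.1"};
        String[] remote   = {"10.0.0.5", "::ffff:10.0.0.5", "localhost", "", "fe80::1%lo0"};
        for (String a : loopback) System.out.println(a + " -> " + isLoopback(a)); // all true
        for (String a : remote)   System.out.println(a + " -> " + isLoopback(a)); // all false

        String token = new String(INTERNAL_TOKEN, StandardCharsets.US_ASCII);
        System.out.println(hasValidToken(token));         // true
        System.out.println(hasValidToken("wrong-token")); // false
    }
}
```

Two caveats a practitioner should keep in mind with the IP check. getRemoteAddr() is the peer the container saw on the socket: if a reverse proxy on the same machine (Apache httpd with mod_proxy, nginx) sits in front of Tomcat, every request arrives from 127.0.0.1 and the check admits everyone, and if Tomcat's RemoteIpValve or RemoteIpFilter is configured to rewrite the remote address from X-Forwarded-For, the check only holds when that proxy list is correct. Both make the result depend on the customer's container setup, which is exactly what the question wants to avoid, and even a correct localhost check still admits every other process on the host. The per-process token above closes those gaps because it never leaves the JVM; the other clean option is to have the app call the default implementation in-process instead of over HTTP.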

The technical posts on this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. For any questions please contact: yoyou2525@163.com.
