
How do I ensure my Java Play application only accepts HTTP requests from a particular host?

I'm using the Play framework for Java for an app. I am attempting to make it distributed by deploying copies of the application across several servers and having a configurable list of nodes in the database, which must be able to communicate between each other. In MongoDB, the list is stored in JSON like so:

{
  "master": "host1.com:2678",
  "nodes": ["host2.com:2678", "host3.com:2678", "host4.com:2678"]
}

The code deployed on each server is identical, but the scheduler is enabled only on the master node and will schedule particular work to nodes depending on how busy they are. Code is not provided here, as the specifics of the scheduler's operation aren't important for my question.

In order to know how busy they are, to schedule things and for other status updates, the nodes need to be able to communicate with each other. Play Framework's Web Service client allows me to do this by making HTTP requests from within one node to the other like so:

HttpResponse res = WS.url("http://host2.com").get();

But the idea is for specific HTTP requests (such as those used for scheduling) to be allowed only if coming from another one of the nodes (be it the master or slave nodes) but not from a web browser, curl, etc. How do I do that securely? I can check for the host of the incoming request or particular headers, but surely those are easy to forge?

If you want this to be enforced on all controllers, check out Play's allowed hosts filter.

If you want to enforce this filter on a specific controller / method, you can try to do this:

import javax.inject.Inject
import play.api.mvc._
import play.filters.hosts.AllowedHostsFilter
import scala.concurrent.Future

class MyController @Inject()(filter: AllowedHostsFilter) extends Controller {
  def get = filter.apply(Action.async { implicit request =>
    Future.successful(Ok)
  })
}

You could have a look into pac4j.org; they have a lot of options to implement security features on Play.

You could maybe filter by IP address:

http://www.pac4j.org/1.9.x/docs/authenticators/ip.html
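As an added example (not code from the question or from either answer), here is the IP allow-list idea done with Play 2.6's Java action composition instead of pac4j. It assumes a hypothetical config key cluster.nodeAddresses holding the cluster nodes' IP addresses; the NodeOnlyAction class name and the schedule() method are likewise made up for this illustration.

```java
import com.typesafe.config.Config;
import play.mvc.Action;
import play.mvc.Http;
import play.mvc.Result;

import javax.inject.Inject;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;

// Rejects any request whose peer address is not one of the cluster nodes.
// Apply it per action with:  @With(NodeOnlyAction.class)  public Result schedule() { ... }
public class NodeOnlyAction extends Action.Simple {

    private final Set<String> allowedAddresses;

    @Inject
    public NodeOnlyAction(Config config) {
        // Assumed config key (not from the original page). Entries must be IP
        // addresses, not "host:port" names: remoteAddress() yields the peer IP,
        // so hostnames like "host2.com:2678" would never match.
        allowedAddresses = new HashSet<>(config.getStringList("cluster.nodeAddresses"));
    }

    @Override
    public CompletionStage<Result> call(Http.Context ctx) {
        // remoteAddress() is the TCP peer address, except that Play honours
        // X-Forwarded-For only from proxies listed in
        // play.http.forwarded.trustedProxies, so the value cannot be set by an
        // arbitrary client merely by adding a header.
        String peer = ctx.request().remoteAddress();
        if (!allowedAddresses.contains(peer)) {
            return CompletableFuture.completedFuture(
                    forbidden("this endpoint accepts requests from cluster nodes only"));
        }
        // Peer is a known node: continue to the wrapped controller method.
        return delegate.call(ctx);
    }
}
```

Because the check runs before the controller body, a browser or curl request from any other address gets a 403 without the scheduling code ever executing.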
