I've been looking into a way of passing the client IP as well as the userid and password from a JAAS login page to the JAAS login module implementation in my web code. JAAS only allows the user id and password to be passed to the login module. My idea is to have JavaScript code append the IP address to the user id and then call the form submit. I just don't have the right JavaScript code to do this. Can you help?

The web page has two input fields, j_userid and j_password, which the JAAS code knows to look at. So what JavaScript code can I use to add the IP address to the j_userid field before the form submit? I was thinking of 'ip-address#userid' and then in my login module I'd take the IP address off the userid.

A: 

Sorry, I don't think there is a way to obtain the IP on the client side, in plain JavaScript.

Testing the remote IP on the server side is probably not a solution if you don't control the infrastructure between the client and the server (load-balancers, proxies...). If you're confident the remote IP is the IP of the client, you should be able to hack a Tomcat Valve or a servlet filter.

fg
I can get the ip address onto the page in a hidden field using a JSF bean. The problem is passing it through to the JAAS login module.
Martlark
A: 

I created these two JavaScript functions.

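// Called from the Login button: prefixes the user ID with the client IP
// and submits the JAAS login form.
function addIpSubmit()
{
  var theForm = document.getElementById("login_form");
  // j_username is the hidden field JAAS reads; fill it with "ip#userid".
  var userName = theForm.username.value;
  userName = theForm.clientip.value + "#" + userName;
  theForm.j_username.value = userName;
  // Submit only when both visible fields have a value.
  if (validate_required(theForm.username, "User ID is required"))
  {
    if (validate_required(theForm.j_password, "Password is required"))
    {
      theForm.submit();
    }
  }
}

// Returns true if the field has a value; otherwise shows alerttxt and returns false.
// Reads field.value directly instead of using the deprecated "with" statement.
function validate_required(field, alerttxt)
{
  if (field.value == null || field.value == "")
  {
    alert(alerttxt);
    return false;
  }
  return true;
}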

addIpSubmit is called from a login button. You can see I have a bean to put the ip address into a hidden field. The j_username JAAS field is also hidden and is filled in by the addIpSubmit() function.

<input id="clientip" type="hidden" name="clientip" value="#{loginMBean.ip}"/>
<input id="j_username" type="hidden" name="j_username" />
<input type="button" name="OtherLogin" value="Login" onclick="addIpSubmit()" />

It munges the IP onto the user name and calls the JAAS submit functions. Then in the login module I get the IP address and user name out.

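String userid = username;

// The form sends "ip#userid". Split on the first '#' only, so that
// "ip#" does not throw and a '#' inside the user ID is preserved.
if( username.contains( "#" ) )
{
 String[] parts = username.split( "#", 2 );
 ip = parts[0];
 userid = parts[1];
}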

Just remember that the FacesContext.getCurrentInstance().getExternalContext().getRemoteUser() now has the ip#userid in it.

Martlark
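
An added example, not part of the answers above: a stricter parser for the `ip#userid` value inside the login module. The prefix arrives in a form field, so it is client-supplied input; this sketch validates its shape and handles a missing prefix, an empty user ID and a user ID that contains `#`. The class name `IpUserId` and its fields are hypothetical.

```java
import java.util.regex.Pattern;

// Added example (hypothetical helper, not the answer's code): parses the
// "ip#userid" string that addIpSubmit() places in j_username.
public final class IpUserId {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    // Strict dotted-quad IPv4.
    private static final Pattern IPV4 =
        Pattern.compile("(" + OCTET + "\\.){3}" + OCTET);
    // Shape check only for IPv6: hex digits and colons, bounded length.
    private static final Pattern IPV6_SHAPE = Pattern.compile("[0-9A-Fa-f:]{2,39}");

    public final String ip;      // null if the prefix was missing or malformed
    public final String userId;  // never null; may be empty, caller must reject

    private IpUserId(String ip, String userId) {
        this.ip = ip;
        this.userId = userId;
    }

    public static IpUserId parse(String username) {
        if (username == null) {
            throw new IllegalArgumentException("username must not be null");
        }
        int sep = username.indexOf('#');
        if (sep < 0) {
            return new IpUserId(null, username);   // form sent no prefix at all
        }
        // Split on the FIRST '#' only, so a user ID containing '#' survives
        // and "192.0.2.10#" yields an empty user ID instead of an exception.
        String prefix = username.substring(0, sep);
        String userId = username.substring(sep + 1);
        boolean valid = IPV4.matcher(prefix).matches()
            || (prefix.contains(":") && IPV6_SHAPE.matcher(prefix).matches());
        return new IpUserId(valid ? prefix : null, userId);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = { "192.0.2.10#alice", "2001:db8::1#bob",
                             "999.1.1.1#carol", "192.0.2.10#", "dave", "#erin" };
        for (String s : samples) {
            IpUserId r = parse(s);
            System.out.println(s + " -> ip=" + r.ip + " userId='" + r.userId + "'");
        }
    }
}
```

In the login module, fail the login when `userId` is empty, and log `ip` as the address the form reported rather than as a server-observed one.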