tags:

views:

49

answers:

3
+1  Q: 

How to block an IP with Seam and JBoss AS?

Hi,

for security reasons, we want to block users by IP adress in our application, if they are trying to login as admin and they type in the a wrong password 3 times.

It is very easy to get the IP Adress of the user trying to login. I use this code snippet to get the IP:

ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
HttpServletRequest request = (HttpServletRequest)context.getRequest();
String ip = request.getRemoteAddr();

We are using JBoss 5.1.0 GA and Seam 2.2.1.CR2. As far as I know, there is no way to block IP addresses in Seam. But is it possible to call JBoss functions to block a specific IP?

Please let me know if Seam has some support for this :)

+1  A: 

I dont know nothing for that. But you could create a simple Filter (javax.servlet.Filter) and block requests from a set of IPs. It's really simple.

Plínio Pantaleão  2010-09-16 17:53:16
+1  A: 

If you have an Apache server in front of your Jboss Server then calling request.getRemoteAddr(); will just give you the IP of the Apache server.

Instead use the X-Forwarded-For header

As Plinio says, you can use a filter. If you don't want to do that then you could also use a page action.

Damo  2010-09-20 04:42:21
thanks for the tip with the x-forwarded-for header. Very useful :)
Dominik Obermaier  2010-09-20 11:13:23
+1  A: 

This should be very easy to do.

Assuming you have an application scoped Set with all the ip's you want to block you can use this filter:

@Startup
@Scope(ScopeType.APPLICATION)
@Name("ipFilter")
@BypassInterceptors
@Filter(around ="org.jboss.seam.web.ajax4jsfFilter")
public class IpFilter extends AbstractFilter {

  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
          throws IOException, ServletException {

      if (!(req instanceof HttpServletRequest)) {
          chain.doFilter(req, res);
          return;
      }

      HttpServletRequest request = (HttpServletRequest) req;

      Set<String> ips = (Set<String>)Component.getInstance("blockedIps");
      if(ips.contains(request.getRemoteAddr())) {
        throw new ServletException("Permission denied");
      }

      chain.doFilter(req, res);

    }
}
Shervin  2010-09-21 09:14:02
There is probably a better way of denying access instead of throwing exception. Probably using the response to send error, but for simplicity I just showed throwing exception in the code
Shervin  2010-09-21 09:17:42
Thanks for this great answer, I'll give it a try. :)
Dominik Obermaier  2010-09-22 10:47:10
You're welcome.
Shervin  2010-09-22 11:30:07

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java