2 Replies Latest reply on Jul 10, 2008 11:45 AM by cardel

    Web service security, how to filter client IP address?

    cardel

      I am using basic authentication (username, password) in my web services. So client have to authenticate to endpoint provider. But I would like to know, how to secure my web service endpoint servlet. I would like to allow connection only to clients with specified IP address.

      my web.xml

       <!-- START WS authentication -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>All webservices</web-resource-name>
       <url-pattern>/ws/*</url-pattern>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>wsrole</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>Security Realm</realm-name>
       </login-config>
      
       <security-role>
       <role-name>wsrole</role-name>
       </security-role>
       <!-- END WS authentication -->
      
       <servlet>
       <servlet-name>BareEndpoint</servlet-name>
       <servlet-class>hcp.service.BareEndpointBean</servlet-class>
       </servlet>
      
       <servlet-mapping>
       <servlet-name>BareEndpoint</servlet-name>
       <url-pattern>/ws/bareservice</url-pattern>
       </servlet-mapping>
      


      I would like to use this kind of security to deny access to BareEndpoit servlet and only client(s) with specified IP can read wsdl from /ws/bareservice?wsdl address and call some endpoint actions.

      Thank you for some useful tips.


        • 1. Re: Web service security, how to filter client IP address?
          scruffyminds

          First, you write a class derived from org.jboss.ws.core.jaxws.handler.GenericHandler:

          public class IPConstraintHandler
           extends GenericHandler
          {
           @Override
           protected boolean handleInbound( MessageContext msgContext )
           {
           HttpServletRequest request = (HttpServletRequest)msgContext.get( MessageContext.SERVLET_REQUEST );
           String ip = request.getRemoteAddr();
          
           if ( ipAddressIsOK( ip ))
           return super.handleInbound( msgContext );
          
           return false;
           }
          }
          


          Next, add the following extra annotations to your web service implementation:

          @SecurityDomain( "myDomain" )
          @WebContext( authMethod="BASIC", secureWSDLAccess=true, contextRoot="/myRoot", urlPattern="/myPattern" )
          @HandlerChain( file="jaxws-handlers.xml" )
          public class MyWebServiceImpl
           implements MyWebService
          {
           ....
          }
          


          And finally, you place a file called "jaxws-handlers.xml" (or whatever you used in your @HandlerChain annotation) in the package with your web service implementation class:

          <?xml version='1.0'?>
          <handler-chains
           xmlns="http://java.sun.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee javaee_web_services_1_2.xsd">
          
           <handler-chain>
           <protocol-bindings>##SOAP11_HTTP</protocol-bindings>
           <handler>
           <handler-name>IP Constraint Handler</handler-name>
           <handler-class>my.package.IPConstraintHandler</handler-class>
           </handler>
           </handler-chain>
          
          </handler-chains>
          


          • 2. Re: Web service security, how to filter client IP address?
            cardel

            Yes, thank you.. it works... but not only partial.

            When I have created my own handler for IP restriction. When I invoke some webmethod from client, endpoint is contacted and client handler checks clients IP. Other actions in my code are successful executed but at the end I have this exception. Without handler everything works ok. It seems it will be something with my webservice URL (/ws/bareservice), may be to add some Seam filter? I have only context filter in my components.xml

            <web:context-filter url-pattern="/ws/*"/>
            


            23:53:49,546 ERROR [ContextualHttpServletRequest] ended request due to exception
            java.lang.IllegalStateException: No active event context
             at org.jboss.seam.core.Manager.instance(Manager.java:250)
             at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:55)
             at org.jboss.seam.web.ContextFilter.doFilter(ContextFilter.java:37)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:147)
             at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:256)
             at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:362)
             at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:488)
             at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
             at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
             at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
             at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
             at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
             at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
             at java.lang.Thread.run(Thread.java:595)
            23:53:49,547 ERROR [ExceptionFilter] handling uncaught exception
            javax.servlet.ServletException: java.lang.IllegalStateException: No active event context
             at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:74)
             at org.jboss.seam.web.ContextFilter.doFilter(ContextFilter.java:37)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:147)
             at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:256)
             at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:362)
             at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:488)
             at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
             at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
             at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
             at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
             at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
             at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
             at java.lang.Thread.run(Thread.java:595)
            Caused by: java.lang.IllegalStateException: No active event context
             at org.jboss.seam.core.Manager.instance(Manager.java:250)
             at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:55)
             ... 36 more
            23:53:49,548 ERROR [ExceptionFilter] exception root cause
            java.lang.IllegalStateException: No active event context
             at org.jboss.seam.core.Manager.instance(Manager.java:250)
             at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:55)
             at org.jboss.seam.web.ContextFilter.doFilter(ContextFilter.java:37)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:147)
             at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:256)
             at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:362)
             at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:488)
             at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
             at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
             at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
             at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
             at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
             at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
             at java.lang.Thread.run(Thread.java:595)
            23:53:49,677 ERROR [[BareEndpoint]] Servlet.service() for servlet BareEndpoint threw exception
            java.lang.IllegalArgumentException: no file extension in servlet path: /ws/bareservice
             at org.jboss.seam.mock.MockViewHandler.getActionURL(MockViewHandler.java:44)
             at org.jboss.seam.jsf.SeamViewHandler.getActionURL(SeamViewHandler.java:74)
             at org.jboss.seam.faces.FacesManager.redirect(FacesManager.java:154)
             at org.jboss.seam.faces.Navigator.redirect(Navigator.java:46)
             at org.jboss.seam.exception.RedirectHandler.handle(RedirectHandler.java:51)
             at org.jboss.seam.exception.Exceptions.handle(Exceptions.java:75)
             at org.jboss.seam.web.ExceptionFilter.endWebRequestAfterException(ExceptionFilter.java:114)
             at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:70)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:147)
             at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:256)
             at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:362)
             at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:488)
             at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
             at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
             at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
             at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
             at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
             at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
             at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
             at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
             at java.lang.Thread.run(Thread.java:595)