Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2017/12/09 19:41:58 UTC

Get IP address in Realm

All,

I've been doing some work over the past few years to make it possible
for me to abandon securityfilter[1], a project that allows
applications to do some things that, historically, haven't been
possible with container-managed security.

Specifically, that project was started to allow drive-by logins but,
with servlet-3.0 adding
HttpServletRequest.authenticate(HttpServletResponse), it is no longer
necessary to have a 3rd-party component to provide that feature.

sf also allowed custom realms to be built more conveniently, and
recent changes to Tomcat have added CredentialHandlers which simplify
the pluggability of different credential-handling algorithms (and
bundle access to some better algorithms in the distribution, such as
PBKDF2).

The last missing piece is being able to get the user's IP address for
both successful and unsuccessful logins. I don't believe Tomcat
provides any way to do that with a standard Realm. I believe it can be
done using JASPIC, but ... it seems like there is a lot of complexity
in there.

Are there any techniques others are using to get user-IP during login?
I'm not particularly interested in using another 3rd-party
authentication library (e.g. Spring-security) -- I'm looking for
something out-of-the-box or maybe a little custom code that I could
add to my application or server.

If there is any appetite for such a thing in Tomcat, I'd be happy to
propose a change to bring e.g. an AuthenticationListener interface
which could listen for events of this type and include information
such as username, IP address, and possibly other useful information.

Thanks,
-chris

[1] http://securityfilter.sourceforge.net/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Get IP address in Realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 12/10/17 3:11 PM, Mark Thomas wrote:
> On 09/12/17 19:41, Christopher Schultz wrote:
> 
> <snip/>
> 
>> If there is any appetite for such a thing in Tomcat, I'd be happy
>> to propose a change to bring e.g. an AuthenticationListener
>> interface which could listen for events of this type and include
>> information such as username, IP address, and possibly other
>> useful information.
> 
> I think this is a specific case of this more general request:
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

+1

> Now is a good time to implement that, before 9.0.x becomes final
> and the API is (mostly) fixed.
> 
> There are a couple of different ways of doing this, depending on
> how backwards compatible we want to be. I'm currently leaning
> towards:
> 
> - add new methods to Realm (duplicate existing authentication
> methods and add HttpServlet)
> 
> - implement the new methods in RealmBase that simply defaulted to 
> calling the old methods minus the HttpServlet

Securityfilter basically provided an interface that included the
HttpServletRequest, and if the "Realm" implemented that interface, the
more-specific method was called instead of e.g.
authenticate(String,String).

I'm not sure which is faster: an "instanceof" check or a dispatch to a
method which re-dispatches to another method. I'd guess they are
roughly equivalent and the performance difference doesn't matter much.
It's much more of an architectural decision.

I have to say that I'm not super-happy with using HttpServletRequest
for that purpose (because it then ties Tomcat Realms to HTTP) but,
honestly, when are these realms going to be used outside the context
of Tomcat, where HTTP is the primary protocol to be serviced?

> Then custom Realms could extend RealmBase, override those methods
> and gain access to the additional info.
> 
> It isn't the only option. Is there a
> 
> It is TBD if we deprecate the old methods. Maybe deprecate in 9.0.x
> with a view to dropping in 10.0.x

I see no need to deprecate the old methods, especially if we provide a
default implementation that merely passes through to the old
authenticate() method(s).

As for custom Realms, I'm more interested in obtaining the IP address
of the user attempting to authenticate *without* having to implement
my own custom realm. This was the whole point of the CredentialHandler
interface: to allow users to implement the smallest part of the
process in a custom way. I'd like to do the same for IP-address
handling... there's no particular reason why a user should have to
subclass + re-implement a bunch of (admittedly, mostly delegate)
methods just to record failed logins from a particular IP address.

What do you think about a Listener interface for login success/failure?

-chris


Re: Get IP address in Realm

Posted by Mark Thomas <ma...@apache.org>.
On 09/12/17 19:41, Christopher Schultz wrote:

<snip/>

> If there is any appetite for such a thing in Tomcat, I'd be happy to
> propose a change to bring e.g. an AuthenticationListener interface
> which could listen for events of this type and include information
> such as username, IP address, and possibly other useful information.

I think this is a specific case of this more general request:

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

Now is a good time to implement that, before 9.0.x becomes final and the
API is (mostly) fixed.

There are a couple of different ways of doing this, depending on how
backwards compatible we want to be. I'm currently leaning towards:

- add new methods to Realm (duplicate existing authentication methods
  and add HttpServlet)

- implement the new methods in RealmBase that simply defaulted to
  calling the old methods minus the HttpServlet

Then custom Realms could extend RealmBase, override those methods and
gain access to the additional info.

It isn't the only option. Is there a

It is TBD if we deprecate the old methods. Maybe deprecate in 9.0.x with
a view to dropping in 10.0.x

Mark

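Added illustration (not a patch from this thread, and not Tomcat code): a self-contained Java sketch of the two ideas discussed above, Mark's request-aware Realm overload that defaults to the legacy method in a RealmBase-style class, and Chris's listener for login success/failure that reports the client address without a custom Realm. The names SketchRealm, SketchRealmBase, AuthenticationListener, MapRealm and FailureCounter, the user table and the 203.0.113.10 address are all made up for the example; the only real type is javax.servlet.http.HttpServletRequest, so the servlet API jar must be on the classpath to compile it.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

public class RealmIpSketch {

    /** Hypothetical listener contract for login outcomes (assumed name, not a Tomcat API). */
    interface AuthenticationListener {
        void loginSucceeded(String username, String remoteAddr);
        void loginFailed(String username, String remoteAddr);
    }

    /** Simplified stand-in for the Realm contract: the old signature plus the proposed overload. */
    interface SketchRealm {
        Principal authenticate(String username, String credentials);
        Principal authenticate(HttpServletRequest request, String username, String credentials);
    }

    /** Minimal Principal so the sketch needs no container classes. */
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * Stand-in for RealmBase. The request-aware overload defaults to the legacy method,
     * so a subclass that only overrides authenticate(String, String) keeps working, and
     * the listener hook fires here so nobody has to subclass just to see the address.
     */
    static abstract class SketchRealmBase implements SketchRealm {
        private final List<AuthenticationListener> listeners = new ArrayList<>();

        void addAuthenticationListener(AuthenticationListener listener) { listeners.add(listener); }

        @Override
        public Principal authenticate(HttpServletRequest request, String username, String credentials) {
            Principal p = authenticate(username, credentials);   // legacy path, request dropped
            // Behind a reverse proxy this is the proxy's address unless RemoteIpValve (or similar) rewrites it.
            String addr = (request == null) ? "unknown" : request.getRemoteAddr();
            for (AuthenticationListener l : listeners) {
                if (p != null) { l.loginSucceeded(username, addr); } else { l.loginFailed(username, addr); }
            }
            return p;
        }
    }

    /** Toy realm with a constructed in-memory user table; only the legacy method is implemented. */
    static final class MapRealm extends SketchRealmBase {
        private final Map<String, String> users = new HashMap<>();
        MapRealm() { users.put("alice", "correct-horse"); }   // constructed sample credential
        @Override
        public Principal authenticate(String username, String credentials) {
            String expected = users.get(username);
            return (expected != null && expected.equals(credentials)) ? new SimplePrincipal(username) : null;
        }
    }

    /** Listener that tallies failed logins per source address (the audit signal Chris asked for). */
    static final class FailureCounter implements AuthenticationListener {
        final Map<String, Integer> failuresByAddr = new HashMap<>();
        @Override public void loginSucceeded(String username, String remoteAddr) {
            System.out.println("login ok   user=" + username + " addr=" + remoteAddr);
        }
        @Override public void loginFailed(String username, String remoteAddr) {
            failuresByAddr.merge(remoteAddr, 1, Integer::sum);
            System.out.println("login FAIL user=" + username + " addr=" + remoteAddr
                    + " failures_from_addr=" + failuresByAddr.get(remoteAddr));
        }
    }

    /** Builds a fake HttpServletRequest that only answers getRemoteAddr (constructed test double). */
    static HttpServletRequest fakeRequest(String remoteAddr) {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, args) -> "getRemoteAddr".equals(method.getName()) ? remoteAddr : null);
    }

    public static void main(String[] args) {
        MapRealm realm = new MapRealm();
        FailureCounter counter = new FailureCounter();
        realm.addAuthenticationListener(counter);

        HttpServletRequest req = fakeRequest("203.0.113.10");   // constructed documentation-range address
        realm.authenticate(req, "alice", "wrong");
        realm.authenticate(req, "alice", "wrong");
        realm.authenticate(req, "alice", "correct-horse");
    }
}
```

Two points worth noting for anyone wiring something like this into a real deployment: the listener sees whatever getRemoteAddr() returns, so if Tomcat sits behind a load balancer or reverse proxy the recorded address is the proxy's unless RemoteIpValve (or an equivalent trusted-proxy mechanism) is configured; and counting failures per address in memory is only useful for detection and logging, not as a lockout on its own, since a shared NAT address would lock out every user behind it.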