Posted to users@wicket.apache.org by Lon Varscsak <lo...@gmail.com> on 2018/04/10 20:49:07 UTC

IP Authentication

I have a need to build some apps (or mount points) to check if the source
is coming from an internal IP and if not, present the user with an
"unauthorized" request.  I know how to check client IP and what not, but
I'm not sure how to generate programmatically a simple WebResponse that is
just some text with a status code.

1) I'm currently using IRequestCycleListener to listen and then hijack the
response.  Not sure if this is the appropriate place.
2) How do you programmatically generate a response without implementing all
the methods of WebResponse?  At the point that the IRequestCycleListener
the response that is in the cycle already has content.  Basically I want to
throw that away and return "Unauthorized"/401.

Any thoughts or suggestions?

Thanks!

Lon

Re: IP Authentication

Posted by Martin Grigorov <mg...@apache.org>.
On Wed, Apr 11, 2018 at 7:53 PM, Lon Varscsak <lo...@gmail.com>
wrote:

> Perfect, this is what I was looking for.  So if I wanted to hijack the
> whole response (for other purposes), I would do the same thing, but with a
> custom request handler?
>

Yes!



Re: IP Authentication

Posted by Lon Varscsak <lo...@gmail.com>.
Perfect, this is what I was looking for.  So if I wanted to hijack the
whole response (for other purposes), I would do the same thing, but with a
custom request handler?


Re: IP Authentication

Posted by Martin Grigorov <mg...@apache.org>.
On Wed, Apr 11, 2018 at 9:26 AM, Maxim Solodovnik <so...@gmail.com>
wrote:

> Martin,
>
> Will
> throw new AbortWithHttpErrorCodeException(410, "Unauthorized");
> also do the job?
>

Probably.
But I remember a ticket saying that throwing (WicketRuntime?!)Exception
doesn't work well in IRequestCycleListener#onBeginRequest



Re: IP Authentication

Posted by Maxim Solodovnik <so...@gmail.com>.
Martin,

Will
throw new AbortWithHttpErrorCodeException(410, "Unauthorized");
also do the job?




-- 
WBR
Maxim aka solomax

Re: IP Authentication

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

On Tue, Apr 10, 2018 at 11:49 PM, Lon Varscsak <lo...@gmail.com>
wrote:

> I have a need to build some apps (or mount points) to check if the source
> is coming from an internal IP and if not, present the user with an
> "unauthorized" request.  I know how to check client IP and what not, but
> I'm not sure how to generate programmatically a simple WebResponse that is
> just some text with a status code.
>
> 1) I'm currently using IRequestCycleListener to listen and then hijack the
> response.  Not sure if this is the appropriate place.
>

This is the Wicket way.
You can also use plain Servlet Filter to do it even before Wicket has a
chance to see the request.


> 2) How do you programmatically generate a response without implementing all
> the methods of WebResponse.  At the point that the IRequestCycleListener
> the response that is in the cycle already has content.  Basically I want to
> throw that away and return "Unauthorized"/401.
>

requestCycle.replaceAllRequestHandlers(new ErrorCodeRequestHandler(401,
"Unauthorized"))


>
> Any thoughts or suggestions?
>
> Thanks!
>
> Lon
>
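
The servlet-filter option mentioned in the reply above, as an added example that is not part of the original thread or of Wicket. The class name InternalOnlyFilter and the choice of loopback plus private ranges as "internal" are assumptions, and it assumes clients connect directly so that getRemoteAddr() is the real client address.

```java
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: only loopback and private-range clients reach the application. */
public class InternalOnlyFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy it is the proxy's
        // address, so the check is only meaningful when clients connect directly.
        if (isInternal(req.getRemoteAddr())) {
            chain.doFilter(req, res);
            return;
        }
        // Fail closed: status code and message only, nothing from the application.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }

    /** True for loopback and site-local (IPv4 10/8, 172.16/12, 192.168/16) addresses. */
    static boolean isInternal(String remoteAddr) {
        // getByName(null) and getByName("") resolve to loopback, so reject them first.
        if (remoteAddr == null || remoteAddr.isEmpty()) {
            return false;
        }
        try {
            // An IP literal, which is what getRemoteAddr() returns, is parsed without DNS.
            InetAddress addr = InetAddress.getByName(remoteAddr);
            return addr.isLoopbackAddress() || addr.isSiteLocalAddress();
        } catch (IOException | RuntimeException e) {
            return false; // unparsable address: treat as external
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Declare the filter in web.xml with its filter-mapping placed before the Wicket filter's mapping so that it runs first. IPv6 unique local addresses (fc00::/7) are not matched by isSiteLocalAddress() and would need an explicit check.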

Re: IP Authentication

Posted by Thomas Rohde <tr...@ordix.de>.
Hi Lon!

What about using the container features for this? If you are using Tomcat you could add a Remote Address Valve (https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Remote_Address_Valve).

Example:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
   allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

The allow attribute needs a regular expression with the IP addresses from your whitelist. In the example only requests from localhost are accepted.

Regards,
Thomas

