You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@wicket.apache.org by Lon Varscsak <lo...@gmail.com> on 2018/04/10 20:49:07 UTC
IP Authentication
I have a need to build some apps (or mount points) to check if the source
is coming from an internal IP and if not, present the user with an
"unauthorized" request. I know how to check client IP and what not, but
I'm not sure how to generate programmatically a simple WebResponse that is
just some text with a status code.
1) I'm currently using IRequestCycleListener to listen and then hijack the
response. Not sure if this is the appropriate place.
2) How do you programmatically generate a response without implementing all
the methods of WebResponse. At the point that the IRequestCycleListener
the response that is in the cycle already has content. Basically I want to
throw that away and return "Unauthorized"/401.
Any thoughts or suggestions?
Thanks!
Lon
Re: IP Authentication
Posted by Martin Grigorov <mg...@apache.org>.
On Wed, Apr 11, 2018 at 7:53 PM, Lon Varscsak <lo...@gmail.com>
wrote:
> Perfect, this is what I was looking for. So if I wanted to hijack the
> whole response (for other purposes), I would do the same thing, but with a
> custom request handler?
>
Yes!
>
> On Tue, Apr 10, 2018 at 11:24 PM, Martin Grigorov <mg...@apache.org>
> wrote:
>
> > Hi,
> >
> > On Tue, Apr 10, 2018 at 11:49 PM, Lon Varscsak <lo...@gmail.com>
> > wrote:
> >
> > > I have a need to build some apps (or mount points) to check if the
> source
> > > is coming from an internal IP and if not, present the user with an
> > > "unauthorized" request. I know how to check client IP and what not,
> but
> > > I'm not sure how to generate programmatically a simple WebResponse that
> > is
> > > just some text with a status code.
> > >
> > > 1) I'm currently using IRequestCycleListener to listen and then hijack
> > the
> > > response. Not sure if this is the appropriate place.
> > >
> >
> > This is the Wicket way.
> > You can also use plain Servlet Filter to do it even before Wicket has a
> > chance to see the request.
> >
> >
> > > 2) How do you programmatically generate a response without implementing
> > all
> > > the methods of WebResponse. At the point that the
> IRequestCycleListener
> > > the response that is in the cycle already has content. Basically I
> want
> > to
> > > throw that away and return "Unauthorized"/401.
> > >
> >
> > requestCycle.replaceAllRequestHandlers(new ErrorCodeRequestHandler(401,
> > "Unauthorized"))
> >
> >
> > >
> > > Any thoughts or suggestions?
> > >
> > > Thanks!
> > >
> > > Lon
> > >
> >
>
Re: IP Authentication
Posted by Lon Varscsak <lo...@gmail.com>.
Perfect, this is what I was looking for. So if I wanted to hijack the
whole response (for other purposes), I would do the same thing, but with a
custom request handler?
On Tue, Apr 10, 2018 at 11:24 PM, Martin Grigorov <mg...@apache.org>
wrote:
> Hi,
>
> On Tue, Apr 10, 2018 at 11:49 PM, Lon Varscsak <lo...@gmail.com>
> wrote:
>
> > I have a need to build some apps (or mount points) to check if the source
> > is coming from an internal IP and if not, present the user with an
> > "unauthorized" request. I know how to check client IP and what not, but
> > I'm not sure how to generate programmatically a simple WebResponse that
> is
> > just some text with a status code.
> >
> > 1) I'm currently using IRequestCycleListener to listen and then hijack
> the
> > response. Not sure if this is the appropriate place.
> >
>
> This is the Wicket way.
> You can also use plain Servlet Filter to do it even before Wicket has a
> chance to see the request.
>
>
> > 2) How do you programmatically generate a response without implementing
> all
> > the methods of WebResponse. At the point that the IRequestCycleListener
> > the response that is in the cycle already has content. Basically I want
> to
> > throw that away and return "Unauthorized"/401.
> >
>
> requestCycle.replaceAllRequestHandlers(new ErrorCodeRequestHandler(401,
> "Unauthorized"))
>
>
> >
> > Any thoughts or suggestions?
> >
> > Thanks!
> >
> > Lon
> >
>
Re: IP Authentication
Posted by Martin Grigorov <mg...@apache.org>.
On Wed, Apr 11, 2018 at 9:26 AM, Maxim Solodovnik <so...@gmail.com>
wrote:
> Martin,
>
> Will
> throw new AbortWithHttpErrorCodeException(410, "Unauthorized");
> also do the job?
>
Probably.
But I remember a ticket saying that throwing (WicketRuntime?!)Exception
doesn't work well in IRequestCycleListener#onBeginRequest
>
> On Wed, Apr 11, 2018 at 1:24 PM, Martin Grigorov <mg...@apache.org>
> wrote:
>
> > Hi,
> >
> > On Tue, Apr 10, 2018 at 11:49 PM, Lon Varscsak <lo...@gmail.com>
> > wrote:
> >
> > > I have a need to build some apps (or mount points) to check if the
> source
> > > is coming from an internal IP and if not, present the user with an
> > > "unauthorized" request. I know how to check client IP and what not,
> but
> > > I'm not sure how to generate programmatically a simple WebResponse that
> > is
> > > just some text with a status code.
> > >
> > > 1) I'm currently using IRequestCycleListener to listen and then hijack
> > the
> > > response. Not sure if this is the appropriate place.
> > >
> >
> > This is the Wicket way.
> > You can also use plain Servlet Filter to do it even before Wicket has a
> > chance to see the request.
> >
> >
> > > 2) How do you programmatically generate a response without implementing
> > all
> > > the methods of WebResponse. At the point that the
> IRequestCycleListener
> > > the response that is in the cycle already has content. Basically I
> want
> > to
> > > throw that away and return "Unauthorized"/401.
> > >
> >
> > requestCycle.replaceAllRequestHandlers(new ErrorCodeRequestHandler(401,
> > "Unauthorized"))
> >
> >
> > >
> > > Any thoughts or suggestions?
> > >
> > > Thanks!
> > >
> > > Lon
> > >
> >
>
>
>
> --
> WBR
> Maxim aka solomax
>
Re: IP Authentication
Posted by Maxim Solodovnik <so...@gmail.com>.
Martin,
Will
throw new AbortWithHttpErrorCodeException(410, "Unauthorized");
also do the job?
On Wed, Apr 11, 2018 at 1:24 PM, Martin Grigorov <mg...@apache.org>
wrote:
> Hi,
>
> On Tue, Apr 10, 2018 at 11:49 PM, Lon Varscsak <lo...@gmail.com>
> wrote:
>
> > I have a need to build some apps (or mount points) to check if the source
> > is coming from an internal IP and if not, present the user with an
> > "unauthorized" request. I know how to check client IP and what not, but
> > I'm not sure how to generate programmatically a simple WebResponse that
> is
> > just some text with a status code.
> >
> > 1) I'm currently using IRequestCycleListener to listen and then hijack
> the
> > response. Not sure if this is the appropriate place.
> >
>
> This is the Wicket way.
> You can also use plain Servlet Filter to do it even before Wicket has a
> chance to see the request.
>
>
> > 2) How do you programmatically generate a response without implementing
> all
> > the methods of WebResponse. At the point that the IRequestCycleListener
> > the response that is in the cycle already has content. Basically I want
> to
> > throw that away and return "Unauthorized"/401.
> >
>
> requestCycle.replaceAllRequestHandlers(new ErrorCodeRequestHandler(401,
> "Unauthorized"))
>
>
> >
> > Any thoughts or suggestions?
> >
> > Thanks!
> >
> > Lon
> >
>
--
WBR
Maxim aka solomax
Re: IP Authentication
Posted by Martin Grigorov <mg...@apache.org>.
Hi,
On Tue, Apr 10, 2018 at 11:49 PM, Lon Varscsak <lo...@gmail.com>
wrote:
> I have a need to build some apps (or mount points) to check if the source
> is coming from an internal IP and if not, present the user with an
> "unauthorized" request. I know how to check client IP and what not, but
> I'm not sure how to generate programmatically a simple WebResponse that is
> just some text with a status code.
>
> 1) I'm currently using IRequestCycleListener to listen and then hijack the
> response. Not sure if this is the appropriate place.
>
This is the Wicket way.
You can also use plain Servlet Filter to do it even before Wicket has a
chance to see the request.
> 2) How do you programmatically generate a response without implementing all
> the methods of WebResponse. At the point that the IRequestCycleListener
> the response that is in the cycle already has content. Basically I want to
> throw that away and return "Unauthorized"/401.
>
requestCycle.replaceAllRequestHandlers(new ErrorCodeRequestHandler(401,
"Unauthorized"))
>
> Any thoughts or suggestions?
>
> Thanks!
>
> Lon
>
AW: IP Authentication
Posted by Thomas Rohde <tr...@ordix.de>.
Hi Lon!
What about using the container features for this? If you are using Tomcat you could add a RemoteAdressValve (https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Remote_Address_Valve).
Example:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
The allow attribute needs a regular expression with the ip adresses from your whitelist. In the example only requests from localhost are accepted.
Regards,
Thomas
-----Ursprüngliche Nachricht-----
Von: Lon Varscsak [mailto:lon.varscsak@gmail.com]
Gesendet: Dienstag, 10. April 2018 22:49
An: users@wicket.apache.org
Betreff: IP Authentication
I have a need to build some apps (or mount points) to check if the source is coming from an internal IP and if not, present the user with an "unauthorized" request. I know how to check client IP and what not, but I'm not sure how to generate programmatically a simple WebResponse that is just some text with a status code.
1) I'm currently using IRequestCycleListener to listen and then hijack the response. Not sure if this is the appropriate place.
2) How do you programmatically generate a response without implementing all the methods of WebResponse. At the point that the IRequestCycleListener the response that is in the cycle already has content. Basically I want to throw that away and return "Unauthorized"/401.
Any thoughts or suggestions?
Thanks!
Lon
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org