You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@wicket.apache.org by John <mu...@gmail.com> on 2008/10/17 13:25:39 UTC

IP address range locking

hi, i am implementing IP address range locking for my application as i
have a number of offices that need to access the application and
everyone else needs to be kept out.

i am using WicketAuthRoles and have placed the code into my login
page... before attempting authentication i match the client's IP
against a number of defined ranges that i deem safe so can throw
incorrect connections out with an error("message here") and it will
redisplay the login page with the message in the FeedbackPanel.

i am thinking however that this is not really correct... really the IP
range locking should be more of a system thing rather than a component
thing.  i want my users to be able to stay logged in so have a cookie
holding auth info but this means they will bypass the login screen if
they take their laptops to a different network which is not good.

it sounds like i need to put the code into the Session or something
but that would mean i could never throw a message back to the user to
say what the problem is as the "error" page would have to come from
me.  i guess i could have a single JSP page holding the error message
and throw the user out of the Wicket application into this page but
i'd prefer to keep everything inside my Wicket application if at all
possible...

does anyone have any ideas on how best to handle this?

John

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org

Re: IP address range locking

Posted by John <mu...@gmail.com>.

hi, yes that makes a lot of sense. unfortunately i have to implement
it in the application in this instance.  i need to alter the ranges at
runtime with as little complexity as possible... anything that acts
outside the application makes everything more complicated than i can
handle right now...  also it would be nice to be able to set different
IP ranges for different users in the end so i can allow certain people
to log in from their home network.

because of this, i guess this must be in the auth stage somewhere.
maybe the login page is the best place for it primarily but i need to
find some way to intercept the cookie check as well?  what do you
think?

John



On Fri, Oct 17, 2008 at 12:56 PM, Martijn Dashorst
<ma...@gmail.com> wrote:
> you should do this on httpd server level or even firewall level.
>
> In our app we restrict access to specific private pages to just our
> corporate IP using mod_jk with <locationMatch ...> rules.
>
> Martijn
>
> On Fri, Oct 17, 2008 at 1:25 PM, John <mu...@gmail.com> wrote:
>> hi, i am implementing IP address range locking for my application as i
>> have a number of offices that need to access the application and
>> everyone else needs to be kept out.
>>
>> i am using WicketAuthRoles and have placed the code into my login
>> page... before attempting authentication i match the client's IP
>> against a number of defined ranges that i deem safe so can throw
>> incorrect connections out with an error("message here") and it will
>> redisplay the login page with the message in the FeedbackPanel.
>>
>> i am thinking however that this is not really correct... really the IP
>> range locking should be more of a system thing rather than a component
>> thing.  i want my users to be able to stay logged in so have a cookie
>> holding auth info but this means they will bypass the login screen if
>> they take their laptops to a different network which is not good.
>>
>> it sounds like i need to put the code into the Session or something
>> but that would mean i could never throw a message back to the user to
>> say what the problem is as the "error" page would have to come from
>> me.  i guess i could have a single JSP page holding the error message
>> and throw the user out of the Wicket application into this page but
>> i'd prefer to keep everything inside my Wicket application if at all
>> possible...
>>
>> does anyone have any ideas on how best to handle this?
>>
>> John
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>> For additional commands, e-mail: users-help@wicket.apache.org
>>
>>
>
>
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
> Apache Wicket 1.3.4 is released
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org

Re: IP address range locking

Posted by Martijn Dashorst <ma...@gmail.com>.

you should do this on httpd server level or even firewall level.

In our app we restrict access to specific private pages to just our
corporate IP using mod_jk with <locationMatch ...> rules.

Martijn

On Fri, Oct 17, 2008 at 1:25 PM, John <mu...@gmail.com> wrote:
> hi, i am implementing IP address range locking for my application as i
> have a number of offices that need to access the application and
> everyone else needs to be kept out.
>
> i am using WicketAuthRoles and have placed the code into my login
> page... before attempting authentication i match the client's IP
> against a number of defined ranges that i deem safe so can throw
> incorrect connections out with an error("message here") and it will
> redisplay the login page with the message in the FeedbackPanel.
>
> i am thinking however that this is not really correct... really the IP
> range locking should be more of a system thing rather than a component
> thing.  i want my users to be able to stay logged in so have a cookie
> holding auth info but this means they will bypass the login screen if
> they take their laptops to a different network which is not good.
>
> it sounds like i need to put the code into the Session or something
> but that would mean i could never throw a message back to the user to
> say what the problem is as the "error" page would have to come from
> me.  i guess i could have a single JSP page holding the error message
> and throw the user out of the Wicket application into this page but
> i'd prefer to keep everything inside my Wicket application if at all
> possible...
>
> does anyone have any ideas on how best to handle this?
>
> John
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com
Apache Wicket 1.3.4 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org