IP based security, second try..

IP based security, second try..

Colin Canfield
I posted this a few weeks ago with no response, hopefully it was just overlooked rather than really hard!

I am trying to set up a security method for jetty that will allow requests from certain IPs to go through without requiring authentication, while all others will go through normal basic auth.

So far I have implemented this by subclassing the SecurityHandler and overriding the checkSecurityConstraints method. If the request does not come from my list of IPs, pass the request up.

There are a couple of issues with this:

I'm not sure if there are any unexpected side effects caused by me not calling checkSecurityConstraints in the parent class when the IP matches.


and

This seems inefficient as I'm checking the IP list for every call, rather than only when the security authentication first occurs on session set up.


Is there a better way to implement this?

Thanks, Colin

_______________________________________________
Jetty-support mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-support

Re: IP based security, second try..

Chris Haynes

Basic security checks the id / password on every received call, so you appear to be no less inefficient than that!

Chris Haynes


On Monday, November 12, 2007 at 8:23:44 AM, Colin Canfield wrote:
> I posted this a few weeks ago with no response, hopefully it was
> just overlooked rather than really hard!

> I am trying to set up a security method for jetty that will allow
> requests from certain IPs to go through without requiring
> authentication, while all others will go through normal basic auth.

> So far I have implemented this by subclassing the SecurityHandler
> and overriding the checkSecurityConstraints method. If the request
> does not come from my list of IPs, pass the request up.

> There are a couple of issues with this:

> I'm not sure if there are any unexpected side effects caused by me
> not calling checkSecurityConstraints in the parent class when the IP matches.


> and

> This seems inefficient as I'm checking the IP list for every call,
> rather than only when the security authentication first occurs on session set up.


> Is there a better way to implement this?

> Thanks, Colin
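
An added example, not part of the thread and not Jetty code: one way to keep the per-request IP check discussed above cheap and fail-closed, by parsing the allow-list once and comparing address prefixes on each call. The class name `IpAllowList` and the sample addresses are assumptions; the result would be consulted from the overridden `checkSecurityConstraints` before deciding whether to call the parent.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
// Hypothetical helper (not a Jetty class): CIDR allow-list parsed once at startup.
public final class IpAllowList {
    private final List<byte[]> nets = new ArrayList<>();
    private final List<Integer> prefixBits = new ArrayList<>();

    public IpAllowList(String... cidrs) throws UnknownHostException {
        for (String cidr : cidrs) {
            String[] p = cidr.trim().split("/");
            // Pass IP literals only; a host name here would trigger a DNS lookup.
            byte[] net = InetAddress.getByName(p[0]).getAddress();
            int bits = p.length == 2 ? Integer.parseInt(p[1]) : net.length * 8;
            if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException("bad prefix: " + cidr);
            nets.add(net);
            prefixBits.add(bits);
        }
    }

    // remoteAddr must be the TCP peer address (ServletRequest.getRemoteAddr()), not a
    // client-supplied header. Behind a reverse proxy the peer is the proxy itself.
    public boolean isAllowed(String remoteAddr) {
        // getByName(null) and getByName("") resolve to loopback, so reject them explicitly.
        if (remoteAddr == null || remoteAddr.isEmpty()) return false;
        byte[] addr;
        try {
            addr = InetAddress.getByName(remoteAddr).getAddress();
        } catch (UnknownHostException e) {
            return false; // fail closed: the caller falls through to basic auth
        }
        for (int i = 0; i < nets.size(); i++) {
            byte[] net = nets.get(i);
            if (net.length == addr.length && prefixMatches(net, addr, prefixBits.get(i))) return true;
        }
        return false;
    }

    private static boolean prefixMatches(byte[] a, byte[] b, int bits) {
        int full = bits / 8, rem = bits % 8;
        for (int i = 0; i < full; i++) if (a[i] != b[i]) return false;
        if (rem == 0) return true;
        int mask = (0xFF << (8 - rem)) & 0xFF; // compare only the leading bits of the partial byte
        return (a[full] & mask) == (b[full] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        IpAllowList trusted = new IpAllowList("10.1.2.0/24", "192.0.2.17", "2001:db8::/32"); // constructed samples
        for (String peer : new String[] {"10.1.2.200", "10.1.3.1", "192.0.2.17", "2001:db8::5", ""})
            System.out.println("[" + peer + "] -> " + (trusted.isAllowed(peer) ? "skip auth" : "basic auth"));
    }
}
```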

