Configuring jetty: restricting service from certain IP addresses

Steve Sobol

How can I restrict access to Jetty from certain IP addresses (or allow
only from specific subnet)?

I haven't done this. You may want to ask on the Jetty-support mailing list
as I'm not sure exactly how to do it.

Another issue I have is how to enable Jetty to work as http server?

http://docs.codehaus.org/display/JETTY/Newbie+Guide+to+Jetty

The jetty XML config files are pretty cool. Each chunk of XML represents a
call to a Jetty API function. The way they set it up is quite slick. :)

Subscribe to the mailing list, it's a good resource. I'd offer more help
but I'm at work right now and don't have a ton of time... if I can, I'll post
more on the subject later.
 
Mika

How can I restrict access to Jetty from certain IP addresses (or allow
only from specific subnet)?

Another issue I have is how to enable Jetty to work as http server?

Thanks,
Mika
 
nebulous99

How can I restrict access to Jetty from certain IP addresses (or allow
only from specific subnet)?

Another issue I have is how to enable Jetty to work as http server?

First, ask yourself why you want to selectively refuse service to
people. If it's spambots posting linkspam to dynamic pages, consider a
captcha rather than anything more drastic such as IP-level blackholing
of people; spambots are usually running on zombie PCs with a
legitimate user and on a dynamic IP shared with a whole ISP full of
other legitimate users.

If you decide to go ahead with it, the firewall is probably the best
place to do this rather than at the protocol layer.
 
Mika

I think the reason is obvious. My server (running Jetty) is offering
different services for different groups of people. Some services need
to be restricted to, say, institutional subnets or similar. And for
this, the firewall is definitely not a good solution.

-Mika
 
nebulous99

I think the reason is obvious. My server (running Jetty) is offering
different services for different groups of people. Some services need
to be restricted to, say, institutional subnets or similar. And for
this, the firewall is definitely not a good solution.

For this, a suitable user login and authentication mechanism is a good
solution. I assume this is for your LAN or a VPN-tunnel-based WAN, in
which case, stick it behind the corporate firewall and use password-
based authentication. What if an authorized person wants to access
this service from other than his usual location for whatever reason --
or an unauthorized person gets physical access to one of the machines
you'd be whitelisting?

Also ask what the purpose of the access restrictions is. If it's for
crass commercial reasons then I won't be very sympathetic, although if
it's to keep confidential information confidential, like patient
records or financial data or credit-card numbers or what-have-you,
then it's another story. It may be the case that the restrictions are
gratuitous or unnecessary to carrying out your primary purpose and
will just inconvenience or cost people needlessly (e.g. if it costs
very little in resources per access and organization-wide access would
do no harm and might benefit some people, but it's going to be
restricted to a subset of the organization, or people will have to pay
for access). If the restrictions are absolutely necessary,
particularly for security of confidential data or trade secrets or
something, though, figure out who needs access and set up a system
with user or group accounts and passwords.
 
nebulous99

Yes, it does.

In that case, .htaccess (GIYF) can do the IP-based blocking you
originally requested. Still, consider the possible costs versus
benefits of either a) loosened or no restrictions (within your
corporate LAN or whatever other private network) and/or b) access
control by username/password accounts, i.e. by person rather than by
chunk of hardware.
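
The per-service subnet restriction asked about in this thread can also be done inside Jetty itself. The following is an added example, not code from any poster in the thread or from the Jetty project; it assumes Jetty 9.4 (`InetAccessHandler`, `javax.servlet`), and the port, context paths and address ranges are constructed placeholders.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.InetAccessHandler;

public class SubnetRestrictedServer {

    // Minimal handler that answers every request with a fixed line of text.
    static Handler text(final String body) {
        return new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                response.setContentType("text/plain");
                response.getWriter().println(body);
                baseRequest.setHandled(true);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Allow-list for the restricted service. Once any include is set,
        // every address outside the includes is answered with 403.
        InetAccessHandler access = new InetAccessHandler();
        access.include("192.0.2.0/24"); // constructed "institutional" subnet (TEST-NET-1)
        access.include("127.0.0.1");    // local administration
        access.exclude("192.0.2.66");   // an exclude wins over a matching include
        access.setHandler(text("internal service"));

        // Only /internal sits behind the allow-list; /public is open to everyone.
        ContextHandler internal = new ContextHandler("/internal");
        internal.setHandler(access);
        ContextHandler open = new ContextHandler("/public");
        open.setHandler(text("public service"));

        ContextHandlerCollection contexts = new ContextHandlerCollection();
        contexts.setHandlers(new Handler[] {internal, open});

        Server server = new Server(8080); // constructed port
        server.setHandler(contexts);
        server.start();
        server.join();
    }
}
```

`InetAccessHandler` matches the address of the TCP peer, so behind a reverse proxy or load balancer every request appears to come from the proxy and the allow-list has to be enforced there instead. It restricts by network location only and does not replace the per-user authentication recommended above.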
 
Joshua Cranmer

If it's spambots posting linkspam to dynamic pages, consider a
captcha rather than anything more drastic [ ... ]

Perhaps you missed the W3C note on CAPTCHAs:
http://www.w3.org/TR/turingtest/ ?

Or maybe the fact that the only CAPTCHAs really capable of preventing
spambots have < 70% success rates on humans?
 
nebulous99

If it's spambots posting linkspam to dynamic pages, consider a
captcha rather than anything more drastic [ ... ]

Perhaps you missed the W3C note...[snip remainder of gratuitously-snarky response]

My, my, with this newsgroup's regulars the fun and sarcasm never
stops!

I never said anything about using bitmapped image based captchas.
There are other kinds, such as verbal math problem captchas, that
avoid the accessibility problems. Also there's the target-audience
factor. If the page is meant to be used by, say, a bunch of US Marines
sharpshooters, or fighter pilots, I doubt they'll have problems with
bitmap captchas. :)
 
