Configuring jetty: restricting service from certain IP addresses

Mika - 26 Sep 2007 19:44 GMT
How can I restrict access to Jetty from certain IP addresses (or allow
only from specific subnet)?

Another issue I have is how to enable Jetty to work as http server?

Thanks,
Mika
Steve Sobol - 26 Sep 2007 19:34 GMT
> How can I restrict access to Jetty from certain IP addresses (or allow
> only from specific subnet)?

I haven't done this. You may want to ask on the Jetty-support mailing list
as I'm not sure exactly how to do it.

> Another issue I have is how to enable Jetty to work as http server?

http://docs.codehaus.org/display/JETTY/Newbie+Guide+to+Jetty

The Jetty XML config files are pretty cool. Each chunk of XML represents a
call to a Jetty API function. The way they set it up is quite slick. :)

Subscribe to the mailing list, it's a good resource. I'd offer more help
but I'm at work right now and don't have a ton of time... if I can, I'll post
more on the subject later.

Signature

Steve Sobol, Victorville, California     PGP:0xE3AE35ED
"Drench yourself in words unspoken / Live your life with arms wide open
Today is where your book begins / The rest is still unwritten"
    - Natasha Beddingfield

nebulous99@gmail.com - 28 Sep 2007 04:02 GMT
> How can I restrict access to Jetty from certain IP addresses (or allow
> only from specific subnet)?
>
> Another issue I have is how to enable Jetty to work as http server?

First, ask yourself why you want to selectively refuse service to
people. If it's spambots posting linkspam to dynamic pages, consider a
captcha rather than anything more drastic such as IP-level blackholing
of people; spambots are usually running on zombie PCs with a
legitimate user and on a dynamic IP shared with a whole ISP full of
other legitimate users.

If you decide to go ahead with it, the firewall is probably the best
place to do this rather than at the protocol layer.
Mika - 28 Sep 2007 07:15 GMT
I think the reason is obvious. My server (running Jetty) is offering
different services for different groups of people. Some services need
to be restricted to, say, institutional subnets or similar. And for
this, the firewall is definitely not a good solution.

-Mika

> > How can I restrict access to Jetty from certain IP addresses (or allow
> > only from specific subnet)?
[quoted text clipped - 10 lines]
> If you decide to go ahead with it, the firewall is probably the best
> place to do this rather than at the protocol layer.
Lew - 28 Sep 2007 07:31 GMT
(Top-posting corrected.  You're welcome.)

>>> How can I restrict access to Jetty from certain IP addresses (or allow
>>> only from specific subnet)?
>>> Another issue I have is how to enable Jetty to work as http server?
...
>> ... My server (running Jetty) is offering
>> different services for different groups of people. Some services need
>> to be restricted to, say, institutional subnets or similar. And for
>> this, the firewall is definitely not a good solution.

Does Jetty let you use, say, Apache HTTP Server in front of it, as Tomcat does
(typically via the AJP connector)?

Apache HTTP Server has directives for that sort of thing.
<http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow>
<http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny>

Signature

Lew

Steve Sobol - 28 Sep 2007 07:46 GMT
> Does Jetty let you use, say, Apache HTTP Server in front of it, as Tomcat does

Yes, it does.

Signature

Steve Sobol, Victorville, California     PGP:0xE3AE35ED
"Drench yourself in words unspoken / Live your life with arms wide open
Today is where your book begins / The rest is still unwritten"
    - Natasha Beddingfield

nebulous99@gmail.com - 28 Sep 2007 08:20 GMT
> > Does Jetty let you use, say, Apache HTTP Server in front of it, as Tomcat does
>
> Yes, it does.

In that case, .htaccess (GIYF) can do the IP-based blocking you
originally requested. Still, consider the possible costs versus
benefits of either a) loosened or no restrictions (within your
corporate LAN or whatever other private network) and/or b) access
control by username/password accounts, i.e. by person rather than by
chunk of hardware.
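
The front-end arrangement discussed in the posts above, as an added example that is not part of the original thread: Apache HTTP Server 2.2 reverse-proxies to Jetty and applies the mod_authz_host Allow/Deny directives per service. The Jetty address 127.0.0.1:8080, the context paths /public/ and /internal/, and the subnet 192.0.2.0/24 are assumptions chosen for illustration; the rule sits in a `<Location>` block in the server configuration because proxied URLs do not map to a filesystem directory where an .htaccess file would be read.

```apache
# Added example, Apache HTTP Server 2.2 syntax
# (requires mod_proxy, mod_proxy_http and mod_authz_host).
# Assumed: Jetty listens on 127.0.0.1:8080; /public/ and /internal/ are
# hypothetical context paths; 192.0.2.0/24 stands in for the allowed subnet.

# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off

# Service open to everyone.
ProxyPass        /public/   http://127.0.0.1:8080/public/
ProxyPassReverse /public/   http://127.0.0.1:8080/public/

# Service restricted to one subnet.
ProxyPass        /internal/ http://127.0.0.1:8080/internal/
ProxyPassReverse /internal/ http://127.0.0.1:8080/internal/

<Location /internal/>
    # Deny rules are evaluated first, then Allow rules override them,
    # so only clients in the listed subnet get through.
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
</Location>
```

The restriction only holds if Jetty itself is unreachable from outside, so bind its connector to the loopback address or block its port at the host firewall. Behind the proxy, Jetty sees every request as coming from 127.0.0.1, so any per-client decision has to be made in Apache.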
nebulous99@gmail.com - 28 Sep 2007 08:17 GMT
> I think the reason is obvious. My server (running Jetty) is offering
> different services for different groups of people. Some services need
> to be restricted to, say, institutional subnets or similar. And for
> this, the firewall is definitely not a good solution.

For this, a suitable user login and authentication mechanism is a good
solution. I assume this is for your LAN or a VPN-tunnel-based WAN, in
which case, stick it behind the corporate firewall and use password-
based authentication. What if an authorized person wants to access
this service from other than his usual location for whatever reason --
or an unauthorized person gets physical access to one of the machines
you'd be whitelisting?

Also ask what the purpose of the access restrictions is. If it's for
crass commercial reasons then I won't be very sympathetic, although if
it's to keep confidential information confidential, like patient
records or financial data or credit-card numbers or what-have-you,
then it's another story. It may be the case that the restrictions are
gratuitous or unnecessary to carrying out your primary purpose and
will just inconvenience or cost people needlessly (e.g. if it costs
very little in resources per access and organization-wide access would
do no harm and might benefit some people, but it's going to be
restricted to a subset of the organization, or people will have to pay
for access). If the restrictions are absolutely necessary,
particularly for security of confidential data or trade secrets or
something, though, figure out who needs access and set up a system
with user or group accounts and passwords.
Joshua Cranmer - 28 Sep 2007 22:07 GMT
> If it's spambots posting linkspam to dynamic pages, consider a
> captcha rather than anything more drastic  [ ... ]

Perhaps you missed the W3C note on CAPTCHAs:
http://www.w3.org/TR/turingtest/ ?

Or maybe the fact that the only CAPTCHAs really capable of preventing
spambots have < 70% success rates on humans?

Signature

Beware of bugs in the above code; I have only proved it correct, not
tried it. -- Donald E. Knuth

nebulous99@gmail.com - 29 Sep 2007 21:12 GMT
> nebulou...@gmail.com wrote:
> > If it's spambots posting linkspam to dynamic pages, consider a
> > captcha rather than anything more drastic  [ ... ]
>
> Perhaps you missed the W3C note...[snip remainder of gratuitously-snarky response]

My, my, with this newsgroup's regulars the fun and sarcasm never
stops!

I never said anything about using bitmapped image based captchas.
There are other kinds, such as verbal math problem captchas, that
avoid the accessibility problems. Also there's the target-audience
factor. If the page is meant to be used by, say, a bunch of US Marines
sharpshooters, or fighter pilots, I doubt they'll have problems with
bitmap captchas. :)

