Secure CRUD services using IP addresses (whitelist)

fbonin
Hi,
I would like to secure the access of the CRUD API services (http://doc.orbeon.com/form-runner/api/persistence/crud.html) so that they are only available from certain IP addresses.

Is there a way to do that? I created my own authorizer webapp but I don't have access to the IP address of the host that requested the service, only the IP address of the Orbeon server that is calling my authorizer.

Thank you!
Frederic
Re: Secure CRUD services using IP addresses (whitelist)

Erik Bruchez
Administrator
Frederic,

I don't think the auth service can obtain the remote IP address given how it is implemented now.

In this case, I would just add the IP filter in front of everything: the auth service would just validate other aspects of the request or let pass everything, and the IP filter in front of the servlet would check the paths and let through calls to the services as needed.

You could probably do this with UrlRewriteFilter:

   http://tuckey.org/urlrewrite/

Does this make sense?

-Erik
Re: Secure CRUD services using IP addresses (whitelist)

fbonin
Hi,
Thank you, we will use this approach instead.

Maybe Orbeon could pass more information to the authorizer using request parameters or HTTP headers so that it can be implemented in the authorizer in the future?

Thanks again!
Frederic
Re: Secure CRUD services using IP addresses (whitelist)

Erik Bruchez
Administrator
Frederic,

Good suggestion, I went ahead and added a change to pass a new header, "Orbeon-Remote-Address":

    https://github.com/orbeon/orbeon-forms/issues/2881

-Erik
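An added example (not code from this thread or from Orbeon) of the check an authorizer webapp could apply once the "Orbeon-Remote-Address" header is available: it allowlists CRUD calls by network and fails closed when the header is missing or malformed. The allowlist, the header-name handling and the CRUD path prefix are assumptions made for the example; the value is only meaningful if the authorizer can be reached solely by Orbeon, since any other client could set the header itself.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed allowlist: networks permitted to call the CRUD persistence API.
CRUD_ALLOWLIST = ("10.0.5.0/24", "192.0.2.17")

# Assumed prefix under which the persistence CRUD API is served (not taken from the thread).
CRUD_PREFIX = "/fr/service/persistence/"

# Header name from the thread; the example looks it up case-insensitively.
REMOTE_ADDRESS_HEADER = "orbeon-remote-address"


def parse_allowlist(entries: Iterable[str]):
    """Turn CIDR or single-address strings into network objects
    (a bare address becomes a /32 or /128 network)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def extract_remote_address(headers: Mapping[str, str]) -> Optional[str]:
    """Return the Orbeon-Remote-Address value, or None if it was not sent."""
    for name, value in headers.items():
        if name.lower() == REMOTE_ADDRESS_HEADER:
            return value.strip()
    return None


def is_crud_request_allowed(path: str, headers: Mapping[str, str],
                            allowlist: Iterable[str] = CRUD_ALLOWLIST) -> bool:
    """Decide whether a request to the authorizer may proceed.

    Paths outside the CRUD prefix are not subject to the IP check here and
    are passed through (the authorizer may validate other aspects of them).
    For CRUD paths the decision fails closed: no header, an unparsable
    address, or an address outside the allowlist all yield False."""
    if not path.startswith(CRUD_PREFIX):
        return True
    raw = extract_remote_address(headers)
    if raw is None:
        return False
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return False
    # Membership across IP versions is simply False, so a v6 client
    # cannot match a v4 network entry.
    return any(addr in net for net in parse_allowlist(allowlist))
```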