Secure CRUD services using IP addresses (whitelist)

Hi,
I would like to secure the access of the CRUD API services (http://doc.orbeon.com/form-runner/api/persistence/crud.html) so that they are only available from certain IP addresses.

Is there a way to do that ? I created my own authorizer webapp but I don't have access to the IP address of the host that requested the service, only the IP address of the orbeon server that is calling my authorizer.

Thank you !
Frederic

Frederic,

I don't think the auth service can obtain the remote IP address given how it is implemented now.

In this case, I would just add the IP filter in front of everything: the auth service would just validate other aspects of the request or let pass everything, and the IP filter in front of the servlet would check the paths and let through calls to the services as needed.

You could probably do this with UrlRewriteFilter:

   http://tuckey.org/urlrewrite/

Does this make sense?

-Erik

Hi,
Thank you we will use this approach instead.

Maybe Orbeon could pass more information to the authorizer using request parameters or http headers so that it can be implemented in the authorizer in the future ?

Thanks again !
Frederic

Frederic,

Good suggestion, I went ahead and added a change to pass a new header, "Orbeon-Remote-Address":

    https://github.com/orbeon/orbeon-forms/issues/2881

-Erik