Access to source IP address during authentication and authorization

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Access to source IP address during authentication and authorization

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

In spite of my (somewhat) recent work on the CredentialHandlers, I
haven't been using Tomcat's container-provider authentication and
authorization for over a decade. This is because I need access to the
user's source IP address for auditing where users "are" when they
login to my applications.

Is there any opportunity to obtain the user's IP address during login?
IIRC, the JASPIC scheme does allow this kind of information, but I'm
not sure if Tomcat actually supplies it. JASPIC is a rather
complicated solution when I am in fact authenticating against a simple
relational database.

What might be other ways to obtain the user's IP address during
authentication?

Thanks,
- -chris

PS I don't use Spring, to "just use Spring security like everyone
else" isn't a great solution for me.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlmJqRoACgkQHPApP6U8
pFiyBRAAy0hn69+toHp5Dl0mKXlnAFsicOMko95/a8831o75v6/8t5DTIjnU0oAr
G4fND3OW4Ud4XPRnuUVY6u5we7BjQbySDgKdm3Tsa0h36UOUqbP5avzOWAZJMaBX
w0vq97Nn5jCUbiDyM2BABfph3WXk93yBjklfg7p12NlBMu6uR+0de/GPeb8dn/TT
Grdk7NSvDKUn69uqi3alNDyvPqS2F0XPizVgdnEbH6X+9DBBHaK0NSEtT+3D5YaS
WKwjZFubxU8BCO4wb8BLynJy61Fu7CGNQTxg9qI9+sa1kHEuq/XXl++qCVRF6ORJ
ZSd7ujBP9JV7v8WGgDhAZDfZ6HBYvgHr0euXzfqZPRxsqk5tKwz6uvpOgeuNz/Bv
xgOYZrqSw5G+BSj0Ia9k5Gwx4rPldwZ+LKfQ3sUVeg08R+vBePimhMU0oHlh8js8
zC+PaK8EQ0OWkScqCRgMD1B8K1CfR/mQrdoXvvS3e4NP7+gbiyvVLPEIOExlu0cy
zEseknq41o8Iooil4dHB15YZ7JE7TriKDAo/PxSGmvjownRKpTKvXTyBLVTHjudt
vyWtOpJxjaNaos9JeHRkKr7Lx029cxcJt9jJS1Ucatv5n68PCSzN0wDvqZaCEPpS
EUjpo3K+wRq+/BFfRK1K/0m3fGqfAQZT21rmIM011348Lk6s1Go=
=smRC
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access to source IP address during authentication and authorization

info@flyingfischer.ch

Am 08.08.2017 um 14:05 schrieb Christopher Schultz:

> All,
>
> In spite of my (somewhat) recent work on the CredentialHandlers, I
> haven't been using Tomcat's container-provider authentication and
> authorization for over a decade. This is because I need access to the
> user's source IP address for auditing where users "are" when they
> login to my applications.
>
> Is there any opportunity to obtain the user's IP address during login?
> IIRC, the JASPIC scheme does allow this kind of information, but I'm
> not sure if Tomcat actually supplies it. JASPIC is a rather
> complicated solution when I am in fact authenticating against a simple
> relational database.
>
> What might be other ways to obtain the user's IP address during
> authentication?
>
> Thanks,
> -chris
>
> PS I don't use Spring, to "just use Spring security like everyone
> else" isn't a great solution for me.

If you run Tomcat only you may use request.getRemoteAddr() in the logic
and build IP based access management around this.

If you run Apache in front of Tomcat you may need to fiddle with
X-Forwarded-For header.

Markus




---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access to source IP address during authentication and authorization

André Warnier (tomcat)
On 08.08.2017 14:21, [hidden email] wrote:

>
> Am 08.08.2017 um 14:05 schrieb Christopher Schultz:
>> All,
>>
>> In spite of my (somewhat) recent work on the CredentialHandlers, I
>> haven't been using Tomcat's container-provider authentication and
>> authorization for over a decade. This is because I need access to the
>> user's source IP address for auditing where users "are" when they
>> login to my applications.
>>
>> Is there any opportunity to obtain the user's IP address during login?
>> IIRC, the JASPIC scheme does allow this kind of information, but I'm
>> not sure if Tomcat actually supplies it. JASPIC is a rather
>> complicated solution when I am in fact authenticating against a simple
>> relational database.
>>
>> What might be other ways to obtain the user's IP address during
>> authentication?
>>
>> Thanks,
>> -chris
>>
>> PS I don't use Spring, to "just use Spring security like everyone
>> else" isn't a great solution for me.
>
> If you run Tomcat only you may use request.getRemoteAddr() in the logic
> and build IP based access management around this.
>
> If you run Apache in front of Tomcat you may need to fiddle with
> X-Forwarded-For header.
>
> Markus
>

+1, I was just going to mention the same.
In case of any front-end proxy, getRemoteAddr() would probably give the IP of the proxy.
And to make matters a little bit more complicated, see this article :
https://github.com/eprints/eprints/issues/214
This is perl, not Java, but it provides some additional information which might be useful
(about nginx and HTTPS e.g.)



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access to source IP address during authentication and authorization

Christopher Schultz-2
In reply to this post by info@flyingfischer.ch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Markus,

On 8/8/17 8:21 AM, [hidden email] wrote:

>
> Am 08.08.2017 um 14:05 schrieb Christopher Schultz:
>> All,
>>
>> In spite of my (somewhat) recent work on the CredentialHandlers,
>> I haven't been using Tomcat's container-provider authentication
>> and authorization for over a decade. This is because I need
>> access to the user's source IP address for auditing where users
>> "are" when they login to my applications.
>>
>> Is there any opportunity to obtain the user's IP address during
>> login? IIRC, the JASPIC scheme does allow this kind of
>> information, but I'm not sure if Tomcat actually supplies it.
>> JASPIC is a rather complicated solution when I am in fact
>> authenticating against a simple relational database.
>>
>> What might be other ways to obtain the user's IP address during
>> authentication?
>>
>> Thanks, -chris
>>
>> PS I don't use Spring, to "just use Spring security like
>> everyone else" isn't a great solution for me.
>
> If you run Tomcat only you may use request.getRemoteAddr() in the
> logic and build IP based access management around this.

Have you noticed that Tomcat only passes two String values to the
authenticators? The IP address is not available.

> If you run Apache in front of Tomcat you may need to fiddle with
> X-Forwarded-For header.

I have no problem with Tomcat having access to the IP address. I just
want Tomcat to make that IP address available to the authenticator
component in some way.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlmJskcACgkQHPApP6U8
pFivdA//XSyx5+ZszII0hxLjaeJi5+PHTOnbrzdcKLD+Q/6aDeFDbiECQItqAPZY
w30aEWsqEdXiXEiCoHqD7NrsxkL6cM01uPpLSHsISDnPxX69ogWGCZNmxduLUxr2
V3kTLn+s2fry2ZECZWW28KW3aKvs9EQ8bPrxQoPZFHWlXSloIy+ao4UlpxBuCQh2
CO1akIYcxiOXCb8Bq4zIk70/E6zTDnWrsXcu3voTcSV8xrScZxYmj3AKMWITICw8
owmwJ0aQfnnOCs1j7HDz9TEKjUa/Net+Z1d1ZlWlq7aq3xaTBLyDyZskE1FeZ6yK
pZPgveRdmlnReUJYHBfZqqUKT7iPRSoogcHdFZhVyI8JU2ega2nyI+uBDvc6fcPL
PAjBvmZ+FdIk9Plvptv0oc4BzZMd0401JPmuA02CtmqYxfVToJGYuqo4SYiVl5gG
mhCEY+VAIo5LWSRxM3scp/7fe9kj2c/Zn5AcYhNHIm16YEWYGe+FOKrPOMwK67e5
FWj0OxL0pSv9If7MRJ/xMXJyapH3KYkeNY2x5mdXpaueDmpDGb6Hvh9978q8P7wI
xXxfdocDCCFJOgsn7o+GZo4yqnWK177bmYXm2WxzW9AhTVqe285D0XK5OvL1EiAG
RzZqh3IgCNDgYoWzQjGtYO9q9FM4cu6REDBdmZOK8Kn2+fGaxC0=
=fAU7
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access to source IP address during authentication and authorization

markt
On 08/08/17 13:44, Christopher Schultz wrote:

<snip/>

> I have no problem with Tomcat having access to the IP address. I just
> want Tomcat to make that IP address available to the authenticator
> component in some way.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

Implementing that in a way that is truly backwards compatible requires a
little thought.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access to source IP address during authentication and authorization

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 8/8/17 8:49 AM, Mark Thomas wrote:

> On 08/08/17 13:44, Christopher Schultz wrote:
>
> <snip/>
>
>> I have no problem with Tomcat having access to the IP address. I
>> just want Tomcat to make that IP address available to the
>> authenticator component in some way.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>
> Implementing that in a way that is truly backwards compatible
> requires a little thought.

I agree that backward-compatibility is a significant issue, since the
Realm interface hasn't changed since ... well, ever.

How about cheating and using a ThreadLocal?

try {
  tl.set(theRequest)
  authenticator.authenticate(username,password);
} finally {
  tl.set(null);
}

??

For SecurityFilter, we added a sub-interface that adds more methods,
like this:

authenticate(String username, String password);
authenticate(String username, String password, HttpServletRequest req);

Then, the driver does this:

if(realm instanceof ExtendedRealm)
  ((ExtendedRealm)realm).authenticate(username, password, theRequest);
else
  realm.authenticate(username, password);

If using the HttpServletRequest itself is architecturally distasteful,
we could use some other kind of data object, or simply
java.lang.Object (which is a little distasteful itself).

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlmJthYACgkQHPApP6U8
pFhwTw//ZjwS5MtDL7F18OWFrmtxvfyCDbnOiOgwyJxoCCn//xWjQC7sCmb8OZZd
PFnbbzRcU55Ws1+oDz+rZGoXTz8bOOaE0WXQ9r477ETryzjlTNarVgselgQUM24X
zl0cSAMJo4U/fabTrSupSOk1H6OJUwNRI0N4FNYsjpk+mXlScGcZsjycvB6CH5Bp
8ht3J222Q9hdBNatcpLzicfRW5t+smckA+1wxFWBye1gxnG9aaNakcXa/V7nQtoq
nZO636HIvK16LWoudBXUOfHqGTCBYTijfzD37v8LrIsYj6+yJ/ZetkF45tS4nWcF
Gl1vzQQCwY92xd9q6i6UBlnngI898Pp+vuld+mHHwM1nP2dvskO5A4VdYZ+dS4dp
QmMWYKhR4cr2TjOpDKy9hxzuRxeENt1Bnr3Jk2Qiy4o8e0a/e7ksB3JfXS99JfLt
uCprKNMkRG3Uc1+5vZXOQ1kk7Fz1Bryp7xrxgZjXdpHZ1R7GFIgPi6ohbA+GT4NV
dCgYWOPdh1TIcAgOP6dVgHc1H58BX2IjPl8AiKOKLZPKLv+3eWeA5XBz0D1LM0bm
CZ+EwFXCfIr5cFqabvbE99DdojhpT6NPmDjTmJznAV7f8AWHLnyr7eYMQY+pkHdF
GX3oOwzBlw46CVtMnkgu0OrLPnM/X8447RgMs1bJFJ1dpYO0rr8=
=d9LJ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access to source IP address during authentication and authorization

markt
On 08/08/17 14:01, Christopher Schultz wrote:

> Mark,
>
> On 8/8/17 8:49 AM, Mark Thomas wrote:
>> On 08/08/17 13:44, Christopher Schultz wrote:
>
>> <snip/>
>
>>> I have no problem with Tomcat having access to the IP address. I
>>> just want Tomcat to make that IP address available to the
>>> authenticator component in some way.
>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>
>> Implementing that in a way that is truly backwards compatible
>> requires a little thought.
>
> I agree that backward-compatibility is a significant issue, since the
> Realm interface hasn't changed since ... well, ever.
>
> How about cheating and using a ThreadLocal?
>
> try {
>   tl.set(theRequest)
>   authenticator.authenticate(username,password);
> } finally {
>   tl.set(null);
> }
>
> ??

Yuck.

> For SecurityFilter, we added a sub-interface that adds more methods,
> like this:
>
> authenticate(String username, String password);
> authenticate(String username, String password, HttpServletRequest req);
>
> Then, the driver does this:
>
> if(realm instanceof ExtendedRealm)
>   ((ExtendedRealm)realm).authenticate(username, password, theRequest);
> else
>   realm.authenticate(username, password);

That could work for 8.5.x and earlier. We can use default methods in
Tomcat 9.

I was also thinking about the case where a custom component called the
Realm (e.g. custom nested Realms). I'm not sure there is one solution
that can cleanly handle all use cases. We probably need to go with the
majority.

> If using the HttpServletRequest itself is architecturally distasteful,
> we could use some other kind of data object, or simply
> java.lang.Object (which is a little distasteful itself).

I have no problem with using the HttpServletRequest.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access to source IP address during authentication and authorization

zemiandeng
Hi, how about extends the
"org.apache.catalina.authenticator.AuthenticatorBase"? or extends
"FormAuthenticator" if you are using form based. The base class is actually
a Valve, thus provide the "Request" object access. And to use it, just
simply add as a valve in your context xml file. If I understand it
correctly, this will override the default one.

On Tue, Aug 8, 2017 at 9:09 AM, Mark Thomas <[hidden email]> wrote:

> On 08/08/17 14:01, Christopher Schultz wrote:
> > Mark,
> >
> > On 8/8/17 8:49 AM, Mark Thomas wrote:
> >> On 08/08/17 13:44, Christopher Schultz wrote:
> >
> >> <snip/>
> >
> >>> I have no problem with Tomcat having access to the IP address. I
> >>> just want Tomcat to make that IP address available to the
> >>> authenticator component in some way.
> >
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
> >
> >> Implementing that in a way that is truly backwards compatible
> >> requires a little thought.
> >
> > I agree that backward-compatibility is a significant issue, since the
> > Realm interface hasn't changed since ... well, ever.
> >
> > How about cheating and using a ThreadLocal?
> >
> > try {
> >   tl.set(theRequest)
> >   authenticator.authenticate(username,password);
> > } finally {
> >   tl.set(null);
> > }
> >
> > ??
>
> Yuck.
>
> > For SecurityFilter, we added a sub-interface that adds more methods,
> > like this:
> >
> > authenticate(String username, String password);
> > authenticate(String username, String password, HttpServletRequest req);
> >
> > Then, the driver does this:
> >
> > if(realm instanceof ExtendedRealm)
> >   ((ExtendedRealm)realm).authenticate(username, password, theRequest);
> > else
> >   realm.authenticate(username, password);
>
> That could work for 8.5.x and earlier. We can use default methods in
> Tomcat 9.
>
> I was also thinking about the case where a custom component called the
> Realm (e.g. custom nested Realms). I'm not sure there is one solution
> that can cleanly handle all use cases. We probably need to go with the
> majority.
>
> > If using the HttpServletRequest itself is architecturally distasteful,
> > we could use some other kind of data object, or simply
> > java.lang.Object (which is a little distasteful itself).
>
> I have no problem with using the HttpServletRequest.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access to source IP address during authentication and authorization

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Zemian,

On 8/8/17 9:36 AM, Zemian Deng wrote:
> Hi, how about extends the
> "org.apache.catalina.authenticator.AuthenticatorBase"? or extends
> "FormAuthenticator" if you are using form based. The base class is
> actually a Valve, thus provide the "Request" object access. And to
> use it, just simply add as a valve in your context xml file. If I
> understand it correctly, this will override the default one.

I'm trying to come up with a more pluggable solution, like I did with
the CredentialHandlers.

Obviously, I can simply write or extend whatever Valve I want and do
anything with it, but having to choose a single type of authenticator
isn't very flexible.

I'd prefer a solution that improves Tomcat for the whole community,
rather than one that merely meets my private needs.

- -chris

> On Tue, Aug 8, 2017 at 9:09 AM, Mark Thomas <[hidden email]>
> wrote:
>
>> On 08/08/17 14:01, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 8/8/17 8:49 AM, Mark Thomas wrote:
>>>> On 08/08/17 13:44, Christopher Schultz wrote:
>>>
>>>> <snip/>
>>>
>>>>> I have no problem with Tomcat having access to the IP
>>>>> address. I just want Tomcat to make that IP address
>>>>> available to the authenticator component in some way.
>>>
>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>>>
>>>> Implementing that in a way that is truly backwards
>>>> compatible requires a little thought.
>>>
>>> I agree that backward-compatibility is a significant issue,
>>> since the Realm interface hasn't changed since ... well, ever.
>>>
>>> How about cheating and using a ThreadLocal?
>>>
>>> try { tl.set(theRequest)
>>> authenticator.authenticate(username,password); } finally {
>>> tl.set(null); }
>>>
>>> ??
>>
>> Yuck.
>>
>>> For SecurityFilter, we added a sub-interface that adds more
>>> methods, like this:
>>>
>>> authenticate(String username, String password);
>>> authenticate(String username, String password,
>>> HttpServletRequest req);
>>>
>>> Then, the driver does this:
>>>
>>> if(realm instanceof ExtendedRealm)
>>> ((ExtendedRealm)realm).authenticate(username, password,
>>> theRequest); else realm.authenticate(username, password);
>>
>> That could work for 8.5.x and earlier. We can use default methods
>> in Tomcat 9.
>>
>> I was also thinking about the case where a custom component
>> called the Realm (e.g. custom nested Realms). I'm not sure there
>> is one solution that can cleanly handle all use cases. We
>> probably need to go with the majority.
>>
>>> If using the HttpServletRequest itself is architecturally
>>> distasteful, we could use some other kind of data object, or
>>> simply java.lang.Object (which is a little distasteful
>>> itself).
>>
>> I have no problem with using the HttpServletRequest.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>>
>>
To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlmKD0AACgkQHPApP6U8
pFj78Q//UPwFI0H/Ixbix31lMcK819yiRxDMJJ5aMFkg/JchZJBm6eoJ3pJwP8nF
W9LD/x9qF3tNFc+N3fATUOKi9NWHEnMXxKqWm0OzSmGeM7V1XnaT8hUjA5Mm97He
Io4YSVncq4bG7rb5asyK0+p0zqLZGxPZMeAe+2tM0uvoy06YELJaV6Ra9is8tVtS
CncQYJlDTTHT0ecsbIBUQiC46daYEIbaF0yxU0z794cEN4yAd17jlFmFpQs+7eAT
wNy9eCAlG+Q7w15/rea50QniER+NDGdbXGz6Vpyp42MSy2Zr19cXZQMqlWVrQV3t
Od7C8pjzNIRUHFPFeFX21jfeLReFmTioDXlHrwnayy8WsecYHq2iVkMdEpm7NxY2
etGg26RKPypiLepA3cwj4tUR6lmgE9A7ydP7utY2IfOKU6QZ0vyCz5KITELq+yqf
XG2i/RvI/U7qutXqk5nbkkEH6UCsN9eQrCtKZ4r5tLxIJDlSLSsgsHrUKKdd1zJ8
ACHSKMEA1HyA8pbI7mdENeogNWz1dQ3J7JSpWjHmsEcPutn2dP4Q25+StjkuFAah
W1neqzXrT/Vt/K98Q3mS3YK8/x+X91TS46C2J6zut76KDRHqBAwiXDNq+KFzKePR
+SzBiHS6elz4tXz+zxRG+stmL96ooDMUMJMzDSPSCqGPzmC3jvQ=
=YgBR
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...