Give access to JSP file/folder only for particular IP address

Question

I made a CMS application using JSP and servlet. I am not using any kind of framework. The CMS has 2 parts:

1. Front end
2. Admin (Back end)

If I hosted it on www.example.com, for example, then all my frond end site will show for all users.

But www.example.com/admin must be accessible from a couple of IP addresses. Not from all the users.

I found these links:

• link 1
• link 2
• Stack Overflow link

Link 1 looks bit confusing and Link 2 looks good, but I am not using JBoss.

In the Stack Overflow link they did not mention how to use it.

Answer 1

As far as I understand from your question you use the Apache Tomcat as a web server. In that case use Remote Address Filter to restrict access by IP address. It allows comparing IP of the requesting client with regular expressions to either allow or prevent the request based on the results of the comparison.

If you use Tomcat 7 you need use class RemoteAddrFilter and define regular expressions for necessary IP in the application's configuration file web.xml:

<filter>
   <filter-name>Remote Address Filter</filter-name>
   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
   <init-param>
      <param-name>allow</param-name> <!-- or deny -->
      <param-value>10\.10\.1[12]\..*</param-value> <!-- regexp for your ip adress -->
   </init-param>
</filter>
<filter-mapping>
   <filter-name>Remote Address Filter</filter-name>
   <url-pattern>*/admin</url-pattern> <!-- the url of your admin page -->
</filter-mapping>

You can use hardcoded specific IP address or regular expression patterns. But in some cases regular expressions gives you a lot of flexibility in validation of addresses.

And if you use 6 or 5 version of Tomcat you need use class RemoteAddrValve and define following line in Tomcat's configuration file server.xml:

<Valve className=”org.apache.catalina.valves.RemoteAddrValve” allow=”10\.10\.1[12]\..*”/> 

or

 <Valve className="org.apache.catalina.valves.RemoteAddrValve"
    deny="86.57.158.37, 213.117.195.*, 124.86.42.*" /> 

More information about using request filter valves.

And interesting article about securing the administrative web apps with Tomcat.

And by the way there's convenient to not deny requests from localhost for testing. So it makes sense to add 127\.0\.0\.1 to your allowable range of IP adresses.

But don't forget that in some cases a proxy server can be used to get around the IP block. Apply also login authentication for better security.

Answer 2

You can define a WebFilter.

An example:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(filterName = "ezSecurityAdminFilter", urlPatterns = "/admin/*")
public class EZSecurityAdminFilter implements Filter {

    private static String allowIP = "0:0:0:0:0:0:0:1";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;


        String ipAddr = req.getRemoteAddr();

        System.out.println("IP-Addr: " + ipAddr);

        if (ipAddr.equals(allowIP)) {
            chain.doFilter(request, response);
        } else {

            res.sendRedirect("/WebApplication1/access_denied.jsp");
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}

All request from a other IP address then allowIP will be redirected.