
I'm developing a Windows application, using Eclipse, Tomcat server and Struts2. I am using LDAP verification to log in.

I only want to allow specific people to view my application, i.e. a person with IP 173.12.12.12 can view it, while 173.12.12.72 should not.

How should I do this?

Also, if someone enters an ID which is disabled, the application should not work on his terminal anymore. How should I do this?

Aleksandr M
thecoot_11

2 Answers

  • If you want to handle your IP address whitelist within your web application (e.g. in a database), you can detect the user's IP address server-side by reading the X-Forwarded-For HTTP header from the request.

  • If you want to handle your IP address whitelist within your application server (in this case, Tomcat), you must put a RemoteAddrValve in your context.xml (source).

Both of these methods work, but both fail at detecting real IPs in case of IP spoofing. It's naive for a malicious user to spoof their own IP address, for example with CURL, or with a Firefox AddOn like anonymoX.

You shouldn't rely on IP address to protect your system. But you can use them to enhance the user experience to your authenticated, trusted users... once they're in, you can assume they're not malicious and start profiling their devices by IP to provide targeted functionalities.

Community
Andrea Ligios
  • From Wikipedia: *Services vulnerable to IP spoofing [...] Any service that uses IP address authentication*. Do not use IP address authentication. – Andrea Ligios Mar 09 '15 at 11:46
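
An added example, not part of the answer above and not Tomcat's own code: one way to do the server-side check when the application sits behind a reverse proxy, honouring X-Forwarded-For only when the TCP peer is a known proxy, since any client can send that header itself. The class and method names and the proxy address 10.0.0.5 are assumptions; 173.12.12.12 and 173.12.12.72 are the addresses from the question.

```java
import java.util.Set;

public class ClientIpAllowlist {
    // Assumption: address of the reverse proxy in front of Tomcat (constructed value).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    // The address the question wants to admit.
    static final Set<String> ALLOWED_CLIENTS = Set.of("173.12.12.12");

    /**
     * remoteAddr: the TCP peer, e.g. HttpServletRequest.getRemoteAddr().
     * xff: the raw X-Forwarded-For header value, or null when absent.
     */
    static String resolveClientIp(String remoteAddr, String xff) {
        // If the peer is not our proxy, the header is client-controlled: ignore it.
        if (xff == null || xff.isBlank() || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Walk right to left: the rightmost entries were appended by our own proxies,
        // anything further left may have been supplied by the client.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!TRUSTED_PROXIES.contains(hop)) {
                return hop; // first address that is not our infrastructure
            }
        }
        return remoteAddr; // header listed only our own proxies
    }

    static boolean isAllowed(String remoteAddr, String xff) {
        return ALLOWED_CLIENTS.contains(resolveClientIp(remoteAddr, xff));
    }

    public static void main(String[] args) {
        // Constructed cases, each printed as the allow/deny decision.
        // 1. Direct request from the allowed address, no header.
        System.out.println(isAllowed("173.12.12.12", null));
        // 2. Direct request from 173.12.12.72 that supplies its own header.
        System.out.println(isAllowed("173.12.12.72", "173.12.12.12"));
        // 3. Via the proxy: client-supplied entry first, real peer appended by the proxy.
        System.out.println(isAllowed("10.0.0.5", "173.12.12.12, 173.12.12.72"));
        // 4. Via the proxy: the real peer is the allowed address.
        System.out.println(isAllowed("10.0.0.5", "173.12.12.12"));
    }
}
```

The check only narrows who can reach the login page; the LDAP authentication mentioned in the question remains the actual access control.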

If it is a range of IPs, fetch the IP value from a property file and verify against it. If it is a single value, fetch the value from the database assigned to users and verify against it.

thecoot_11