8

I want to configure a machine in my network to accept all calls from a specific machine without authentication. For this I am planning to use the IP address of the client machine as the required trust factor to allow unchecked authentication.

My concern is: is it possible to accurately determine the IP address of a client in a Java servlet? Is it possible that the IP which I get in the servlet can be changed by some hacking mechanism to make my server believe that it is the trusted IP?

For example, if my server machine is configured to trust 192.168.0.1, is it possible for some client other than 192.168.0.1 to pretend to be 192.168.0.1 and fool my authentication mechanism?

Ashish

5 Answers

21

You can use the getRemoteAddr() method from the HttpServletRequest class to obtain the IP address. Be careful, though. If your client is behind a proxy server (or even a NATting firewall), you'll get the proxy IP address instead.

So, you can also look for the X-Forwarded-For HTTP header (standard for identifying the source IP address of a client behind an HTTP proxy). See more on Wikipedia. Be careful, though. If your client is NOT behind a proxy, you can get a null XFF header. So, if you are to follow this path, you should use a mix of the servlet methods and XFF header evaluation. There is no guarantee, though, that the proxy will forward you the header.

But be aware that the source IP address can be easily changed or faked by any malicious client. I really recommend using some sort of client authentication (a certificate, for example). There is no way for a web app to accurately determine the client IP address.

Viccari
  • and +1 for mentioning the XFF header and possibility for it to be null – stevevls Feb 17 '12 at 10:50
  • how does the client authentication work? can the client send a certificate similar to what the server sends in https communication to identify itself? could you please provide some details on this. – Ashish Feb 20 '12 at 08:47
  • You can generate a self-signed client certificate and install it on your client machine's keystore (are you using Java in your client as well?). Then, your server should only accept requests signed by client certificates from a given CA (yourself, in this case). There is plenty of documentation regarding Java + client certificates on the web. Also, have a look at the excellent [Wikipedia entry](http://en.wikipedia.org/wiki/Transport_Layer_Security) on TLS for the basics. – Viccari Feb 20 '12 at 11:24
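The mix this answer describes (start from getRemoteAddr(), consult X-Forwarded-For only when the TCP peer is a proxy you operate yourself) looks like the following servlet. This is an added example, not code from the answer or from any project; the proxy addresses are assumed values and the trusted client address is the one from the question. The resolved address is still only as reliable as the network path, which is the answer's point: treat it as a logging value or one extra signal, not as authentication on its own.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Best-effort client address resolution: the TCP peer address is the baseline,
 * and the X-Forwarded-For (XFF) header is consulted only when that peer is one
 * of our own reverse proxies. XFF from any other peer is attacker-controlled.
 */
public class ClientAddressServlet extends HttpServlet {

    // Assumed values (hypothetical): the reverse proxies this deployment operates.
    private static final Set<String> TRUSTED_PROXIES =
            new HashSet<String>(Arrays.asList("10.0.0.2", "10.0.0.3"));

    // The single peer the question wants to trust (taken from the question).
    private static final String TRUSTED_CLIENT = "192.168.0.1";

    /**
     * Returns the address to attribute the request to. Walks the XFF chain from
     * the right, skipping hops we operate, and stops at the first hop we do not.
     */
    static String resolveClientAddress(String remoteAddr, String xff, Set<String> trustedProxies) {
        if (xff == null || !trustedProxies.contains(remoteAddr)) {
            // Direct connection, or a header supplied by an untrusted peer: ignore XFF.
            return remoteAddr;
        }
        // XFF is "client, proxy1, proxy2, ...": each proxy appends the address it saw.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!trustedProxies.contains(hop)) {
                return hop;  // the nearest hop that is not one of our proxies
            }
        }
        // Every listed hop was one of our proxies (malformed chain): use the TCP peer.
        return remoteAddr;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String client = resolveClientAddress(req.getRemoteAddr(),
                req.getHeader("X-Forwarded-For"), TRUSTED_PROXIES);
        // Address match is a weak signal only; see the answer for why it is not authentication.
        if (!TRUSTED_CLIENT.equals(client)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("request attributed to " + client);
    }
}
```

A client that connects directly and sends its own X-Forwarded-For header is ignored, because its getRemoteAddr() is not in the proxy list; a client that sends a forged header through one of the listed proxies is caught by the right-to-left walk, since the proxy appends the real peer address after the forged one.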
7

Your service could be vulnerable to IP Spoofing. It's easy to forge packets that appear to be from a different IP address. The thing about spoofing, though, is that the attacker won't be able to receive any response packets. Therefore, if calling your services doesn't cause an internal change of state (i.e. it's read only), then you should be okay. If, however, the calls to your service will issue writes, then you shouldn't rely simply on IP address because a spoofed packet will be enough to change the internal state of your system.

stevevls
  • could you please provide some way of how I can achieve the desired functionality i.e. trusting a machine in my network. – Ashish Feb 20 '12 at 08:49
  • part of what you might want to do is decide on the acceptable level of risk balanced with how many cycles you have to lock it down. if you're a bank, then you need to make sure it's rock solid, but other applications have more tolerance. one option is to ensure that you're not bound on a public IP and trust in your sysadmins to keep the local 'net locked down. if you really need to secure it, Viccari's suggestion of using client certificates is a good one if you need to get it locked down. whatever you do, if you go beyond IP verification, make sure that you can revoke access easily. – stevevls Feb 20 '12 at 23:22
2

You could be locally susceptible to ARP spoofing, where a malicious machine convinces the router to associate the IP address with its MAC address.

The level and mechanism of trust really depends on the sensitivity of the server/service you are trying to protect and the environment you are operating in.

It looks to me that this is a local arrangement, given the private 192.168 IP address range. If this server is not public facing, not critical, and you are operating in a relatively secure LAN environment that's well shut off from the public and other private LANs, then you should be OK. Otherwise you should look at other security options at a higher level.

Adrian Regan
  • nice point. i haven't (yet) spent much time worrying about malicious users on the local network, though it's definitely known to happen and a good idea to protect against. :) – stevevls Feb 17 '12 at 10:49
  • The 192.168 IP range will not be carried by any public router. So any threat will have to come internally – Adrian Regan Feb 17 '12 at 10:52
1

My concern is that is it possible to accurately determine the IP address of a client in a java servlet?

No it is not possible. There are a number of scenarios where you won't see the real client IP address due to either the actions of the user, or other reasons that are outside the user's control.

In the latter cases, IP-based identification ends up causing headaches for your honest customers; i.e. the customers that you really want to keep.

If you really need to limit access to a specific set of computers, you should consider using something like SSL/TLS with client certificates as your first line of defence. TLS with client certificates is described here.

Stephen C
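For the client-certificate route this answer and Viccari's comment recommend, the following added servlet (not code from the answer or from any project) reads the certificate chain the container has already verified and accepts only the certificate pinned for the trusted machine. It assumes the servlet container's TLS connector is configured to require client certificates (for Tomcat, clientAuth="true" on the SSL connector) so that the standard javax.servlet.request.X509Certificate attribute is populated; the pinned fingerprint is a placeholder.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Identifies the caller by its TLS client certificate instead of by source IP.
 * The container has already validated the chain against its truststore; this
 * servlet only decides whether the verified leaf is the one trusted machine.
 */
public class ClientCertServlet extends HttpServlet {

    // Standard servlet request attribute holding the verified chain, leaf first.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // PLACEHOLDER (assumed value): hex SHA-256 fingerprint of the certificate issued
    // to the trusted machine. Replace with the real value; change it to revoke access.
    private static final String PINNED_FINGERPRINT =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** Lower-case hex SHA-256 of the certificate's DER encoding (its fingerprint). */
    static String fingerprint(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** True only when a chain was presented and its leaf is the pinned certificate. */
    static boolean isTrustedPeer(X509Certificate[] chain, String pinned)
            throws CertificateEncodingException {
        if (chain == null || chain.length == 0) {
            return false;  // no client certificate: plain HTTP, or connector not requiring one
        }
        return pinned.equalsIgnoreCase(fingerprint(chain[0]));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        try {
            if (!isTrustedPeer(chain, PINNED_FINGERPRINT)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        } catch (CertificateEncodingException e) {
            throw new ServletException("unreadable client certificate", e);
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("hello " + chain[0].getSubjectX500Principal().getName());
    }
}
```

Pinning the leaf fingerprint rather than only trusting "any certificate from my CA" keeps the decision to one known key pair; when several machines need access, keep the fingerprints in configuration rather than a constant, which also gives the easy revocation stevevls asks for.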
0

IPs can be easily faked, like email senders. I would strongly suggest not relying on them solely.

wintersolutions
  • Not as easy as mail sender, as you reply to the specified IP address. So the real problem is trusting the source IP in case of actions, but you can rely on them when providing information – Hurda Feb 17 '12 at 10:06
  • Yeah, I upvoted stevevls' answer because he makes the distinction between writes and read-only. Btw. mail sender is exactly the same, because you can't receive the answer in both cases. – wintersolutions Feb 17 '12 at 10:08