user206646

Reputation: 191

Restrict access of web application other than localhost

I have 3 Java web apps running in Jetty and I want one of them to be accessed only through localhost. I don't want to write a filter. Can it be done by modifying some Jetty configuration?

Upvotes: 2

Views: 3405

Answers (3)

Pascal Thivent

Reputation: 570595

Playing with Virtual Hosts

To do this by configuration, you could maybe use virtual hosts. From the documentation:

Suppose also we have another webapp, zzz.war. We want xxx.war to be deployed as above, and zzz.war to be deployed only from 777.888.888.111, www.other.com, www.other.net and www.other.org:

<!-- webapp xxx.war -->
<Configure class="org.mortbay.jetty.webapp.WebAppContext">
  <Set name="contextPath">/xxx</Set>
  <Set name="war"><SystemProperty name="jetty.home"/>/webapps/xxx.war</Set>
  <Set name="virtualHosts">
    <Array type="java.lang.String">
      <Item>333.444.555.666</Item>
      <Item>127.0.0.1</Item>
      <Item>www.blah.com</Item>
      <Item>www.blah.net</Item>
      <Item>www.blah.org</Item>
    </Array>
  </Set>
</Configure>

<!-- webapp zzz.war -->
<Configure class="org.mortbay.jetty.webapp.WebAppContext">
  <Set name="contextPath">/zzz</Set>
  <Set name="war"><SystemProperty name="jetty.home"/>/webapps/zzz.war</Set>
  <Set name="virtualHosts">
    <Array type="java.lang.String">
      <Item>777.888.888.111</Item>
      <Item>www.other.com</Item>
      <Item>www.other.net</Item>
      <Item>www.other.org</Item>
    </Array>
  </Set>
</Configure>

So we could imagine having one webapp "deployed on" the local 127.0.0.1 IP address and the other deployed on names corresponding to the network IP address.

Playing with Connectors

Another option would be to define two connectors and to bind Jetty on localhost only for one of them. In your jetty.xml:

<Configure class="org.mortbay.jetty.Server">

    <!-- set up both connectors -->
    <Set name="connectors">
      <Array type="org.mortbay.jetty.Connector">
        <Item>
          <New  class="org.mortbay.jetty.nio.SelectChannelConnector">
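            <!-- -Djetty.host overrides this default (and connB's too); hard-code localhost if connA must always stay loopback-only -->
            <Set name="host"><SystemProperty name="jetty.host" default="localhost"/></Set>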
            <Set name="port">8080</Set>
            <Set name="maxIdleTime">30000</Set>
            <Set name="Acceptors">1</Set>
            <Set name="name">connA</Set>
          </New>
        </Item>
        <Item>
          <New id="connB" class="org.mortbay.jetty.nio.SelectChannelConnector">
            <Set name="host"><SystemProperty name="jetty.host" default="0.0.0.0"/></Set>
            <Set name="port">9090</Set>
            <Set name="maxIdleTime">30000</Set>
            <Set name="Acceptors">1</Set>            
            <Set name="name">connB</Set>
          </New>
        </Item>
      </Array>
    </Set>

</Configure>

And then "assign" your webapp to the chosen connector. For example, in contextA.xml:

<Configure  class="org.mortbay.jetty.webapp.WebAppContext">      
  <Set name="war"><SystemProperty name="jetty.home"/>/webapps/A</Set>
  <Set name="contextPath">/webappA</Set>
  <Set name="connectorNames">
    <Array type="String">
      <Item>connA</Item>
    </Array>
   </Set>
  ...
</Configure>

But as you can see, having different connectors implies listening on different ports (unless you have multiple NICs).


Upvotes: 2

Peter Štibraný

Reputation: 32911

The absolutely simplest solution is to bind your server socket to localhost only. Setting the host parameter of your connector to localhost should do the work. Note that this only works for localhost; it will make Jetty listen only on the loopback interface.

Upvotes: 2

Bozho

Reputation: 597372

Writing a filter is the portable solution, and is easy to configure and use. It would have only a request.getRequestURL() to check whether it is localhost.

In this thread you can see an option to use Apache as a front end.

Another option is to simply have two instances of the servlet container, running on different ports, and use a firewall to block one of the ports.

Upvotes: 0
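
A sketch of the filter approach, added here as an example and not taken from any of the answers above. It checks the connection's source address (`getRemoteAddr()`) instead of the request URL, because the host part of the URL comes from the client-supplied Host header. The class name `LoopbackOnlyFilter` is hypothetical, and the `javax.servlet` API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (name chosen for this example): rejects non-loopback peers. */
public class LoopbackOnlyFilter implements Filter {
    private ServletContext context;

    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    public void destroy() { }

    /** True only for 127.0.0.0/8 and ::1; anything unparsable is treated as remote. */
    static boolean isLoopback(String remoteAddr) {
        if (remoteAddr == null) return false;
        try {
            // getRemoteAddr() yields an IP literal, so getByName() parses it without a DNS lookup.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // fail closed
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Source address of the TCP connection, not the URL or Host header the client sent.
        String peer = req.getRemoteAddr();
        if (isLoopback(peer)) {
            chain.doFilter(req, res);
            return;
        }
        context.log("LoopbackOnlyFilter: denied request from " + peer);
        if (res instanceof HttpServletResponse) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Map the filter to `/*` in the restricted web app's web.xml. If a reverse proxy on the same host forwards to Jetty, every request arrives from the loopback address and this check passes for all of them.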
