Reputation: 1567
Is there any way to restrict access by configuring WildFly? I would like to know whether we can add a list of IPs that can only access the server. Is there any way to blacklist IPs at the server level?
I am checking a feature like this: http://boseca.blogspot.in/2010/12/programmatically-addremove-ip-security.html
Upvotes: 1
Views: 7003
Reputation: 4206
If you're using Wildfly 8.2 (which contains Undertow 1.1.0), then you can configure IP access control via the undertow-handlers.conf file, which you put in a war's WEB-INF or a jar's META-INF folder.
You can do something like:
ip-access-control[default-allow=false, acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]
This can also be combined with predicates:
path-prefix[/internal] -> ip-access-control[acl={ '10.0.0.0/24 allow'}]
Alternatively (or if you use an earlier Wildfly version than 8.2) you can create a ServletExtension. Create a file META-INF\services\io.undertow.servlet.ServletExtension; in it there should be the fully qualified name of your extension. The extension must implement the io.undertow.servlet.ServletExtension interface. This extension may then create an io.undertow.server.handlers.IPAddressAccessControlHandler programmatically, configure it, and add it to the deployment's initial handler chain.
The above talked about adding a handler at the deployment level. To add a custom handler at the server level you need at least Wildfly 8.2. In the undertow subsystem in standalone.xml (or whatever config you use) you can add a handler (filter) like this (irrelevant configuration omitted):
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <filter-ref name="custom-filter" />
        </host>
    </server>
    <filters>
        <filter name="custom-filter" class-name="io.undertow.server.handlers.HttpTraceHandler" module="io.undertow.core" />
    </filters>
</subsystem>
Source. The handler must be in your static server module, not in a deployment. Inherit the IPAddressAccessControlHandler, configure it in your constructor or override its methods as you need, and point the config to your custom handler.
According to WFLY-4048, text-based handler configuration at the server level will be in Wildfly 10.
Upvotes: 3
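The ServletExtension route described in the answer above, as an added example that is not part of the original answer or of WildFly's own code. The package and class name `com.example.security.IpAclExtension` are assumptions; that fully qualified name is what goes in the META-INF/services/io.undertow.servlet.ServletExtension file.

```java
package com.example.security; // hypothetical package name

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;

import javax.servlet.ServletContext;

public class IpAclExtension implements ServletExtension {

    // Same rules as the undertow-handlers.conf line in the answer. Rules are
    // evaluated in order and the first match wins, so the single-host deny
    // has to come before the /24 allow that would otherwise cover it.
    private static final String[] ACL = { "10.0.0.1 deny", "10.0.0.0/24 allow" };

    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
            @Override
            public HttpHandler wrap(HttpHandler next) {
                // Fail closed: a peer that matches no rule is rejected (403 by default).
                // The handler checks the exchange's source address, so behind a
                // proxy it sees the proxy unless address forwarding is configured.
                IPAddressAccessControlHandler acl =
                        new IPAddressAccessControlHandler(next).setDefaultAllow(false);
                for (String rule : ACL) {
                    String[] parts = rule.trim().split("\\s+");
                    if (parts.length != 2) {
                        throw new IllegalArgumentException("Bad ACL rule: " + rule);
                    }
                    if ("allow".equals(parts[1])) {
                        acl.addAllow(parts[0]);
                    } else if ("deny".equals(parts[1])) {
                        acl.addDeny(parts[0]);
                    } else {
                        // Refuse to deploy on a typo rather than silently skipping a rule.
                        throw new IllegalArgumentException("Bad ACL action: " + rule);
                    }
                }
                return acl;
            }
        });
    }
}
```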
Reputation: 46
You can also implement the IP filter on JBOSS level by adding a filter-ref and expression filter as shown below:
<subsystem xmlns="urn:jboss:domain:undertow:3.0" statistics-enabled="true" instance-id="instanceid">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" max-connections="1200" write-timeout="600000" read-timeout="30000" allow-equals-in-cookie-value="true" record-request-start-time="true" socket-binding="ajp"/>
        <http-listener name="default" allow-equals-in-cookie-value="true" socket-binding="http"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <access-log suffix=".log" prefix="access" pattern="%a %h %{i,sm_user} %u %t %r %s %b %T"/>
            <filter-ref name="limit-connections"/>
            <filter-ref name="ipaccess"/>
            <single-sign-on/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <request-limit name="limit-connections" queue-size="100" max-concurrent-requests="1200"/>
        <expression-filter module="io.undertow.core" name="ipaccess" expression="ip-access-control[default-allow=false, acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]"/>
    </filters>
</subsystem>
Upvotes: 3