How can I limit access to a deployed application on JBoss 7 to localhost only?

Question

I have an application that is split in to multiple deployable artefacts, one of which is a REST service, another which is a web interface to that REST interface, and so on. One customer is planning on deploying this in their DMZ and want to make sure that the REST interface can only be accessed by apps on the same box. Since the web app (and others) still need to be accessible, it's obviously not suitable to change the listening interface for JBoss.

I've tried adding virtual servers in jboss-web.xml, but this doesn't seem to be working. Another possibility seems to be using rewrite patterns in the domain.xml, but this doesn't seem very suitable to me, even if I can get it working. Ideally what I'd want is something specific to the deployable artefact that only allows access from localhost for that entire artefact.

Answer 1

I had similar requirement in one project, and virtual servers is IMHO only right way of doing that.

All you have to do is to add to standalone.xml/domain.xml :

  <virtual-server name="only-local">
            <alias name="localhost"/>
            <alias name="127.0.0.1"/>
  </virtual-server>

and then to application jboss-web.xml file:

<virtual-host>only-local</virtual-host>

Answer 2

I think you can use a Valve in your Context configuration for the application. Bsically you could use something like this:

<Context ...>
  <Valve className=”org.apache.catalina.valves.RemoteAddrValve” allow=”127.0.0.1″/>
...
</Context>

Further info can be found in the Tomcat config reference page for Valve.

Also this question got some examples that might be useful: Tomcat Valve settings

PS: This should work for JBoss as well.

Hope it helps.

Answer 3

You could configure a valve in the context.xml that someone already mentioned. An alternative to that is to have a different UI port. You make UI and REST APIs listen to different ports and switch on the firewall if you haven't already. You want to configure firewall rules such that REST API port can accept only from localhost or the loopback interface. The UI port should be more accepting to incoming requests.