Replies: 7 - Last Post: Oct 13, 2009 7:27 AM by: Paul Blair
Glassfish gem - restricting access by IP or hostname
Posted:
Oct 9, 2009 8:15 AM
in response to: Guest
Hello Glassfish team --
We are using the Glassfish gem with JRuby 1.3.1 and Rails 2.3.4, behind a Sun Java System Web Server acting as a reverse proxy. We have the web server handling all authentication and authorization, and we'd like to avoid having to reimplement this in the Rails app. So we'd like to set up a configuration whereby the only way to access the Rails app is through the web server.
I don't see any options for this in glassfish.yml; however, I do see that Glassfish allows the virtual-server properties
    allowRemoteAddress
    denyRemoteAddress
    allowRemoteHost
    denyRemoteHost
to be set in domain.xml. If I set one of these properties in $JRUBY_HOME/lib/ruby/gems/1.8/gems/glassfish-0.9.5-universal-java/domains/domain1/config/domain.xml, I can see it being carried over to the $RAILS_HOME/tmp/.glassfish/config/domain.xml file. However, none of them seem to have any effect.
For example, if I have in the gem's domain.xml
    <virtual-server id="server" http-listeners="http-listener-1">
        <property value="${com.sun.aas.instanceRoot}/docroot" name="docroot"/>
        <property value="${com.sun.aas.instanceRoot}/logs/access" name="accesslog"/>
        <property value="false" name="sso-enabled"/>
        <property name="allowRemoteAddress" value="127.0.0.1"/>
    </virtual-server>
I would expect this to be if anything overly restrictive, but I can still access the Rails app directly from my browser on an external host. I've tried the other properties with equal lack of success.
The above domain.xml entry gets translated to the following entry in the domain.xml under $RAILS_HOME:
    <virtual-server id="server"
                    docroot="[RAILS_HOME]/tmp/.glassfish/docroot"
                    access-log="[RAILS_HOME]/tmp/.glassfish/logs/access"
                    network-listeners="http-listener-1">
        <property name="allowRemoteAddress" value="127.0.0.1"></property>
    </virtual-server>
Thanks for any help you can give.
-- Paul Blair pblair@cyrusinnovation.com
Cyrus Innovation LLC 200 Varick, Suite 902 New York, NY 10014 phone: (212) 647-7186 fax: (212) 591-6043 http://cyrusinnovation.com
~~~~~~~~~~~~~~~~~
Cyrus ranked #231 on the Inc 500 fastest growing companies: http://www.marketwire.com/press-release/Cyrus-Innovation-Llc-1029552.html
~~~~~~~~~~~~~~~~~
Re: Glassfish gem - restricting access by IP or hostname
Posted:
Oct 9, 2009 9:03 AM
in response to: Paul Blair
Hi Paul,
The domain.xml virtual-server facility is not exposed through glassfish.yml for a reason - it is meant to be used only with the Glassfish web container (servlet/ejb etc.). I know it's a bit confusing for users; all of this will become much simpler when the glassfish gem is implemented using the Glassfish embedded API. In fact, you should avoid making changes to domain.xml yourself. glassfish.yml is the only contract that you should go for.
Having said that, there are many users who front-end the glassfish gem with Apache or similar servers in production. I am not familiar with the Sun Java System Web Server specific mechanism, but since we know people are using it with Apache/Squid etc., it will work with Sun Web Server as well. Here are a few links:
http://kenai.com/projects/jruby/pages/JRubyOnRailsWithGlassfishGem
http://blog.arungupta.me/2009/06/totd-84-using-apache-mod_proxy_balancer-to-load-balance-ruby-on-rails-running-on-glassfish/
http://blog.headius.com/2009/04/apache-jruby-rails-glassfish-easy.html
Let us know how it goes,
-vivek.
Re: Glassfish gem - restricting access by IP or hostname
Posted:
Oct 9, 2009 1:07 PM
in response to: Vivek Pandey
Thanks for the quick reply. I should have mentioned that we're having no problems setting up the web server as a front end to Rails on Glassfish. The only issue is in restricting access to Glassfish so that it can only be accessed via the proxy. E.g., if I have Glassfish running on port 3442, I don't want my users circumventing my web server and accessing the app by calling URLs on port 3442 directly.
Am I correct in concluding that the Glassfish gem does not currently support allowing/denying access based on IP or host? I don't see anything on that topic in the resources you referenced. Is there a way that this can be done in glassfish.yml?
Thanks,
Paul
Re: Glassfish gem - restricting access by IP or hostname
Posted:
Oct 9, 2009 1:39 PM
in response to: Paul Blair
Hi,
I have always found it better to restrict the listeners (http-listener-1 and http-listener-2) to 127.0.0.1 and let Apache listen on the main incoming IP address and then proxy the appropriate requests across.
As far as I know there is no functionality matching your requirements in glassfish, although you could easily achieve what you want in Apache.
Also, don't forget about the other ports such as 4848 and the RMI ports. These are all open as well and you will need to decide what address they should be listening to. In development I tend to leave them open on the main IP, but in production I restrict all these to 127.0.0.1 and use ssh and X-Forwarding to access the console, etc.
Glassfish is really developer friendly in being like this out of the box, but sometimes I wish it was more restrictive so I don't have to hunt for all the ports that should be blocked or restricted to localhost when I install it.
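A way to confirm from the running host which listeners are actually reachable beyond loopback, rather than trusting domain.xml (an added example, not part of the thread and not Glassfish code). It assumes the input is the text of `ss -ltn` run on the application host; the sample below is constructed, with 3442 and 4848 taken from the thread and the remaining ports and the 192.0.2.10 address invented for illustration.

```ruby
require 'ipaddr'

# Constructed sample of `ss -ltn` output (not captured from a real host).
# 3442 and 4848 are the ports named in the thread; 8686, 3700 and the
# documentation address 192.0.2.10 are stand-ins invented for this example.
SAMPLE_SS = <<~OUT
  State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
  LISTEN 0      50     127.0.0.1:3442      0.0.0.0:*
  LISTEN 0      50     *:4848              *:*
  LISTEN 0      128    192.0.2.10:80       0.0.0.0:*
  LISTEN 0      50     [::1]:8686          [::]:*
  LISTEN 0      128    [::]:3700           [::]:*
OUT

# Bind addresses that mean "every interface".
WILDCARDS = ['*', '0.0.0.0', '::'].freeze

# Split ss's "addr:port" field into [address, port]. Handles [v6]:port
# and the %interface suffix ss appends to scoped addresses.
def split_local(field)
  addr, _, port = field.rpartition(':')
  addr = addr.delete('[]').sub(/%.*\z/, '')
  [addr, Integer(port)]
end

# Return one hash per LISTEN row; the header and other rows are skipped.
def parse_listeners(ss_output)
  ss_output.each_line.filter_map do |line|
    cols = line.split
    next unless cols[0] == 'LISTEN' && cols.size >= 5
    addr, port = split_local(cols[3])
    { address: addr, port: port }
  end
end

def loopback?(addr)
  return false if WILDCARDS.include?(addr)
  IPAddr.new(addr).loopback?
rescue IPAddr::InvalidAddressError
  false # unparseable bind address: treat it as exposed
end

# Listeners reachable from other hosts, minus ports that are meant to be
# public (for example the reverse proxy's own port).
def exposed_listeners(ss_output, allowed_ports: [])
  parse_listeners(ss_output).reject do |l|
    loopback?(l[:address]) || allowed_ports.include?(l[:port])
  end
end

if __FILE__ == $PROGRAM_NAME
  exposed_listeners(SAMPLE_SS, allowed_ports: [80]).each do |l|
    puts "exposed beyond loopback: #{l[:address]}:#{l[:port]}"
  end
end
```

Any port this reports that is not the proxy's own should either be rebound to 127.0.0.1 or blocked by a host firewall.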
Re: Glassfish gem - restricting access by IP or hostname
Posted:
Oct 9, 2009 1:59 PM
in response to: arshadm
On Fri, Oct 9, 2009 at 4:39 PM, <glassfish@javadesktop.org> wrote:
> have always found it better to restrict the listeners (http-listener-1 and
> http-listener-2) to 127.0.0.1 and let Apache listen on the main incoming
> IP address and then proxy the appropriate requests across.
This is exactly what I'm trying to do. Do you know of a way to do this with the Glassfish JRuby gem?
> Also, don't forget about the other ports such as 4848 and the RMI ports.
> These are all open as well
From what I can tell, these are not open when Glassfish is running as a gem, even though the domain.xml file makes it look like they're open.
Re: Glassfish gem - restricting access by IP or hostname
Posted:
Oct 9, 2009 2:35 PM
in response to: Paul Blair
Paul Blair wrote:
> Thanks for the quick reply. I should have mentioned that we're having
> no problems setting up the web server as a front end to Rails on
> Glassfish. The only issue is in restricting access to Glassfish so
> that it can only be accessed via the proxy. E.g., if I have Glassfish
> running on port 3442, I don't want my users circumventing my web
> server and accessing the app by calling URLs on port 3442 directly.
>
> Am I correct in concluding that the Glassfish gem does not currently
> support allowing/denying access based on IP or host? I don't see
> anything on that topic in the resources you referenced. Is there a way
> that this can be done in glassfish.yml?
Sorry, I thought it was about issues with the reverse proxy. I understand what you are trying to do. No, this is currently not possible with the glassfish gem or in the jruby container in the glassfish v3 server. Can you report a bug at glassfish gem at rubyforge or https://glassfish.dev.java.net/servlets/ProjectIssues? A fix should be in order shortly.
thanks,
-vivek.
Re: Glassfish gem - restricting access by IP or hostname
Posted:
Oct 13, 2009 7:27 AM
in response to: Vivek Pandey
FYI, this is issue number 10156 on the issues list at glassfish.dev.java.net.
Thanks!
Paul