users@glassfish.java.net

Glassfish gem - restricting access by IP or hostname

From: Paul Blair <pblair_at_cyrusinnovation.com>
Date: Fri, 9 Oct 2009 11:15:27 -0400

Hello Glassfish team --

We are using the Glassfish gem with JRuby 1.3.1 and Rails 2.3.4, behind a
Sun Java System Web Server acting as a reverse proxy. We have the web server
handling all authentication and authorization, and we'd like to avoid having
to reimplement this in the Rails app. So we'd like to set up a configuration
whereby the only way to access the Rails app is through the web server.

I don't see any options for this in glassfish.yml; however, I do see that
Glassfish allows the virtual-server properties

allowRemoteAddress
denyRemoteAddress
allowRemoteHost
denyRemoteHost

to be set in domain.xml. If I set one of these properties in
$JRUBY_HOME/lib/ruby/gems/1.8/gems/glassfish-0.9.5-universal-java/domains/domain1/config/domain.xml,
I can see it being carried over to the
$RAILS_HOME/tmp/.glassfish/config/domain.xml file. However, none of them
seem to have any effect.

For example, if I have in the gem's domain.xml

    <virtual-server id="server" http-listeners="http-listener-1">
        <property value="${com.sun.aas.instanceRoot}/docroot" name="docroot"/>
        <property value="${com.sun.aas.instanceRoot}/logs/access" name="accesslog"/>
        <property value="false" name="sso-enabled"/>
        <property name="allowRemoteAddress" value="127.0.0.1"/>
    </virtual-server>

I would expect this to be, if anything, overly restrictive, but I can still
access the Rails app directly from my browser on an external host. I've
tried the other properties with equal lack of success.

The above domain.xml entry gets translated to the following entry in the
domain.xml under $RAILS_HOME:

    <virtual-server id="server"
                    docroot="[RAILS_HOME]/tmp/.glassfish/docroot"
                    access-log="[RAILS_HOME]/tmp/.glassfish/logs/access"
                    network-listeners="http-listener-1">
        <property name="allowRemoteAddress" value="127.0.0.1"></property>
    </virtual-server>

Thanks for any help you can give.

-- 
Paul Blair
pblair_at_cyrusinnovation.com
Cyrus Innovation LLC
200 Varick, Suite 902
New York, NY 10014
phone: (212) 647-7186
fax: (212) 591-6043
http://cyrusinnovation.com
~~~~~~~~~~~~~~~~~
Cyrus ranked #231 on the Inc 500 fastest growing companies:
http://www.marketwire.com/press-release/Cyrus-Innovation-Llc-1029552.html
~~~~~~~~~~~~~~~~~
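
An application-layer way to enforce the requirement described above, as an added example that is not part of the original message and is not Glassfish gem code: a Rack-style middleware (Rails 2.3 accepts Rack middleware) that admits a request only when its socket peer is an allowlisted address such as the reverse proxy. The class name and the sample addresses are assumptions.

```ruby
require 'ipaddr'

# Hypothetical Rack-style middleware: reject any request whose TCP peer is
# not on the allowlist (for example, the reverse proxy's address).
class PeerAddressAllowlist
  FORBIDDEN = [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]].freeze

  # allowed: addresses or CIDR ranges, e.g. ['127.0.0.1', '10.0.0.0/24']
  def initialize(app, allowed)
    @app = app
    @allowed = allowed.map { |entry| IPAddr.new(entry) }
  end

  def call(env)
    permitted?(env['REMOTE_ADDR']) ? @app.call(env) : FORBIDDEN
  end

  # Decide on the socket peer only. X-Forwarded-For is supplied by the
  # client and must not widen access for a request that bypassed the proxy.
  def permitted?(remote_addr)
    return false unless remote_addr.is_a?(String) && !remote_addr.empty?
    peer = IPAddr.new(remote_addr).native   # ::ffff:127.0.0.1 -> 127.0.0.1
    @allowed.any? { |range| range.include?(peer) }
  rescue ArgumentError
    false  # unparsable peer address: fail closed
  end
end
```

A network-level control (firewall rule or a listener reachable only from the proxy) remains the stronger boundary; this check is a second layer inside the app.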