users@glassfish.java.net

Re: Glassfish gem - restricting access by IP or hostname

From: Vivek Pandey <Vivek.Pandey_at_Sun.COM>
Date: Fri, 09 Oct 2009 09:03:30 -0700

Hi Paul,

The domain.xml virtual-server facility is not exposed thru glassfish.yml
for a reason - it is meant to be used only with Glassfish web container
(servlet/ejb etc.). I know its bit confusing for the users all of this
will become much simpler when glassfish gem is implemented using
Glassfish embedded API. Infact you should avoid making changes to
domain.xml by yourself. glassfish.yml is the only contract that you
should go for.

Having said that, there are many users frontend glassfish gem with
apache or similar servers in production. I am not familiar with Sun Java
System Web Server specific mechanism but since we know pelple are using
with Apache/Squid etc. so it will work with Sun Web server as well. Here
are few links:

http://kenai.com/projects/jruby/pages/JRubyOnRailsWithGlassfishGem
http://blog.arungupta.me/2009/06/totd-84-using-apache-mod_proxy_balancer-to-load-balance-ruby-on-rails-running-on-glassfish/
http://blog.headius.com/2009/04/apache-jruby-rails-glassfish-easy.html

Let us know how it goes,

-vivek.

Paul Blair wrote:
> Hello Glassfish team --
>
> We are using the Glassfish gem with JRuby 1.3.1 and Rails 2.3.4,
> behind a Sun Java System Web Server acting as a reverse proxy. We have
> the web server handling all authentication and authorization, and we'd
> like to avoid having to reimplement this in the Rails app. So we'd
> like to set up a configuration whereby the only way to access the
> Rails app is through the web server.
>
> I don't see any options for this in glassfish.yml; however, I do see
> that Glassfish allows the virtual-server properties
>
> allowRemoteAddress
> denyRemoteAddress
> allowRemoteHost
> denyRemoteHost
>
> to be set in domain.xml. If I set one of these properties in
> $JRUBY_HOME/lib/ruby/gems/1.8/gems/glassfish-0.9.5-universal-java/domains/domain1/config/domain.xml,
> I can see it being carried over to the
> $RAILS_HOME/tmp/.glassfish/config/domain.xml file. However, none of
> them seem to have any effect.
>
> For example, if I have in the gem's domain.xml
>
> <virtual-server id="server"
> http-listeners="http-listener-1">
> <property
> value="${com.sun.aas.instanceRoot}/docroot" name="docroot"/>
> <property
> value="${com.sun.aas.instanceRoot}/logs/access" name="accesslog"/>
> <property value="false" name="sso-enabled"/>
> <property name="allowRemoteAddress"
> value="127.0.0.1"/>
> </virtual-server>
>
> I would expect this to be if anything overly restrictive, but I can
> still access the Rails app directly from my browser on an external
> host. I've tried the other properties with equal lack of success.
>
> The above domain.xml entry gets translated to the following entry in
> the domain.xml under $RAILS_HOME:
>
> <virtual-server id="server"
> docroot="[RAILS_HOME]/tmp/.glassfish/docroot"
> access-log="[RAILS_HOME]/tmp/.glassfish/logs/access"
> network-listeners="http-listener-1">
> <property name="allowRemoteAddress"
> value="127.0.0.1"></property>
> </virtual-server>
>
> Thanks for any help you can give.
>
> --
> Paul Blair
> pblair_at_cyrusinnovation.com <mailto:pblair_at_cyrusinnovation.com>
>
> Cyrus Innovation LLC
> 200 Varick, Suite 902
> New York, NY 10014
> phone: (212) 647-7186
> fax: (212) 591-6043
> http://cyrusinnovation.com
>
> ~~~~~~~~~~~~~~~~~
>
> Cyrus ranked #231 on the Inc 500 fastest growing companies:
> http://www.marketwire.com/press-release/Cyrus-Innovation-Llc-1029552.html
>
> ~~~~~~~~~~~~~~~~~
>
>
>
>
> --
> Paul Blair
> pblair_at_cyrusinnovation.com <mailto:pblair_at_cyrusinnovation.com>
>
> Cyrus Innovation LLC
> 200 Varick, Suite 902
> New York, NY 10014
> phone: (212) 647-7186
> fax: (212) 591-6043
> http://cyrusinnovation.com
>
> ~~~~~~~~~~~~~~~~~
>
> Cyrus ranked #231 on the Inc 500 fastest growing companies:
> http://www.marketwire.com/press-release/Cyrus-Innovation-Llc-1029552.html
>
> ~~~~~~~~~~~~~~~~~
>