users@glassfish.java.net

Re: Glassfish gem - restricting access by IP or hostname

From: Paul Blair <pblair_at_cyrusinnovation.com>
Date: Fri, 9 Oct 2009 16:07:06 -0400

Thanks for the quick reply. I should have mentioned that we're having no
problems setting up the web server as a front end to Rails on Glassfish. The
only issue is in restricting access to Glassfish so that it can only be
accessed via the proxy. E.g., if I have Glassfish running on port 3442, I
don't want my users circumventing my web server and accessing the app by
calling URLs on port 3442 directly.

Am I correct in concluding that the Glassfish gem does not currently support
allowing/denying access based on IP or host? I don't see anything on that
topic in the resources you referenced. Is there a way that this can be done
in glassfish.yml?

Thanks,

Paul

On Fri, Oct 9, 2009 at 12:03 PM, Vivek Pandey <Vivek.Pandey_at_sun.com> wrote:

> Hi Paul,
>
> The domain.xml virtual-server facility is not exposed through glassfish.yml
> for a reason - it is meant to be used only with the Glassfish web container
> (servlet/ejb etc.). I know it's a bit confusing for the users; all of this will
> become much simpler when the glassfish gem is implemented using the Glassfish
> embedded API. In fact, you should avoid making changes to domain.xml by
> yourself. glassfish.yml is the only contract that you should go for.
>
> Having said that, there are many users who front-end the glassfish gem with
> Apache or similar servers in production. I am not familiar with the Sun Java
> System Web Server specific mechanism, but since we know people are using it
> with Apache/Squid etc., it will work with Sun Web Server as well. Here are a few
> links:
>
> http://kenai.com/projects/jruby/pages/JRubyOnRailsWithGlassfishGem
>
> http://blog.arungupta.me/2009/06/totd-84-using-apache-mod_proxy_balancer-to-load-balance-ruby-on-rails-running-on-glassfish/
> http://blog.headius.com/2009/04/apache-jruby-rails-glassfish-easy.html
>
> Let us know how it goes,
>
> -vivek.
>
> Paul Blair wrote:
>
>> Hello Glassfish team --
>>
>> We are using the Glassfish gem with JRuby 1.3.1 and Rails 2.3.4, behind a
>> Sun Java System Web Server acting as a reverse proxy. We have the web server
>> handling all authentication and authorization, and we'd like to avoid having
>> to reimplement this in the Rails app. So we'd like to set up a configuration
>> whereby the only way to access the Rails app is through the web server.
>>
>> I don't see any options for this in glassfish.yml; however, I do see that
>> Glassfish allows the virtual-server properties
>>
>> allowRemoteAddress
>> denyRemoteAddress
>> allowRemoteHost
>> denyRemoteHost
>>
>> to be set in domain.xml. If I set one of these properties in
>> $JRUBY_HOME/lib/ruby/gems/1.8/gems/glassfish-0.9.5-universal-java/domains/domain1/config/domain.xml,
>> I can see it being carried over to the
>> $RAILS_HOME/tmp/.glassfish/config/domain.xml file. However, none of them
>> seem to have any effect.
>>
>> For example, if I have in the gem's domain.xml
>>
>> <virtual-server id="server" http-listeners="http-listener-1">
>>   <property value="${com.sun.aas.instanceRoot}/docroot" name="docroot"/>
>>   <property value="${com.sun.aas.instanceRoot}/logs/access" name="accesslog"/>
>>   <property value="false" name="sso-enabled"/>
>>   <property name="allowRemoteAddress" value="127.0.0.1"/>
>> </virtual-server>
>>
>> I would expect this to be if anything overly restrictive, but I can still
>> access the Rails app directly from my browser on an external host. I've
>> tried the other properties with equal lack of success.
>>
>> The above domain.xml entry gets translated to the following entry in the
>> domain.xml under $RAILS_HOME:
>>
>> <virtual-server id="server"
>>     docroot="[RAILS_HOME]/tmp/.glassfish/docroot"
>>     access-log="[RAILS_HOME]/tmp/.glassfish/logs/access"
>>     network-listeners="http-listener-1">
>>   <property name="allowRemoteAddress" value="127.0.0.1"></property>
>> </virtual-server>
>>
>> Thanks for any help you can give.
>>
>>
-- 
Paul Blair
pblair_at_cyrusinnovation.com
Cyrus Innovation LLC
200 Varick, Suite 902
New York, NY 10014
phone: (212) 647-7186
fax: (212) 591-6043
http://cyrusinnovation.com