Is there any way to restrict access by configuring in WildFly. I would like to know whether we can add a list of IPs that can only access the server? Is there any way to blacklist IPs in server level?
I am checking a feature like this: http://boseca.blogspot.in/2010/12/programmatically-addremove-ip-security.html
You can also implement the IP filter at the JBoss level by adding a filter-ref and an expression-filter as shown below:
<subsystem xmlns="urn:jboss:domain:undertow:3.0" statistics-enabled="true" instance-id="instanceid">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" max-connections="1200" write-timeout="600000" read-timeout="30000" allow-equals-in-cookie-value="true" record-request-start-time="true" socket-binding="ajp"/>
        <http-listener name="default" allow-equals-in-cookie-value="true" socket-binding="http"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <access-log suffix=".log" prefix="access" pattern="%a %h %{i,sm_user} %u %t %r %s %b %T"/>
            <filter-ref name="limit-connections"/>
            <filter-ref name="ipaccess"/>
            <single-sign-on/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <request-limit name="limit-connections" queue-size="100" max-concurrent-requests="1200"/>
        <expression-filter module="io.undertow.core" name="ipaccess" expression="ip-access-control[default-allow=false, acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]"/>
    </filters>
</subsystem>
If you're using Wildfly 8.2 (which contains Undertow 1.1.0), then you can configure IP access control via the undertow-handlers.conf file, which you put in a war's WEB-INF or a jar's META-INF folder.
You can do something like:
ip-access-control[default-allow=false, acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]
This can also be combined with predicates:
path-prefix[/internal] -> ip-access-control[acl={ '10.0.0.0/24 allow'}]
Source.
Alternatively (or if you use an earlier Wildfly version than 8.2) you can create a ServletExtension. Create a file META-INF\services\io.undertow.servlet.ServletExtension; in it there should be the fully qualified name of your extension. The extension must implement the io.undertow.servlet.ServletExtension interface. This extension then may create an io.undertow.server.handlers.IPAddressAccessControlHandler programmatically, configure it, and add it to the deployment's initial handler chain.
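Putting the ServletExtension steps above into code, as an added example that is not part of the answer (the package, the class name com.example.filter.IpAllowListExtension and the rule set are assumed; the ACL mirrors the expression shown earlier in this answer):

```java
// Example ServletExtension (added here, not from the answer) that registers an
// IPAddressAccessControlHandler in a deployment's initial handler chain.
// Assumed: Undertow's servlet API is on the compile classpath and this class is listed in
// META-INF/services/io.undertow.servlet.ServletExtension as
//   com.example.filter.IpAllowListExtension
package com.example.filter;

import javax.servlet.ServletContext;

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;

public class IpAllowListExtension implements ServletExtension {

    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        // Wrap the deployment's initial handler chain so the ACL is evaluated
        // before any servlet or filter in the deployment sees the request.
        deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
            @Override
            public HttpHandler wrap(HttpHandler next) {
                IPAddressAccessControlHandler acl = new IPAddressAccessControlHandler(next);
                // Same policy as ip-access-control[default-allow=false,
                // acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]: deny by default,
                // allow one subnet, and deny one host inside it. Rules are checked
                // in order and the first match wins, so the specific deny must be
                // added before the broader subnet allow.
                acl.setDefaultAllow(false);
                acl.addDeny("10.0.0.1");
                acl.addAllow("10.0.0.0/24");
                return acl;
            }
        });
    }
}
```

Rejected requests get Undertow's default 403 response from the handler, so a quick check of the rule set is a request from an address outside 10.0.0.0/24 against the deployment's access log.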
The above talked about adding a handler at the deployment level. To add a custom handler at the server level you need at least Wildfly 8.2. In the undertow subsystem in standalone.xml (or whatever config you use) you can add a handler (filter) like this (irrelevant configuration omitted):
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <filter-ref name="custom-filter"/>
        </host>
    </server>
    <filters>
        <filter name="custom-filter" module="io.undertow.core" class-name="io.undertow.server.handlers.HttpTraceHandler"/>
    </filters>
</subsystem>
Source. The handler must be in your static server module, not in a deployment. Inherit the IPAddressAccessControlHandler, configure it in your constructor or override its methods as you need, and point the config to your custom handler.
According to WFLY-4048, text-based handler configuration at the server level will be in Wildfly 10.