Verifying if request source comes from Internet or Intranet

Submitted by 扶醉桌前 on 2020-01-06 04:12:12

Question


I have an application running on the Internet which also contains an admin module. I don't want to let the user access my admin module on the Internet. I want requests coming from the intranet to be able to access the admin module. Is there any way to control this without developing a new application which serves the admin component?


Answer 1:


If you are using servlets, you could add a filter and analyze the client IP address (see this question).
Be aware that there is no guarantee you will determine the correct address by any means.
A better approach would be combining this approach with some sort of authentication (user/password, client certificate, etc).

If possible, a separate application would also be better. This way you can simplify your deployment process (application running in a different port, etc) and make it easier to scale, since it is very likely that your administration and your regular application load, security, availability, etc, have different requirements.




Answer 2:


I am not sure if this will work in your situation, but if the admin module accepts connections at a specific port, you could try to shut down this port on your router/gateway (or whatever you use to connect the intranet with the internet) settings, hence not allowing anyone from the outside to access the module.




Answer 3:


The easiest way to accomplish this from a portable Java perspective would be to create a filter that checks the IP address and the requested URL. If the URL is part of the admin module and the IP is internal, then you continue the chain. Otherwise you redirect or abort.

That being said, WebLogic may have other techniques to accomplish this as well. However, seeing that you are running this on a WebLogic server, I will assume that this is an enterprise-class application. In which case, you may want to consider building it as a separate module for security purposes and for load balancing. As you have more and more users access your application, you will need to have more servers to handle the load. However, you will not likely need the same capacity for the admin module. Consequently, hosting the admin module as its own app will allow you to host it on one internal App Server while the application itself gets spread across a larger farm.

Finally, keep in mind that it is fairly easy to spoof IP addresses, so unless you have some other form of authentication (ex: username/pwd, SSL certificate exchange, etc), you are opening your application to some significant security holes.

Just something to think about when making your architectural decision.
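
The filter approach described in Answers 1 and 3, as an added example that is not part of the original answers. It assumes a Servlet 3.0+ container (`javax.servlet`), a hypothetical admin path `/admin/*`, and an application server that sees the client's socket address directly.

```java
import java.io.IOException;
import java.net.Inet6Address;
import java.net.InetAddress;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Added example: "/admin/*" is an assumed path for the admin module.
// Mapping by url-pattern leaves URL matching to the container, not string checks.
@WebFilter("/admin/*")
public class IntranetOnlyFilter implements Filter {

    /** True for loopback, RFC 1918 IPv4 and IPv6 unique-local (fc00::/7) addresses. */
    static boolean isInternal(String remoteAddr) {
        // InetAddress.getByName(null or "") returns loopback, so reject those first.
        if (remoteAddr == null || remoteAddr.isEmpty()) return false;
        try {
            // getRemoteAddr() yields an IP literal, so no DNS lookup happens here.
            InetAddress addr = InetAddress.getByName(remoteAddr);
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()) return true;
            // isSiteLocalAddress() does not cover IPv6 unique-local addresses.
            return addr instanceof Inet6Address
                    && (addr.getAddress()[0] & 0xfe) == 0xfc;
        } catch (Exception e) {
            return false; // unparseable address: fail closed
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Socket peer address only. Behind a reverse proxy this is the proxy's
        // address; X-Forwarded-For is client-controlled and is not consulted.
        if (isInternal(req.getRemoteAddr())) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

If the server sits behind a reverse proxy or load balancer, every request arrives from the proxy's internal address and this check passes for all of them; in that case enforce the restriction at the proxy. Either way, the filter complements the authentication the answers recommend and does not replace it.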




Answer 4:


What's the underlying web server? If Apache, use an .htaccess rule.

http://www.javascriptkit.com/howto/htaccess5.shtml



Source: https://stackoverflow.com/questions/11327219/verifying-if-request-source-comes-from-internet-or-intranet
