How to restrict access to WildFly web application by IP or Host?

This article will teach you how to create an Access Control List for your Web applications running on WildFly based on IP/Host address.

The procedure to apply differs depending on the version of the application server. We will first check how to do it with WildFly / JBoss EAP 7, which uses Undertow. Next, we will learn how to do it with JBoss AS 7 / EAP 6, which uses Tomcat.

Create an Access Control List with WildFly / EAP 7

There are multiple ways to configure an Access Control List for Web applications in WildFly. One option is to declare a filter in your undertow subsystem and then bind it to your host configuration with a filter-ref. See the following example:

<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <http-listener name="http-extra" socket-binding="http-extra" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>

            <!-- IP Filter: bind the "ip-acl" filter to requests for /webapp1 -->
            <filter-ref name="ip-acl" predicate="path-prefix('/webapp1')"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <!-- IP Filter: deny by default, allow only the listed addresses -->
        <expression-filter name="ip-acl" expression="ip-access-control(default-allow=false, acl={'127.0.0.1 allow', '192.168.10.1 allow'})"/>
    </filters>
</subsystem>

Each ACL entry is of the form {pattern} allow|deny, where {pattern} can be one of the following (both IPv4 and IPv6 are accepted):

  • An exact IP address (e.g. 192.168.0.1)
  • A wildcard IP address (e.g. 192.168.0.*)
  • A subnet in slash (CIDR) notation (e.g. 192.168.0.0/24)

If the client address matches no entry, the default-allow setting decides. By default it is false, so an unmatched client is denied.
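Added example, not code from the page, WildFly or Undertow: a small Python evaluator for the ip-access-control expression form used above, so you can check what a given ACL string will do to a client address before deploying it. It assumes first-match-wins evaluation and treats '*' as one whole address component; the EXPRESSION value is constructed, extending the page's two entries with a deny and a CIDR rule.

```python
import ipaddress
import re

# Constructed example in the same form as the page's expression-filter /
# undertow-handlers.conf line, with two extra entries to show deny and CIDR.
EXPRESSION = ("ip-access-control(default-allow=false, "
              "acl={'127.0.0.1 allow', '192.168.10.1 allow', "
              "'10.0.*.* deny', '10.0.0.0/8 allow'})")

def parse_expression(expr):
    """Extract default-allow and the acl entries from ip-access-control(...)."""
    m = re.fullmatch(r"\s*ip-access-control\((.*)\)\s*", expr, re.S)
    if not m:
        raise ValueError("not an ip-access-control expression")
    body = m.group(1)
    flag = re.search(r"default-allow\s*=\s*(true|false)", body)
    default_allow = flag is not None and flag.group(1) == "true"
    entries = re.findall(r"'([^']*)'", body)
    return default_allow, entries

def parse_entry(entry):
    """Split '<pattern> allow|deny' into (pattern, allowed)."""
    pattern, verdict = entry.rsplit(None, 1)
    if verdict not in ("allow", "deny"):
        raise ValueError(f"bad verdict in ACL entry: {entry!r}")
    return pattern, verdict == "allow"

def matches(pattern, addr):
    """Match the three pattern forms: exact, '*' wildcard, slash (CIDR)."""
    ip = ipaddress.ip_address(addr)  # rejects malformed client addresses
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if "*" in pattern:
        # Assumption: '*' stands for one whole octet (or IPv6 group); dots are literal.
        regex = "^" + re.escape(pattern).replace(r"\*", "[0-9a-fA-F]+") + "$"
        return re.match(regex, addr) is not None
    return ip == ipaddress.ip_address(pattern)

def is_allowed(addr, expr=EXPRESSION):
    """First matching entry wins (assumed to mirror Undertow); else default-allow."""
    default_allow, entries = parse_expression(expr)
    for entry in entries:
        pattern, allowed = parse_entry(entry)
        if matches(pattern, addr):
            return allowed
    return default_allow

if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.10.2", "10.0.5.6", "10.9.9.9", "::1"):
        print(client, "allow" if is_allowed(client) else "deny")
```

The real handler evaluates the connection's peer address, so behind a reverse proxy every client appears as the proxy unless the listener's proxy-address-forwarding is enabled; test the ACL with the addresses the server will actually see.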

In our example, we allowed access to the Web application “webapp1” only from the addresses 127.0.0.1 and 192.168.10.1. To apply the same filter to multiple Web applications, combine the path-prefix predicates with the or operator in the filter-ref:

<filter-ref name="ip-acl" predicate="path-prefix('/webapp1') or path-prefix('/webapp22')"/>

Finally, another option to create an ACL for a single Web application consists of declaring the handler in the application's own WEB-INF/undertow-handlers.conf file, so it ships with the deployment instead of the server configuration. Here is an example:

ip-access-control(default-allow=false, acl={'127.0.0.1 allow', '192.168.10.1 allow'})

You can learn more about Undertow ACLs in the official documentation.

Create an Access Control List with JBoss AS 7 / EAP 6

You can easily create an access control list based on the IP address or host name using Tomcat Valves. A Valve element represents a component that is inserted into the request processing pipeline for the associated Catalina container.

The Remote Address Filter lets you compare the IP address of the client that submitted the request against one or more regular expressions, and either allow the request to continue or refuse to process the request from this client. Because the allow and deny attributes are regular expressions, an unescaped dot matches any character; escape the dots (127\.0\.0\.1) when you need an exact address.
For example, to block all incoming requests except those from the local host:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" />

The Remote Host filter is much like the Remote Address Valve, except that it compares the resolved host name of the client that submitted the request instead of its IP address. A Remote Host filter can be associated with a Tomcat Engine, Host, or Context container. An example entry using org.apache.catalina.valves.RemoteHostValve is shown in the following snippet.

<Valve className="org.apache.catalina.valves.RemoteHostValve" deny="badhost*"/>

This valve entry denies access to the assigned container for any host whose name starts with badhost. If I assign this valve entry to the host container localhost, then all clients whose host name begins with badhost will see a 403 – Forbidden page.