Allowing REST URL within network, and blocking outside traffic - web-services

Assuming my REST API URL is
http://myshop.com/rest/api/product/1
I would like to have this return data only when calling it within the corporate network, everyone else should not get any result back.
Here are the use cases where they can/cannot be accessible
User accessing it from outside the network but using it via a JSF/CDI application deployed on JBoss Server. (Should be accessible)
User directly accessing the URL from inside the network (via rest client or directly typing the url in browser window) (Should be accessible)
User directly accessing the URL from outside the network (via rest client or directly typing the url in browser window) (Should NOT be accessible)
Thanks for taking a look.

I'd suggest getting the IP address from the request and then checking it against the permitted IPs or a subnet mask. How to get the IP address if you're using the JAX-RS API, you can find here: How to find out incoming RESTful request's IP using JAX-RS on Heroku?
Another option is, of course, to block incoming requests by firewall or by the server's settings.
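A sketch of the IP check suggested in the answer above, written as a JAX-RS request filter. This is an added example, not code from the original answer; the class name, the CIDR ranges and the javax.* (Java EE era) package names are assumptions.

```java
import java.net.InetAddress;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
public class InternalNetworkFilter implements ContainerRequestFilter {
    // Assumed corporate ranges plus loopback; replace with the real ones.
    // Calls made by the JSF/CDI app on the same JBoss host arrive from its own address.
    private static final String[] ALLOWED = {"10.0.0.0/8", "192.168.10.0/24", "127.0.0.1/32"};

    @Context
    private HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext ctx) {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy it is the proxy's
        // address; only honour X-Forwarded-For when the peer is a proxy you control.
        if (!isAllowed(request.getRemoteAddr())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    static boolean isAllowed(String remoteAddr) {
        // Null check first: InetAddress.getByName(null) would resolve to loopback.
        return remoteAddr != null
                && Arrays.stream(ALLOWED).anyMatch(cidr -> inCidr(remoteAddr, cidr));
    }

    static boolean inCidr(String addr, String cidr) {
        try {
            String[] parts = cidr.split("/");
            byte[] ip = InetAddress.getByName(addr).getAddress();
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            int prefix = Integer.parseInt(parts[1]);
            // Reject IPv4/IPv6 family mismatch and out-of-range prefix lengths.
            if (ip.length != net.length || prefix < 0 || prefix > net.length * 8) return false;
            for (int i = 0; i < ip.length; i++) {
                int bits = Math.min(8, prefix - i * 8); // prefix bits left in this byte
                if (bits <= 0) break;
                int mask = (0xFF << (8 - bits)) & 0xFF;
                if ((ip[i] & mask) != (net[i] & mask)) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed on anything that does not parse
        }
    }
}
```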

Related

SavonClient not able to access wsdl through proxy server

Context: I have to call an externalService, which lies outside the environments hosted by us on AWS-EC2. This externalService requires IP addresses to be whitelisted before accessing it. Since EC2 hosts' IP addresses are not guaranteed to be the same and can change while replacing hosts, we decided to route the API calls through a proxy-server.
We are doing the same for some other externalServices calls as well, but those are all REST based, so we have not faced any problems while calling their APIs using rest-client or net/http.
Now, this time it's a SOAP Service and we are using Savon to access it.
I am able to download the url using "curl" on proxy server host but if I access wsdl through proxy-server from SavonClient, it fails. It gives 403 forbidden error.
irb(main):102:0* client = Savon.client do |variable|
irb(main):103:1* variable.proxy 'http://172.31.50.91:3128'
irb(main):104:1> variable.wsdl 'https://<some_url_here>'
irb(main):105:1> end
=> #<Savon::Client:……>>>
irb(main):106:0>
irb(main):107:0* client.operations
Net::HTTPServerException: 403 "Forbidden"
For other services which do not require IP whitelisting SavonClient works, whether or not proxy-server address is provided.
Any help will be appreciated. I have been stuck here for long.
Thanks,

IP restriction for a folder of a web application, in IIS7

I have a web application, in which a web service resides in a folder. The whole web application can be accessed from anywhere, while the web service should only be accessed from certain IP addresses. I can't separate them and take the web service into another IIS web site, thus I need to restrict the access to the web service, while it resides in that web site. However, I have no limitation in creating virtual directories. What should I do? Can I do it at all?
To understand the scenario better, suppose that the domain of the website is www.sample.com, and every address on this website is accessible to all the Internet. For example, www.sample.com\path1 and www.sample.com\path2 are browsable by everyone and every IP address out there.
But the address of the web service www.sample.com\services\user.asmx should only be accessed from certain IP addresses, like 217.218.192.50 && 107.50.27.30 for example.
How can I achieve this configuration in IIS7?
OK, what a simple action it was.
Simply select the folder in IIS7, and from the right-hand side, select IP Address and Domain Restrictions (which, if it is not visible, must be reached via the Features View tab).
Now, you can allow or deny any single IP address, or a range of IP addresses, from seeing or not seeing your folder, and anything inside it.

Spring Web Services: Redirect Web Service Request

I have different Spring Web Services, which are included into the context by the Endpoint Annotation, so there are no dependencies despite the Annotation (no interface etc.). Therefore, no "context" information is present.
Now I want to chain a web service request, ie. an Endpoint is called which itself should call a web service on the same server. I can use Spring's WebServiceTemplate, however, I need the current server url for this request.
Is there any way how this url can be injected during application startup into the Endpoints? Since the Endpoints do not extend some class, there is no way to get this information anywhere inside the Endpoints, also the request parameters do not have this information (these are simple JAXB-classes, which are marshalled on request).
I believe the best option is to send the URL as part of the request.
This also enables you to dynamically change the URL to a third server later.

Does redirecting a web service URL have any effect on the web service?

Let's say a client gave me this URL to access a webservice to GetQuotes:
http://www.somecompany.com/services/myservice.asmx
If I tried to access the web service and I get redirected to:
http://new.location.somecompany.com/theservice.asmx
Will this affect the ASP.NET client calling this web service?
Where both service URLs have the exact same GetQuotes method.
[Edit]
The reason for this question is because we are trying to access a web server which keeps rerouting requests to different servers depending on the load.
In general a redirect shouldn't adversely affect your client (provided it handles HTTP responses correctly).
However if it's a 302 permanent redirect you might want to just update your link and save yourself the extra DNS request...
That can also be a common way for a company to provide an unchanging external link for a service while still being able to move their backend around.

Retrieve calling url in Java Webservice

We have a web service that is deployed on 2 separate machines in different locations. Is it possible to monitor the URL that a person used to call our webservice using Java code? We have a 3DNS URL set up and we want all clients to use this URL as opposed to hitting the boxes directly with the correct port numbers in the URL.
Thanks
Damien
Have you taken a look at:
@Resource
WebServiceContext wsContext;
This will return the context of the current message sent to your webservice. I've been able to get the IP address of the user from that.
This is assuming that you are using Java.
You might look into something like OWSM (Oracle Web Services Manager)... there may be open source alternatives.
OWSM creates a virtual endpoint that it handles and routes to the actual service hosts. This way, your service hosts can be hidden behind the firewall, with only the OWSM host visible to the world. When a user hits the virtual endpoint, OWSM can authenticate and pass them along to the balanced service host.
An alternative might be to use servlet filters on the real endpoints. The filter could do a couple of different things. It could simply log the requested URL from the HttpServletRequest, or it could even redirect to the correct URL for you (I'm not sure what the implications of that are for a web service, though).
All you would have to do is have the filter mapped to the same context path as the web service (axis uses /services/* for example).
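A sketch of the servlet-filter option described in the last answer, logging which URL each caller used and flagging calls that did not come in under the shared name. This is an added example, not code from the original answers; the class name and the host name ws.example.com (standing in for the 3DNS name) are assumptions, as is the javax.servlet 3.x API. The Host header is supplied by the client, so this serves monitoring and is not an access control.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

@WebFilter("/services/*") // same context path the web service is mapped to
public class CallingUrlFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(CallingUrlFilter.class.getName());
    // Placeholder for the shared (3DNS) host name clients are expected to use.
    private static final String EXPECTED_HOST = "ws.example.com";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // getServerName() reflects the Host header the client sent.
            String host = http.getServerName();
            String line = clean(http.getRemoteAddr()) + " -> "
                    + clean(http.getRequestURL().toString());
            if (EXPECTED_HOST.equalsIgnoreCase(host)) {
                LOG.fine(line);
            } else {
                LOG.warning("direct call bypassing " + EXPECTED_HOST + ": " + line);
            }
        }
        chain.doFilter(req, res); // always pass the request on; this filter only observes
    }

    // Request data is attacker-controlled: strip CR/LF so it cannot forge log lines.
    static String clean(String s) {
        return s == null ? "" : s.replaceAll("[\\r\\n]", "_");
    }
}
```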