
Thread: Getting the client's IP

  1. #1

    Getting the client's IP

    Hi,
    I'm using (the wonderful) Spring WS + Acegi to build web services.
    Before serving requests, I need to check that the client's IP is among a list of authorized IPs for that client.
    I'm thinking about putting this behaviour in an endpoint interceptor and attaching it to the message dispatcher (probably after the ws-security interceptor so that I can use the user account loaded by acegi).
    My question is: how can I get the client's IP address?

  2. #2

    Interesting. I think the best way to implement this type of security is to do it at the HTTP layer, since that is where you have access to the IP address. So instead of implementing an EndpointInterceptor, I would implement a HandlerInterceptor, and put that in the EndpointInterceptorChain before the MessageDispatcher.

    However, if you need to return a SOAP fault as a response to illegal access, it becomes a different matter.
    Arjen Poutsma

    Spring Web Services Dev Lead
    Please read the FAQ

  3. #3

    Thank you for the information.
    As a matter of fact, I do need to return a SOAP fault; something similar to what is returned by the ws-security interceptor, just to keep the behaviour of the web service coherent from the clients' point of view.
    What I'm thinking about is getting the IP of the client in a HandlerInterceptor, sticking it in a ThreadLocal and then getting it later in the chain in an EndpointInterceptor using Spring's injection, and then performing the IP security control.
    Will it work that way?
    Anyhow, I thought it'd be a useful feature to get the IP of the client in the Spring WS layer. What do you think about it?

  4. #4

    Quote Originally Posted by tareq
    Thank you for the information.
    As a matter of fact, I do need to return a SOAP fault; something similar to what is returned by the ws-security interceptor, just to keep the behaviour of the web service coherent from the clients' point of view.
    What I'm thinking about is getting the IP of the client in a HandlerInterceptor, sticking it in a ThreadLocal and then getting it later in the chain in an EndpointInterceptor using Spring's injection, and then performing the IP security control.
    Will it work that way?
    That can work. I'm not a great fan of ThreadLocals, but this seems to be a legit use. Be sure to reset the tl to null when you're done!

    You could also use the nightly builds code, where the TransportRequest is now a property of the MessageContext. You can cast this to an HttpTransportRequest, which contains the HttpServletRequest you are looking for.

    Cheers,

    A
    Arjen Poutsma

    Spring Web Services Dev Lead
    Please read the FAQ
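
The ThreadLocal hand-off discussed in posts #3 and #4, as an added example that is not part of the original thread and is not Spring WS code: plain Java in which `handle` stands in for the HTTP-layer HandlerInterceptor and `isAuthorized` for the later EndpointInterceptor check. The class, field and account names are hypothetical, and the addresses are constructed samples from the documentation ranges.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ClientIpCheckDemo {
    // Holder the HTTP layer fills and the SOAP layer reads (hypothetical name).
    static final ThreadLocal<String> CLIENT_IP = new ThreadLocal<>();

    // Constructed sample data: authorized source addresses per account.
    static final Map<String, Set<String>> ALLOWED = Map.of(
            "acme", Set.of("192.0.2.10", "192.0.2.11"),
            "globex", Set.of("198.51.100.7"));

    // SOAP layer: runs after authentication, so the account name is known.
    // Fails closed when the holder is empty or the account has no list.
    static boolean isAuthorized(String account) {
        String ip = CLIENT_IP.get();
        return ip != null && ALLOWED.getOrDefault(account, Set.of()).contains(ip);
    }

    // HTTP layer: remoteAddr stands in for HttpServletRequest.getRemoteAddr(),
    // which is the TCP peer (the proxy's address behind a reverse proxy).
    static String handle(String remoteAddr, String account) {
        CLIENT_IP.set(remoteAddr);
        try {
            return isAuthorized(account) ? "response" : "SOAP fault: address not authorized";
        } finally {
            CLIENT_IP.remove(); // pooled threads are reused: never leave the IP behind
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one reused worker
        System.out.println(pool.submit(() -> handle("192.0.2.10", "acme")).get());
        System.out.println(pool.submit(() -> handle("203.0.113.5", "acme")).get());
        // Same worker, no HTTP layer in front: holder must be empty, check must fail.
        System.out.println(pool.submit(() -> isAuthorized("acme")).get());
        pool.shutdown();
    }
}
```

Clearing the holder in `finally` is what keeps a reused worker thread from authorizing a later request with the previous caller's address.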

  5. #5

    I'll check that out. I also thought about using the new bean scopes in Spring 2 (request scope).
    For the thread locals, I'm using Spring's target sources so no worries!
    I may also consider performing the check at the service layer (with an interceptor, similar to the authorization control in the airline example) in order to have the same behaviour if ever we decide to expose the services through other technologies.
    Thanks again.

  6. #6

    session context

    Following this thread, I am wanting to put something into a session context from an endpoint, but I can't see how I get the messageContext information from within an AbstractMarshallingPayloadEndpoint implementation. It seems like invoke can get it, but only invokeInternal can be overridden.
    Can anyone tell me how I can get it?
    Last edited by farrellr; Sep 6th, 2006 at 02:57 PM.

  7. #7

    You cannot access the MessageContext from an AbstractMarshallingPayloadEndpoint. Like the name says, this endpoint focusses on the payload of the message, not the entire message. In general, the best place to access the message context is in an EndpointInterceptor.

    Or, if you really want to access it in the endpoint, you can write your own implementation of MessageEndpoint. The functionality from AbstractMarshallingPayloadEndpoint is mostly just convenience, it's not that hard to replicate.
    Arjen Poutsma

    Spring Web Services Dev Lead
    Please read the FAQ

  8. #8

    thanks

    Thanks Arjen,
    That makes sense,
    I would create a new messageEndpoint implementation, however when I import org.springframework.ws.context.MessageContext;
    it seems MessageContext has getResponse, hasResponse, and sendResponse.
    I guess sendResponse is probably what I want, but the syntax has changed from the syntax used in the AbstractMarshallingPayloadEndpoint I was referring to for createResponse.
    Can you tell me the correct syntax to create a response now?
    If it is sendResponse, that takes TransportResponse as an argument, and I don't know where that comes from. I'm using the nightly build from 8/26.
    Can you advise?
    Thanks again
    Last edited by farrellr; Sep 6th, 2006 at 04:01 PM.

  9. #9

    thanks Arjen

    Thanks for releasing the M2 update Arjen. The code for the AbstractMarshallingPayloadEndpoint should put me on the right track now.
    Good Stuff - Thanks Again.

  10. #10

    Quote Originally Posted by Arjen Poutsma
    Interesting. I think the best way to implement this type of security is to do it at the HTTP layer, since that is where you have access to the IP address. So instead of implementing an EndpointInterceptor, I would implement a HandlerInterceptor, and put that in the EndpointInterceptorChain before the MessageDispatcher.

    However, if you need to return a SOAP fault as a response to illegal access, it becomes a different matter.
    How would one get the client IP in the PayloadRoot method? With XFire I was doing XFireServletController.getRequest().getRemoteAddr();
