Question:

Is there a Wakanda way to:

  1. expose a Wakanda application only to a specific IP address or IP range
  2. validate a login request (custom login) against an IP address or IP range

Answer:

I will answer the questions one by one:

1-

This should be done using your OS's firewall (using iptables, for instance, if you are on Linux).

2-

If you restrict access to the app using the firewall, you might not need to do this. But if you really need to:

Today there is no good way to do this, because you can't disable the authentication REST API. The workaround I propose is as follows (but I don't think it will work if you are using Active Directory):

  • Add a custom request handler for authentication (/login) where you do something like:

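    function login(request, response) {
        // Address of the client that sent this request
        var ip = request.remoteAddress;

        // Refuse callers outside the allowed addresses before any login logic runs
        if (!isIPAuthorized(ip)) {
            response.statusCode = 403;
            return;
        }

        // Mark this session so the Login Listener knows the attempt came through this handler
        sessionStorage["login-request"] = true;
        try {
            /*
             * Your login code here
             * For instance you can use loginByPassword, createUserSession ..
             */
        } finally {
            // Always clear the flag, even if the login code throws
            sessionStorage["login-request"] = false;
        }
    }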
    
  • Inside your Login Listener you can check whether the login request came from your custom login function or not by checking the sessionStorage:

    // Reject any attempt that did not pass through the custom /login handler
    if (!sessionStorage["login-request"]) {
        return {
            "error": 1024,
            "errorMessage": "Unauthorized Login Attempt"
        };
    }
    

This way any login attempt using the default REST authentication API where IPs are not checked will be refused.
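
The answer above calls `isIPAuthorized(ip)` without defining it. The following is an added example, not code from the answer or from Wakanda, showing one way to write that check for single IPv4 addresses and CIDR ranges. It assumes `request.remoteAddress` is an IPv4 string (optionally in `::ffff:` mapped form); `ALLOWED_RANGES` and the helper names are hypothetical, and the addresses are constructed sample values.

```javascript
// Added example: fail-closed IPv4 allowlist check for the isIPAuthorized() call.
// ALLOWED_RANGES holds constructed sample values (documentation/private ranges).
var ALLOWED_RANGES = ["192.0.2.10", "10.20.0.0/16", "198.51.100.64/26"];

// Parse dotted-quad IPv4 into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
    if (typeof ip !== "string") { return null; }
    // Accept the IPv4-mapped IPv6 form ("::ffff:192.0.2.10") some stacks report.
    var m = /^(?:::ffff:)?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/i.exec(ip.trim());
    if (!m) { return null; }
    var value = 0;
    for (var i = 1; i <= 4; i++) {
        var octet = Number(m[i]);
        // Reject octets above 255 and leading zeros ("010" could be read as octal).
        if (octet > 255 || String(octet) !== m[i]) { return null; }
        value = value * 256 + octet;
    }
    return value;
}

// Parse "a.b.c.d" or "a.b.c.d/n" into {base, mask}; null if malformed.
function parseRange(range) {
    var parts = String(range).split("/");
    if (parts.length > 2) { return null; }
    var base = ipv4ToInt(parts[0]);
    if (base === null) { return null; }
    var bits = 32;
    if (parts.length === 2) {
        if (!/^\d{1,2}$/.test(parts[1])) { return null; }
        bits = Number(parts[1]);
        if (bits > 32) { return null; }
    }
    // /0 is special-cased because a 32-bit shift is a no-op in JavaScript.
    var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
    return { base: (base & mask) >>> 0, mask: mask };
}

// Fail closed: anything unparseable (IPv6 included) is refused.
function isIPAuthorized(ip, ranges) {
    var addr = ipv4ToInt(ip);
    if (addr === null) { return false; }
    return (ranges || ALLOWED_RANGES).some(function (r) {
        var parsed = parseRange(r);
        return parsed !== null && ((addr & parsed.mask) >>> 0) === parsed.base;
    });
}
```

If the server sits behind a reverse proxy, `request.remoteAddress` is the proxy's address, so the check only means something where the real client address is visible.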

Answer:

For the first question, enable Cross-origin resource sharing in the Project Settings file (Settings.waSettings), and define the list of domain names or IP addresses from which external pages are allowed to send data requests to the Wakanda Server via CORS. Multiple domain attributes can be added to create a white list.

Answer:

The best way to expose any application to a specific range of IP addresses (while blocking all others) is with a firewall; whether it be a software-based firewall (such as iptables or windows-firewall) or a hardware-based firewall (such as a Cisco ASA). Using a firewall completely alleviates the need for the second part of your question.
