
For security reasons, I need to restrict users to logging in to my server from designated computers only, but it is a BS architecture software, and I don't want to add a client agent to every client computer. So the only solution I can think of is using an IP whitelist at the server side, but what if a customer is using a dynamic IP? Is there any simple (not too much customization, no hardware) solution that can achieve my requirements?

My server is based on J2EE, using Apache HTTP Server and Tomcat, and supports the following authentication:

  • HTTP Basic authentication
  • SSL/TLS client authentication
  • HTTPS Client Authentication
  • Microsoft NTLM Authentication
  • Form-based Authentication
  • Security Assertion Markup Language (SAML) Authentication

Update to my question: If the customer can use a fixed IP address, how about using nginx as a reverse proxy, with an IP whitelist to deny user access from outside the safety zone? Let's say my server's URLs look like:

  • http://domainname:80/app/aproduct/xxx
  • http://domainname:80/app/bproduct/xx
  • http://domainname:80/app/secretproduct/x

How can I configure nginx to restrict user access to the secret product to the safety zone only? In other words, for URLs containing a specific string, only users from the safety zone can access them; otherwise, all users in the network can access.

Thanks in advance.

Tom
  • I think you need to use SSL/TLS client certificates. See https://stackoverflow.com/questions/1552345 – Stephen C Mar 06 '22 at 06:01
  • @StephenC Do you mean only the client computer which has the right certificate can log in? And I should disable all the other authentication (like HTTP Basic authentication and form-based authentication)? Thanks. – Tom Mar 07 '22 at 01:11
  • 1) Yes. 2) Probably keep the existing authentication. The client cert notionally authenticates the computer. The other auth authenticates the user; e.g. their user name and password. – Stephen C Mar 07 '22 at 01:40
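An example nginx reverse-proxy configuration for the restriction described in the question, which also folds in the client-certificate approach from the comments so that safety-zone computers on dynamic IPs are not locked out (added here as an illustration; it is not from the asker or the commenters). Assumptions, all constructed: the Apache/Tomcat backend listens on 127.0.0.1:8080, the safety zone is 10.20.0.0/24, the client computers' certificates are issued by the CA in /etc/nginx/safety-ca.pem, and the site is served over TLS on 443 because client certificates cannot be checked on plain port 80.

```nginx
# Added example, not from the question or comments. Assumptions (constructed):
# Tomcat/Apache backend on 127.0.0.1:8080, safety zone 10.20.0.0/24, client
# computers hold certificates issued by the CA in /etc/nginx/safety-ca.pem.
http {
    upstream backend { server 127.0.0.1:8080; }
    # 1 when the connecting address is inside the fixed-IP safety zone.
    geo $in_zone {
        default      0;
        10.20.0.0/24 1;
    }
    # 1 when the client presented a certificate that chains to safety-ca.pem
    # (covers safety-zone computers that sit behind a dynamic IP).
    map $ssl_client_verify $cert_ok {
        SUCCESS  1;
        default  0;
    }
    # The secret product is reachable when either condition holds.
    map "$in_zone$cert_ok" $secret_allowed {
        "00"     0;
        default  1;
    }
    server {
        listen 443 ssl;
        server_name domainname;
        ssl_certificate        /etc/nginx/server.crt;   # placeholder paths
        ssl_certificate_key    /etc/nginx/server.key;

        # Request a client certificate but keep serving clients without one;
        # the decision is made per location so the public products stay open.
        ssl_client_certificate /etc/nginx/safety-ca.pem;
        ssl_verify_client      optional;

        # Regex locations win over the prefix location below, so any path
        # containing /app/secretproduct/ is handled here.
        location ~ /app/secretproduct/ {
            if ($secret_allowed = 0) { return 403; }
            proxy_pass http://backend;
            proxy_set_header Host            $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # aproduct, bproduct and everything else under /app/: open to all.
        location /app/ {
            proxy_pass http://backend;
            proxy_set_header Host            $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

The `geo` block evaluates the TCP peer address, so if another proxy or load balancer sits in front of nginx, configure the `real_ip` module for that hop first or the whitelist will see the proxy's address rather than the user's. Drop the `map` on `$ssl_client_verify` (and the two `ssl_*_client` lines) if only the fixed-IP whitelist is wanted.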
