How to be sure only authorized client apps can perform calls on app-core.jar

I’m using Cuba 7.1.1
I'm building 2 uber jars, app and app-core

I want to deploy app.jar on a server and app-core.jar on another server. Servers are in 2 separate sub-networks.

I wonder about "how to be sure only authorized client apps can perform calls on app-core.jar".

I saw cuba.trustedClientPermittedIpList which allows to restrict the IPs of the caller but I would like to know if there is a way to secure the callers via a key/token.

For REST calls performed on front, there are

Other information: between my front and my back servers, there is an apache reverse proxy.
In this use case,

  • The IP checked against “cuba.trustedClientPermittedIpList” is the apache reverse proxy IP.
  • I think Cuba doesn’t check X-Forwarded-For value

Regards, Guillaume

Hi Guillaume,

When clients invoke middleware services, each invocation contains the user session id which effectively plays the role of a token. If the passed id doesn’t match any session known to the server, an exception is thrown.

The user session id is generated when the user logs in, and this procedure requires either a login/password of a user or a login with cuba.trustedClientPassword. In the latter case, the client IP must also be in cuba.trustedClientPermittedIpList.

So to successfully call the server, a client must either know some user session id currently cached by the server, or a user login together with his/her password or cuba.trustedClientPassword to get a new user session by logging in.

As for X-Forwarded-For for checking client address, you are right - it’s ignored now. Thank you for the report, I’ve created an issue.


If you are using the UberJar deployment behind the proxy you should create a custom jetty.xml file and add the ForwardedRequestCustomizer to this file.

It is well documented:

Neither CUBA nor your application should duplicate the logic that has already been implemented by application servers.
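
A jetty.xml along the lines suggested above, as an added example that is not part of the original thread or of the CUBA documentation. The ids `Server` and `httpConfig` and port 8080 are assumptions; the classes and setters are standard Jetty 9 ones.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<!-- Example jetty.xml for the app-core UberJar behind an Apache reverse proxy. -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <!-- Makes Jetty report the address from X-Forwarded-For as the
             request's remote address, so the check against
             cuba.trustedClientPermittedIpList sees the original caller
             instead of the proxy. -->
        <Call name="addCustomizer">
            <Arg>
                <New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/>
            </Arg>
        </Call>
    </New>

    <!-- The customizer believes the header from whoever connects. Keep this
         port reachable from the reverse proxy only, and have the proxy
         discard any X-Forwarded-For value supplied by its own clients. -->
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server">
                    <Ref refid="Server"/>
                </Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">
                        <Item>
                            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                <Arg name="config">
                                    <Ref refid="httpConfig"/>
                                </Arg>
                            </New>
                        </Item>
                    </Array>
                </Arg>
                <!-- Assumed port; use the one the proxy forwards to. -->
                <Set name="port">8080</Set>
            </New>
        </Arg>
    </Call>
</Configure>
```

With this in place the IP allowlist is only as trustworthy as the header, so network filtering between the two sub-networks still has to guarantee that nothing but the proxy can open connections to app-core.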

Hi Alex,

Thanks for this information.
I’m sure it will help me a lot.