Hi,
I’m using Cuba 7.1.1
I'm building 2 uber jars, app and app-core.
I want to deploy app.jar on a server and app-core.jar on another server. The servers are in 2 separate sub-networks.
I wonder about how to be sure only authorized client apps can perform calls on app-core.jar.
I saw cuba.trustedClientPermittedIpList, which allows restricting the IPs of the caller, but I would like to know if there is a way to secure the callers via a key/token.
When clients invoke middleware services, each invocation contains the user session id which effectively plays the role of a token. If the passed id doesn’t match any session known to the server, an exception is thrown.
The user session id is generated when the user logs in, and this procedure requires either a login/password of a user or a login with cuba.trustedClientPassword. In the latter case, the client IP must also be in cuba.trustedClientPermittedIpList.
So to successfully call the server, a client must either know some user session id currently cached by the server, or a user login together with his/her password or cuba.trustedClientPassword to get a new user session by logging in.
As for X-Forwarded-For for checking the client address, you are right - it's ignored now. Thank you for the report, I've created an issue.
If you are using the UberJar deployment behind a proxy, you should create a custom jetty.xml file and add the ForwardedRequestCustomizer to it.