Restricting Access Based on IP Address
I am wondering how Oracle Identity Management lets us check if the request comes from a specific IP Address before authentication. I need to restrict access to web pages for a username or role to a certain location and IP address, in fact a bank branch.
Please note that I don't want to limit access to the server to one IP address in general, but I need to let in a pair of (IPx,Usernamex) in other words bind IPs and identities.
Any suggestion for this?
Thank you
Regards,
Farbod
Hi
Sorry for not answering until now but I have been busy the last couple of days.
You need to implement this functionality on the first node in your system so that you can get the originator IP. If your application server is behind something that changes the originator IP you will simply not be able to read the IP and the approach of using SSO call outs will not work. SSO call out will only work if the app server is placed in front.
If you have a load balancer in front you will need to install a reverse proxy of some kind in front of the load balancer. If you have the money for licenses I would recommend looking at OAAM.
What you will be building is basically a SSO setup so as long as the SSO system supports your authentication scheme and has an SSO plug in that supports your app server you will be fine.
If you have plenty of time but little license money you might want to look at building something based on Apache and mod_proxy or mod_security. I did a little bit of work on this back in 2003 but it doesn't seem to be a common pattern today so I am not sure how viable this option is.
Hope this helps
/M
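As an added example (not from the thread and not Oracle Identity Management code), the pre-authentication check the question asks for, written as a plain Python function: each identity is bound to one or more branch networks, and a login attempt is refused before the credential check when the source address is outside that identity's bound ranges. Usernames and CIDRs are constructed; `client_ip` must be the originator's address as seen by the first hop, which is the point M's reply makes.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed allowlist: each identity is bound to the branch network(s) it may
# log in from. Keys could equally be role names; values are CIDR strings.
BRANCH_BINDINGS: Dict[str, List[str]] = {
    "teller01": ["10.20.1.0/24"],                    # branch A LAN
    "teller02": ["10.20.2.0/24", "10.20.9.200/32"],  # branch B LAN plus one host
    "auditor":  ["10.99.0.0/16"],                    # head-office range
}


def ip_permitted_for_user(username: str, client_ip: str,
                          bindings: Dict[str, List[str]] = BRANCH_BINDINGS) -> bool:
    """True only when the pair (client_ip, username) matches one of the user's
    bound networks.

    client_ip must be the originator's address as seen by the first node of the
    system; behind a NAT device or a load balancer it would be that device's
    address and the check would be meaningless.
    Unknown users and unparsable addresses are refused (fail closed)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    cidrs = bindings.get(username)
    if not cidrs:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def pre_auth_gate(username: str, client_ip: str) -> Optional[str]:
    """Decision taken before the credential check, as the question asks.

    Returns None to let the login proceed, or a reason string for the audit
    log when refusing (the user should only see a generic failure)."""
    if not ip_permitted_for_user(username, client_ip):
        return f"user={username} refused: source {client_ip} is not bound to this identity"
    return None
```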
Similar Messages
-
Restrict application access based on IP address
Hi!
I am a newbie to Oracle Application Server, and I want to know if there is any way to restrict access to particular applications such as 'ascontrol' based on IP address.
I am using Oracle Application Server 10g.
Regards
Drini
You can see the dms.conf file for something like that.
Order deny,allow
deny from all
allow from 10.0.0.1
This only allows 10.0.0.1 to see something.
Greetings -
I would like to combine <cfif> and <cfinclude> to
control part of the content of a page based on IP address ranges.
Basically, when a user accesses the page from a defined range of IP
addresses, the <cfinclude> calls foo.cfm into the page. If
the user accesses the page from an IP address outside of the
defined IP address range, <cfinclude> will return
other_foo.cfm.
Any suggestions for a newbie?
Thanks in advance.
The variable CGI.REMOTE_ADDR or CGI.REMOTE_HOST should contain the IP information. Then compare to your range. -
Using NAR to restrict access by MAC address
Hello All,
We have a solution where home users connect via ATM onto our network. Currently their RADIUS requests are passed onto Cisco ACS 3.3 and they are authenticated using RSA SecurID fobs to an ACE server.
I am trying to look at an alternative to using a SecurID fob and restrict the end user's access based on MAC address.
I found this on the online documentation for ACS 3.3
"About Non-IP-based NAR Filters
A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of permitted or denied "calling"/"point of access" locations that you can use in restricting a AAA client. However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. The format of what you specify in the CLI box (CLI, IP address, or MAC address) must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log."
If I specify a client's MAC in any of the non-IP NAR options (CLI, Port, DNIS) access is refused. I am using RADIUS IETF and the only time I can see the MAC in the RADIUS accounting logs is when I turn on the option to log cisco-av-pair. Nothing is being logged under CLI or DNIS, so I don't think I can restrict access based on MAC using a non-IP NAR. Has anyone implemented what is referred to in the documentation above? Is it just applicable to Cisco Aironet? Any ideas?
Thanks.
A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. So it is not device specific.
-
Restrict access to files with JAAS
Hi,
I would like to restrict access based on a JAAS-authenticated user to a file named
c:/foo.txt. I have written some code that checks if the authenticated user has
access to the file, but how and where do I grant the user access with JAAS in
WebLogic Server 6?
FilePermission filePerm = new FilePermission("c:/foo.txt", "read");
java.security.AccessController.checkPermission(filePerm);
thanks
/Chriz
meena.vyas and jyri, please note that the uri parameter specifies a wildcard pattern. As stated in the Using Wildcard Patterns section of the NSAPI Programmer's Guide at http://docs.sun.com/source/817-6252/npgwldcrd.html, ~ is a special character in wildcard patterns. As such, your examples will not work.
ylapin, the following should do what you want:
<Client uri="*\\~">
PathCheck fn="deny-existence"
</Client>
You can add the above immediately below the <Object name="default"> line in the obj.conf configuration file. -
Providing Access based on Client IP Address
Current Scenario -
SAP Portal is accessible directly and via Citrix (VPN).
Based on the URL alias - we have implemented Desktop Filtering.
e.g. if the URL ends with /internet you get restricted roles
e.g. if the URL ends with /intranet you get wider roles
In Production, we also have Netscaler Reverse Proxy and HTTPs settings in place for External (outside firewall) access.
New Requirement (Example) -
Based on the IP address of the client, determine which subnet it falls under and based on that -
If used within Citrix - Provide certain roles
If not used within Citrix - Restricted access / Redirect to a different URL on the redirect server.
Questions -
With the current desktop filtering in place based on URL determination and no specific restriction for inside/outside Citrix access -
1 - Please suggest which would be a good way to crack this? Inside Portal (IP address determination and SAP Logon modification) / Outside Portal (e.g. Citrix, Network OS Exit, Reverse Proxy etc.) based on Best Practice?
2 - Not sure if this is relevant: Find IP address of Client with Web Dynpro (this API works only in Web Dynpro and not PDK)? I believe tweaking SAP Logon logic can get very painful and overly complicated for such scenarios.
Thanks for your inputs ~ Dhanz
Vivek,
On the coding front -
1 - Will reading the IP address in the header field x-forwarded-for retrieve the right results if a reverse proxy is in place? Wouldn't it retrieve the proxy / load balancer IP instead of the client IP?
2 - Also we have HTTPS settings for extranet access - So encrypted data (eg Client IP ) is transferred that the Web Dispatcher cannot manipulate ?
Please suggest.
Remember to be polite
Edited by: Anja Engelhardt on Jan 27, 2012 11:27 AM -
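Added example, not part of the SAP thread or any SAP product: resolving the originating client address behind a reverse proxy, which is the problem raised in question 1 above. The X-Forwarded-For header is only believed when the TCP peer is one of our own proxies, and the hop chain is walked right to left so a client-supplied leading entry cannot spoof the result; proxy CIDRs and sample header values are constructed. This assumes the proxy terminates TLS: a proxy that merely passes encrypted traffic through cannot add the header at all, which bears on question 2.

```python
import ipaddress
from typing import Iterable, List, Optional


def _parse(ip: str):
    """Return an ip_address object, or None for anything that is not one."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def originating_client_ip(peer_ip: str, xff_header: Optional[str],
                          trusted_proxies: Iterable[str]) -> Optional[str]:
    """Find the client address behind our own reverse proxies.

    peer_ip          address of the TCP peer that connected to this server
    xff_header       raw X-Forwarded-For value, or None if absent
    trusted_proxies  CIDRs of the reverse proxies / load balancers we operate
                     (constructed values in the test; use your own ranges)

    The chain is [xff entries..., peer]. Walking from the right, every hop
    that is one of our proxies is stripped; the first hop that is not ours is
    the client. If the peer itself is not a trusted proxy, the header came
    from an untrusted source and is ignored entirely. Returns None when the
    chain is all our own hops or contains garbage (fail closed).
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_proxies]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    hops: List[str] = [h for h in (xff_header or "").split(",") if h.strip()]
    chain = hops + [peer_ip]  # the TCP peer is always the last hop
    for hop in reversed(chain):
        addr = _parse(hop)
        if addr is None:
            return None  # malformed entry: do not trust the rest of the header
        if not is_trusted(addr):
            return str(addr)
    return None
```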
ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails
Hi,
I have an assignment to create an access list based on IP address: we have to allow internet access for the IP range 192.168.172.201 to 212.
And the rest of the users we have to block, excluding mail.
Please help.
Thanks,
Regards,
Hemant Yadav
login as: Rakh
[email protected]'s password:
Type help or '?' for a list of available commands.
FAST-HQ-ASA> en
Password:
Invalid password
Password: ***********
FAST-HQ-ASA# show rum
^
ERROR: % Invalid input detected at '^' marker.
FAST-HQ-ASA# show run
: Saved
ASA Version 8.3(1)
hostname FAST-HQ-ASA
enable password 7tt1ICjiO2a2/Hn2 encrypted
passwd U8oee3lIrDCUmSK2 encrypted
names
interface Ethernet0/0
description ASA Outside segment
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 62.173.33.67 255.255.255.240
interface Ethernet0/1
description VLAN AGGREGATION point
no nameif
no security-level
no ip address
interface Ethernet0/1.2
description INSIDE segment (User)
vlan 2
nameif INSIDE
security-level 100
ip address 192.168.172.1 255.255.255.0
interface Ethernet0/1.3
description LAN
vlan 3
nameif LAN
security-level 100
ip address 192.168.173.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 192.168.172.0 255.255.255.0
object network LAN
subnet 192.168.173.0 255.255.255.0
object network MAIL-SERVER
host 192.168.172.32
object network DENY-IP-INTERNET
range 192.168.172.121 192.168.172.200
object-group service serBLOCK-INTERNET tcp
port-object eq www
object-group network BLOCK-IP-INTERNET
network-object object DENY-IP-INTERNET
access-list 102 extended permit icmp any any time-exceeded
access-list 102 extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https
access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET
access-list BLOCK-WWW extended permit ip any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INSIDE
nat (INSIDE,OUTSIDE) dynamic interface
object network LAN
nat (LAN,OUTSIDE) dynamic interface
object network MAIL-SERVER
nat (INSIDE,OUTSIDE) static 62.173.33.70
access-group OUTSIDE-IN in interface OUTSIDE
access-group BLOCK-WWW out interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 192.168.172.37 255.255.255.255 INSIDE
ssh 192.168.173.10 255.255.255.255 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Rakh password EV9pEo1UkhHJSbIW encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1ee78d19f958efc6fd95f5e9d4e97b8d
: end
FAST-HQ-ASA#
-
Is it possible to restrict access to specific iOS apps based on the WIFI profile that a user has connected to?
you might be able to block it if the app uses Internet access
and depending on your wireless you might be able to block a specific user
accessing the backend host that the app uses
some firewalls offer application filtering but I'm not aware of any that work with iOS apps -
HT1178 How do I restrict access to my network to mac addresses?
I am setting-up a new Time Capsule and wish to restrict access to my wireless network to only those mac addresses of my equipment. I can't find instructions on how to do this. Any help in pointing me to the correct resource would be appreciated.
Suggest that you check the Help area in AirPort Utility for instructions.
Open AirPort Utility
Click the Help menu at the top of the screen
Click AirPort Utility Help
Wait for Help to load
Click Setting up a Wi-Fi network on the left side of the main page
Click Control when a user can access your network
Click Control access to your wireless network -
Restricting access via MAC address?
Hello,
Could someone please tell me how to restrict access to my wireless network (and internet sharing) by only allowing computers with a certain MAC address to join?
I'm kinda stumbling around here
Thanks,
Jonny
Sorry if I wasn't being specific enough...
I have my eMac set up as a Software Base Station, which streams internet & Airtunes to an Airport Express. I have it set up this way, because my ADSL modem is connected via USB (so it's a bit of a workaround). As a result, I have Internet Sharing switched on, so I can access it from all my other macs.
What I want to do is to stop other people from accessing my eMac's internet connection. If I set up a WEP password for Internet Sharing, I lose my Airtunes facility... so I was thinking another way might be to restrict access to the connection via MAC address. I only want my other airport card-equipped macs to access the internet connection and network generally.
Surely it's possible? -
Restrict Access to certain users based on if a variable in the SQL database is set to 1
Hey guys,
I am quite new to PHP and MySQL and I have a question concerning access restriction. For a website project I am experimenting with Dreamweaver's login and restrict access behavior, which works fine. However, on the website I would like to restrict access for users that only have a 1 set in the corresponding MySQL database (which means that e.g. each page has a different variable in the database that can be set to 1, which would allow me to personify access beyond the level of the out-of-the-box option, where each user can only have one access level). So it is quite similar to the out-of-the-box restrict access to page based on user group, but just depending on another variable in the database.
I guess it can be done with an if condition that checks in the database if the logged in user has a 1 in this variable, and if yes give her/him access if not redirect to another page. However, I could not figure out how to implement that.
Your help is highly appreciated!
Thanks in advance!
Hello guys,
I spent quite some time on the internet researching my wish and redefined my need: I would basically like to have the possibility to assign a user multiple access levels. There would be e.g. 10 pages, for each of which I create an access level. Then a user with e.g. access to pages 2 and 8 can only access these two pages. So my basic question is if, and if yes how, I can assign a user multiple access levels at a time and store these values in the MySQL database.
Thanks a lot for your help!! -
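Added example, not from the thread and not Dreamweaver's server behaviors: the "multiple access levels per user" the follow-up asks for, modelled as a user/page grant table instead of a 1/0 column per page, with the per-request check as a parameterised query. It uses Python's sqlite3 so it runs stand-alone; the SQL has the same shape on MySQL. Table, column and sample names are constructed.

```python
import sqlite3
from typing import Iterable, Set

# One row per (user, page) grant instead of a column per page, so a user can
# hold any number of "access levels" at once. Names are constructed.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE pages (page_id INTEGER PRIMARY KEY, path TEXT UNIQUE NOT NULL);
CREATE TABLE page_access (
    user_id INTEGER NOT NULL REFERENCES users(user_id),
    page_id INTEGER NOT NULL REFERENCES pages(page_id),
    PRIMARY KEY (user_id, page_id)
);
"""


def grant(conn: sqlite3.Connection, username: str, paths: Iterable[str]) -> None:
    """Give a user access to several pages at once; duplicate grants are ignored."""
    conn.executemany(
        "INSERT OR IGNORE INTO page_access (user_id, page_id) "
        "SELECT u.user_id, p.page_id FROM users u, pages p "
        "WHERE u.username = ? AND p.path = ?",
        [(username, path) for path in paths])
    conn.commit()


def revoke(conn: sqlite3.Connection, username: str, path: str) -> None:
    """Remove a single grant."""
    conn.execute(
        "DELETE FROM page_access "
        "WHERE user_id = (SELECT user_id FROM users WHERE username = ?) "
        "AND page_id = (SELECT page_id FROM pages WHERE path = ?)",
        (username, path))
    conn.commit()


def can_access(conn: sqlite3.Connection, username: str, path: str) -> bool:
    """Per-request check for the 'if condition' the post describes.
    Parameterised query; an unknown user or page yields no row (fail closed)."""
    row = conn.execute(
        "SELECT 1 FROM page_access pa "
        "JOIN users u ON u.user_id = pa.user_id "
        "JOIN pages p ON p.page_id = pa.page_id "
        "WHERE u.username = ? AND p.path = ? LIMIT 1",
        (username, path)).fetchone()
    return row is not None


def accessible_pages(conn: sqlite3.Connection, username: str) -> Set[str]:
    """Everything a user may open, e.g. to decide which links to render."""
    rows = conn.execute(
        "SELECT p.path FROM page_access pa "
        "JOIN users u ON u.user_id = pa.user_id "
        "JOIN pages p ON p.page_id = pa.page_id "
        "WHERE u.username = ?", (username,)).fetchall()
    return {r[0] for r in rows}


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data: ten pages, alice may
    open pages 2 and 8 only, bob has no grants yet."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(n, f"/page{n}.php") for n in range(1, 11)])
    grant(conn, "alice", ["/page2.php", "/page8.php"])
    return conn
```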
How to restrict VK11 access based on condition class D (Tax)
Hi,
I have a requirement to restrict VK11 access based on condition class D (Tax), because not all users should have access to maintain tax data in VK11, while general pricing data they can maintain. When the condition class is D we should have control.
Thanks
Akhilesh
Hi Akhilesh,
Please find the below link and click on View article.
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
how to create authorization object?
Thanks
Dasaradha -
Restricting access to link based on a user's accesslevel
I've gotten the DW login feature working for restricting
access to pages based on a user's successful login and associated
accesslevel. However, I have some links that open an Excel
spreadsheet and an Outlook calendar. Is there an easy way to
restrict access to a link so that an unauthorized user can't
navigate to the link? Here's my code for the link:
<td height="19" colspan="3" valign="top"><em><strong><a href="STI-Intranet/XLS/PROD_SCHED.xls" title="Current Production Schedule (Read Only)">STI Production Schedule</a></strong></em></td>
<td height="4%" valign="top"><strong><a href="http://server_3/public/cal_engineering/" title="FROM INTRANET"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">INT</font></a></strong></td>
What server side language are you using? Do the links need to be restricted to just one access level, or multiple levels? Should it be blocked for only one level or multiple?
Bryan Ashcraft (remove brain to reply)
Web Application Developer
Wright Medical Technologies, Inc.
=============================
Macromedia Certified Dreamweaver Developer
Adobe Community Expert (DW) ::
http://www.adobe.com/communities/experts/
-
How do I restrict access to Wireless router (800 series) by mac address
I hope I'm in the correct area.
I'm trying to deny access to 3 wireless devices to the cisco 800 series wireless router
The MAC address are:
MAC Address IP address Device Name Parent State
0014.6caf.410a 192.168.2.26 unknown - self Assoc
9803.d8ba.cd42 192.168.2.41 unknown - self Assoc
a4d1.d205.72e1 192.168.2.25 unknown
If this cannot be done, is it possible to assign the MAC address to an IP address and then deny access to the IP address?
Thanks
Jon
Hello Jon,
You should be able to do it either way. Best way would be by IP address so you do not even allow the host to associate with your AP.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
FERC Code of Conduct - Restricting access for employees
hello - I am project lead for an effort to separate market and transmission data from certain employees in our company. I'm finding this to be a monumental task, since we have a large SAP implementation. FI/CO, MM, HR (position-based security), Customer (IS-U-CCS), PM, PS, xRPM. We have implemented SOD for SOx compliance, but this is an entirely different effort. Unlike SOx, we need to totally restrict transactions that could contain non-public market and transmission data, so we need to separate the data behind the transactions. Does anyone have experience with this? Would love to hear what approach you took and swap ideas.
Annette M Alboreo, FirstEnergy Corp.
Hi Annette,
First of all, good luck! Data segregation is always a tricky one to manage and needs to be carefully thought out. This sort of activity has a large security and functional overhead and you need to make sure you have access to them.
When I've worked on this sort of thing in the past, there are a few things that you need to identify
- What data is sensitive? The business should ID all sensitive data and the functional team translate that into fields etc. What data needs to be legally segregated, what data is nice to have segregated. A set of rules should be drawn up to say who gets what in which circumstances.
- How are people accessing data? What transactions give access to sensitive data? Standard SAP tx, custom tx (which may need auth checks changing), access to SE38/SA38, SQ01, SQVI etc. All of the routes to the data need to be identified.
Once it is known what data needs to be restricted then it is possible to address how to restrict access to it. A reasonable amount of it should be able to be catered for in the standard auth concept. It's also likely that there will be the requirement for additional config & customising (e.g hide fields, change screens, user exits) to meet these new control needs. I think it goes without saying that the more that you can fix with the standard auth concept, the easier it tends to be. If this means removing some transactions from users then in some cases it may be less costly than knocking up a whole load of custom code to solve the problem - of course this is dependent on the situation.
Hope that is of some use
Cheers
Alex