>> This is what I did
>> 1. Used a hashmap for storing allowed IPs (they are very few in
>> number; even 100 won't hurt)
>
> Technically, this will be the fastest way to manage IPs (but use a
> ConcurrentHashMap as you may have concurrent access to this structure).

> The problem I see is that you may have a huge table to manage. Some
> different strategies may have to be implemented, like white list (you just
> store the accepted IP addresses), or multi level filtering (for instance,
> you just keep the last byte or last two bytes, and if the IP address fits,
> you lookup on a slow storage - disk or LDAP -). It all depends on which kind
> of protection you want to offer.

Well, I am just storing allowed addresses (#1). I am using the inverse of
the Blacklist filter implementation, checking on allowed IPs only :-)

> In any case, using MINA to protect your system from incoming connection
> without using a firewall in front of it is insane, IMHO.

It's a good idea to build a firewall using MINA, isn't it :-)

>> 2. Is there a better approach for allowing access on select keys like
>> user name, state or attributes that can be read from input packets

> Difficult question... As you are at a pretty low level with MINA, you can
> only filter on IP. Otherwise, you will have to implement an authentication
> system, which is generally tightly linked with your implemented protocol.

There can be multiple levels of protection, and the MINA IoFilter chain
makes it easy. It can be two implementations or one, depending upon the
requirement. Essentially, after decoding the packet, if we don't get the
required key, we close the session. Since we already filter based on IP,
it gives additional protection.

>
> Just wait a few weeks :) Or wait until next monday, if the vote for 2.0.0-M4
> is positive, as this will allow us to merge the branch to the trunk, and you
> will be able to build a version of ADS using MINA 2.

The wait is acceptable, as it's my internal implementation.
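The two-stage design discussed in this thread (an IP allow-list checked at session creation, then a key check on the decoded message), as an added example written against the MINA 2.0 IoFilter API. This is not code from the poster or from the MINA project. The `ConcurrentHashMap`-backed set follows the advice given above; `KeyedMessage`, the filter names and the wiring method are assumptions for illustration, and `session.close(true)` is the MINA 2.0.x call (later releases name it `closeNow()`).

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.mina.core.filterchain.IoFilterAdapter;
import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.session.IoSession;

/** Holder for the two filters so the example fits in one source file. */
public class ConnectionGuards {

    /**
     * Stage 1: allow-list by remote IP. Placed first in the chain so a
     * session from an unknown address is closed before any bytes are read.
     */
    public static class AllowListFilter extends IoFilterAdapter {

        // Set backed by a ConcurrentHashMap: addresses may be added or removed
        // from an admin thread while the I/O threads are creating sessions.
        private final Set<InetAddress> allowed =
            Collections.newSetFromMap(new ConcurrentHashMap<InetAddress, Boolean>());

        public void allow(InetAddress address) { allowed.add(address); }
        public void disallow(InetAddress address) { allowed.remove(address); }

        /** Policy decision kept separate so it can be unit-tested without a session. */
        public boolean isAllowed(SocketAddress remote) {
            if (!(remote instanceof InetSocketAddress)) {
                return false; // fail closed: not an IP endpoint we can evaluate
            }
            InetAddress addr = ((InetSocketAddress) remote).getAddress();
            return addr != null && allowed.contains(addr);
        }

        @Override
        public void sessionCreated(NextFilter nextFilter, IoSession session) throws Exception {
            if (!isAllowed(session.getRemoteAddress())) {
                session.close(true); // MINA 2.0.x API (closeNow() in later releases)
                return;              // do not pass the session down the chain
            }
            nextFilter.sessionCreated(session);
        }
    }

    /**
     * Stage 2: key check on the decoded message. Placed after the codec
     * filter, so messageReceived() already sees a decoded object rather
     * than raw bytes. Missing or unknown key: close the session.
     */
    public static class RequiredKeyFilter extends IoFilterAdapter {

        /** Hypothetical decoded-message type; your own codec defines the real one. */
        public interface KeyedMessage {
            String getUserName();
        }

        private final Set<String> allowedUsers;

        public RequiredKeyFilter(Set<String> allowedUsers) {
            this.allowedUsers = allowedUsers;
        }

        /** Policy decision, again separated from the session handling. */
        public boolean accepts(Object message) {
            if (!(message instanceof KeyedMessage)) {
                return false; // fail closed on anything the codec did not type
            }
            String user = ((KeyedMessage) message).getUserName();
            return user != null && allowedUsers.contains(user);
        }

        @Override
        public void messageReceived(NextFilter nextFilter, IoSession session, Object message)
                throws Exception {
            if (!accepts(message)) {
                session.close(true);
                return;
            }
            nextFilter.messageReceived(session, message);
        }
    }

    /**
     * Wiring (assumed names): the IP filter goes first, the key filter goes
     * after whatever ProtocolCodecFilter you already install under "codec".
     */
    public static void install(IoAcceptor acceptor, AllowListFilter ipFilter,
                               RequiredKeyFilter keyFilter) {
        acceptor.getFilterChain().addFirst("allowlist", ipFilter);
        acceptor.getFilterChain().addLast("keycheck", keyFilter);
    }
}
```

Ordering is the point: `addFirst` keeps the IP check ahead of the codec so a rejected address never reaches the decoder, while `addLast` places the key check after the codec so it operates on the decoded message the thread describes.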
