My webapp has a set of resources, let's call that set R. Some of those resources need to be accessed only from certain source IP addresses, let's call that subset R'. And some subset of R' (let's call it R'') needs authentication.
I have a requirement to check source IP address before authentication.
Right now, R' is specified in web.xml RemoteAddrFilter s, and R'' is specified in web.xml s.
The problem is, filters are executed after container-managed authentication, so the login form is presented to the user before RemoteAddrFilter kicks in and checks the source IP address. That is not what I need. Users outside trusted IP ranges should not be able to even know about the protected resources, let alone to guess passwords.
RemoteAddrValve, on the other hand, is called before container-managed authentication, but it does not allow specifying s.
What would be a good solution for the above requirement? Extend RemoteAddrValve with the ability to specify s?
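
A sketch of the valve approach the question raises, added here as an example and not code from the original post or from Tomcat itself. The class name `PathRemoteAddrValve`, its `pathPattern` and `allow` attributes, the package name and the sample regexes are all hypothetical; the imports assume the `javax.servlet` namespace (Tomcat 9 and earlier).

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;           // jakarta.servlet on Tomcat 10+
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical valve: paths matching pathPattern are served only to client
 * addresses matching allow. Declared in the Context, it runs before the
 * authenticator, so other clients never reach the login form.
 * Constructed sample configuration:
 *   <Valve className="example.PathRemoteAddrValve"
 *          pathPattern="/myapp/internal/.*" allow="10\.\d+\.\d+\.\d+"/>
 */
public class PathRemoteAddrValve extends ValveBase {
    private volatile Pattern pathPattern; // regex over the full decoded path
    private volatile Pattern allow;       // regex over the client address

    // Tomcat sets these from the <Valve> element's attributes.
    public void setPathPattern(String regex) { pathPattern = Pattern.compile(regex); }
    public void setAllow(String regex) { allow = Pattern.compile(regex); }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Pattern paths = pathPattern;
        // Match on the decoded URI so percent-encoding cannot dodge the pattern.
        // It includes the context path, so the pattern must include it too.
        String uri = request.getDecodedRequestURI();
        if (paths != null && uri != null && paths.matcher(uri).matches()) {
            Pattern allowed = allow;
            // TCP peer address: behind a reverse proxy this is the proxy,
            // unless a RemoteIpValve earlier in the pipeline rewrites it.
            String addr = request.getRemoteAddr();
            // Fail closed: a protected path with no allow list is denied.
            if (allowed == null || addr == null || !allowed.matcher(addr).matches()) {
                // 404 rather than 403, so the resource's existence is not revealed.
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        }
        getNext().invoke(request, response); // continue to the authenticator
    }
}
```

The path regex has to cover at least everything the security constraints protect; any protected URL it misses will still show the login form to untrusted addresses.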