
How to secure Jetty to only allow access from loopback(localhost)

How can I secure jetty to only allow connections from localhost? This means a connection to server A on System A from Client B on System B has to fail. I know I can do this by configuring my firewall (so please no answers about this). I just want Jetty to only listen on localhost(loopback).

Alfred asked Dec 23 '09 21:12


6 Answers

I found the answer to my question myself after a little bit more googling.

The answer is (Tested on jetty-distribution-7.0.1.v20091125):

  1. Locate jetty.xml (etc/jetty.xml)
  2. Search for <Call name="addConnector">
  3. Set <Set name="Host"><SystemProperty name="jetty.host" default="127.0.0.1"/></Set> before line <Set name="port"><SystemProperty name="jetty.port"/></Set>
  4. That's it. Restart jetty server (java -jar start.jar). The server should output something like:

    2009-12-23 23:02:09.291:INFO::Started SelectChannelConnector@127.0.0.1:8080

The important thing is that it should say 127.0.0.1 instead of 0.0.0.0; 0.0.0.0 means listen on all IPs on the machine.

P.S.: I wanted to secure Apache Solr (which uses Jetty), which can be achieved in the same way.

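You can also bind to localhost programmatically (embedded Jetty):

    import org.eclipse.jetty.server.Connector;
    import org.eclipse.jetty.server.Server;
    import org.eclipse.jetty.server.nio.SelectChannelConnector;

    Server server = new Server();
    Connector connector = new SelectChannelConnector();
    connector.setHost("localhost"); // bind to the loopback interface only
    connector.setPort(80);
    server.addConnector(connector);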
Alfred answered Nov 18 '22 13:11
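
To confirm from the host itself that the bind took effect, rather than relying only on the startup log line, the listener table can be checked. This is an added example, not part of the answer above; the function name `check_bind` and the sample lines are constructed for illustration, and it assumes a Linux host with `ss` from iproute2.

```sh
#!/bin/sh
# Added example: classify TCP listeners on one port from `ss -ltn` output.
# Exit status: 0 = loopback only, 1 = at least one non-loopback bind,
# 2 = nothing is listening on that port.
check_bind() {  # usage: ss -ltn | check_bind 8080
  awk -v port="$1" '
    {
      addr = $4                        # 4th column: local address:port
      n = match(addr, /:[0-9]+$/)      # the last colon precedes the port
      if (!n || substr(addr, n + 1) != port) next   # also skips the header
      found = 1
      host = substr(addr, 1, n - 1)
      sub(/^\[/, "", host); sub(/\]$/, "", host)    # [::1] becomes ::1
      if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) {
        print "loopback " addr
      } else {
        print "EXPOSED " addr          # wildcard or a routable address
        bad = 1
      }
    }
    END { if (!found) exit 2; exit bad + 0 }
  '
}

# Constructed samples in `ss -ltn` format (not captured from a real host).
# A JVM on a dual-stack Linux host usually reports an IPv4 loopback bind in
# IPv4-mapped form and a wildcard bind as "*".
SAMPLE_LOOPBACK='LISTEN 0 50 [::ffff:127.0.0.1]:8080 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_WILDCARD='LISTEN 0 50 *:8080 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | check_bind 8080 || echo "not loopback-only"
printf '%s\n' "$SAMPLE_WILDCARD" | check_bind 8080 || echo "not loopback-only"
```

On a live host, run `ss -ltn | check_bind 8080` after restarting Jetty; a non-zero status means the port is either still reachable on a non-loopback address or not listening at all.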


For Jetty 9 embedded, this code works.

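    import org.eclipse.jetty.server.Connector;
    import org.eclipse.jetty.server.Server;
    import org.eclipse.jetty.server.ServerConnector;

    Server server = new Server();
    ServerConnector connector = new ServerConnector(server);
    connector.setPort(80);
    connector.setHost("localhost"); // bind to the loopback interface only
    server.setConnectors(new Connector[]{connector});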
Hernán Eche answered Nov 18 '22 13:11


I have not tried this, but the usual method is to bind the server to localhost (i.e. to IP 127.0.0.1). That means that the Jetty server will listen only to connections that have localhost as their destination address.

A quick googling revealed this http://old.nabble.com/How-to-make-Jetty-bind-to-specific-IP-address---to11667378.html#a11669524 :

add this entry to SelectChannelConnector for example:

    <Set name="Host">127.0.0.1</Set>

Juha Syrjälä answered Nov 18 '22 14:11


You can set the jetty.host property during start of the virtual machine:

    java -Djetty.host=127.0.0.1 -jar start.jar

Btw same for jetty.port.

ceving answered Nov 18 '22 14:11


I was able to do this using .htaccess but for some reason the localhost filtering does not work. If you want to allow traffic from a particular external IP and block all others try http://technologyenablingbusiness.blogspot.com/2011/03/setting-security-in-solr-running-on.html

EDIT: Archived version of page at https://web.archive.org/web/20110429184536/http://technologyenablingbusiness.blogspot.com/2011/03/setting-security-in-solr-running-on.html

Yash answered Nov 18 '22 15:11


As of Jetty 7.1.5 (released in July 2010), you may initialize the Jetty server like this:

    Server server = new Server(new InetSocketAddress("127.0.0.1", 8080));

Remember to import java.net.InetSocketAddress;.

Reference: org.eclipse.jetty.server.Server's constructor.

Flux answered Nov 18 '22 13:11