Inserting MINA IoFilters
As of version 1.1.0 quickfixj allows custom IoFilters. MINA's javadoc for IoFilter gives some examples of how this could be useful:
A filter which intercepts IoHandler events like Servlet filters. Filters can be used for these purposes:
- Event logging,
- Performance measurement,
- Authorization,
- Overload control,
- Message transformation (e.g. encryption and decryption, ...),
- and many more.
This page shows how to add filters by adding a simple filter to the order executor example.
Blacklist Filter
MINA comes with a Blacklist filter which closes incoming connections from blacklisted addresses.
Lets add this filter to the order executor and make it block connections from localhost. To do this, change:
acceptor = new SocketAcceptor (application, messageStoreFactory, settings, logFactory, messageFactory);
acceptor.start();
to this (plus the appropriate imports):
acceptor = new SocketAcceptor (application, messageStoreFactory, settings, logFactory, messageFactory); /* create the filter and add an address to the blacklist */ final BlacklistFilter blacklistFilter = new BlacklistFilter(); blacklistFilter.block(InetAddress.getByName("localhost")); /* add it to the acceptor */ ((SessionConnector) acceptor).setIoFilterChainBuilder(new IoFilterChainBuilder() { public void buildFilterChain(IoFilterChain chain) { chain.addBefore(FIXProtocolCodecFactory.FILTER_NAME, "BlacklistFilter", blacklistFilter); }}); acceptor.start();
Now when you start the executor and banzai apps you'll see this:
<20060913-10:54:22, FIX.4.2:EXEC->BANZAI, event> (Session FIX.4.2:EXEC->BANZAI schedule is daily, 00:00:00 UTC - 00:00:00 UTC) <20060913-10:54:22, FIX.4.2:EXEC->BANZAI, event> (Valid order types: [F, 2]) <20060913-10:54:22, FIX.4.2:EXEC->BANZAI, event> (Created session: FIX.4.2:EXEC->BANZAI) 13/09/2006 20:54:22 quickfix.mina.acceptor.AbstractSocketAcceptor startAcceptingConnections INFO: Listening for connections at 0.0.0.0/0.0.0.0:9876 press <enter> to quit 13/09/2006 20:54:26 quickfix.mina.acceptor.AcceptorIoHandler sessionCreated INFO: MINA session created: /127.0.0.1:4538 13/09/2006 20:54:26 org.apache.mina.util.SessionLog info INFO: [/127.0.0.1:4538] Remote address in the blacklist; closing. 13/09/2006 20:54:26 org.apache.mina.util.SessionLog info INFO: [/127.0.0.1:4538] Remote address in the blacklist; closing.
<20060913-10:54:26, FIX.4.2:BANZAI->EXEC, event> (Session FIX.4.2:BANZAI->EXEC schedule is daily, 00:00:00 UTC - 00:00:00 UTC) <20060913-10:54:26, FIX.4.2:BANZAI->EXEC, event> (Created session: FIX.4.2:BANZAI->EXEC) <20060913-10:54:26, FIX.4.2:BANZAI->EXEC, outgoing> (8=FIX.4.29=6535=A34=449=BANZAI52=20060913-10:54:26.75056=EXEC98=0108=3010=223) <20060913-10:54:26, FIX.4.2:BANZAI->EXEC, event> (Initiated logon request) <20060913-10:54:26, FIX.4.2:BANZAI->EXEC, event> (Disconnecting) 13/09/2006 20:54:26 quickfix.mina.initiator.InitiatorIoHandler sessionCreated INFO: MINA session created: /127.0.0.1:4538
It is as simple as that!
Whitelist Filter
Attached is a sample Whitelist filter - WhitelistFilter.java. It allows an acceptor to accept specific sessions from specific IPs only.
The code changes required to use it are similar to the Blacklist filter, except that:
- The filter is configured from SessionSettings.
- You have to add the filter after FIXProtocolCodecFactory.FILTER_NAME as it relies on this to parse received messages.
acceptor = new SocketAcceptor (application, messageStoreFactory, settings, logFactory, messageFactory); final WhitelistFilter whitelistFilter = new WhitelistFilter(settings); ((SessionConnector) acceptor).setIoFilterChainBuilder(new IoFilterChainBuilder() { public void buildFilterChain(IoFilterChain chain) { chain.addAfter(FIXProtocolCodecFactory.FILTER_NAME, "WhitelistFilter", whitelistFilter); }}); acceptor.start();
Specify valid IP addresses with the WhitelistHost setting, at either the default or session levels as required.
[default] ... WhitelistHost=www.quickfixj.org [session] SenderCompID=EXEC TargetCompID=BANZAI [session] SenderCompID=EXEC TargetCompID=SONOFBANZAI WhitelistHost1=127.0.0.1 WhitelistHost2=192.168.0.1, 192.168.0.2 [session] SenderCompID=EXEC TargetCompID=FREEFORALL WhitelistHost=
On startup the valid hosts will be logged:
INFO: Authorised IPs for FIX.4.2:EXEC->FREEFORALL: [Any] INFO: Authorised IPs for FIX.4.2:EXEC->BANZAI: [www.quickfixj.org/213.246.61.101] INFO: Authorised IPs for FIX.4.2:EXEC->SONOFBANZAI: [/192.168.0.1, /127.0.0.1, www.quickfixj.org/213.246.61.101, /192.168.0.2]
New connections will be validated against the authorised IPs once the first message is received and closed if they are not valid:
WARNING: [/127.0.0.1:2633] Closing FIX.4.2:EXEC->BANZAI connection from unauthorised address.
Comments (2)
Aug 01, 2006
Anonymous says:
Brad, do we need to create a factory for the builder? Is there any reason we can...Brad, do we need to create a factory for the builder? Is there any reason we can't just specify an IoFilterChainBuilder directly? I'm thinking the user would provide an IoFilterChain with just their filter modifications rather than inheriting from a default builder. The codec filter would be inserted automatically into the filter chain before calling the user's builder. The codec would have a well-defined name so it shouldn't limit the flexibility in how a filter chain can be configured. What do you think? I'd prefer to not have the factory unless it's necessary.
Aug 07, 2006
Brad Harvey says:
The primary benefit of the factory here is that it can read the quickfix setting...The primary benefit of the factory here is that it can read the quickfix settings file. If you specify an IoFilterChainBuilder directly in the settings file how do you configure it? This problem goes away if you only allow programmatic setting of the builder on SessionConnector. Not sure how useful specifying in settings actually is - I can imagine the settings file turning into frankensettings if you could do this for everything.
Note that the user is free to use any IoFilterChainBuilderFactory and IoFilterChainBuilder implementations - the Log example just extends the default factory for convenience. The caveat is that you have to insert the quickfix filter codec manually.
I do like the idea of inserting the codec filter and then calling the user's builder which can put things before or after the codec filter as it pleases - I forgot the filters don't have to be added in order. This removes the problem of having to add the codec filter yourself, but you now need to provider a Builder that knows how to add before or after the filter codec as appropriate.
Cheers,
Brad Harvey