web/src/main/java/org/apache/shiro/web/filter/authz/IpFilter.java - shiro - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.shiro.web.filter.authz;

 import org.apache.shiro.lang.util.StringUtils;

 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;

 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Collection;

 /**
  * A Filter that requires the request to be from within a specific set of IP
  * address ranges and / or not from with a specific (denied) set.
  * <p/>
  * Example config:
  * <pre>
  * [main]
  * localLan = org.apache.shiro.web.filter.authz.IpFilter
  * localLan.authorizedIps = 192.168.10.0/24
  * localLan.deniedIps = 192.168.10.10/32
  * <p/>
  * [urls]
  * /some/path/** = localLan
  * # override for just this path:
  * /another/path/** = localLan
  * </pre>
  *
  * @since 2.0
  */
 public class IpFilter extends AuthorizationFilter {

     private static IpSource DEFAULT_IP_SOURCE = new IpSource() {
             public Collection<String> getAuthorizedIps() {
                 return Collections.emptySet();
             }
             public Collection<String> getDeniedIps() {
                 return Collections.emptySet();
             }
         };

     private IpSource ipSource = DEFAULT_IP_SOURCE;

     private List<IpAddressMatcher> authorizedIpMatchers = Collections.emptyList();
     private List<IpAddressMatcher> deniedIpMatchers = Collections.emptyList();

     /**
      * Specifies a set of (comma, tab or space-separated) strings representing
      * IP address representing IPv4 or IPv6 ranges / CIDRs from which access
      * should be allowed (if the IP is not included in either the list of
      * statically defined denied IPs or the dynamic list of IPs obtained from
      * the IP source.
      */
     public void setAuthorizedIps(String authorizedIps) {
         String[] ips = StringUtils.tokenizeToStringArray(authorizedIps, ", \t");
         if (ips != null && ips.length > 0) {
             authorizedIpMatchers = new ArrayList<IpAddressMatcher>();
             for (String ip : ips) {
                 authorizedIpMatchers.add(new IpAddressMatcher(ip));
             }
         }
     }

     /**
      * Specified a set of (comma, tab or space-separated) strings representing
      * IP address representing IPv4 or IPv6 ranges / CIDRs from which access
      * should be blocked.
      */
     public void setDeniedIps(String deniedIps) {
         String[] ips = StringUtils.tokenizeToStringArray(deniedIps, ", \t");
         if (ips != null && ips.length > 0) {
             deniedIpMatchers = new ArrayList<IpAddressMatcher>();
             for (String ip : ips) {
                 deniedIpMatchers.add(new IpAddressMatcher(ip));
             }
         }
     }

     public void setIpSource(IpSource source) {
         this.ipSource = source;
     }

     /**
      * Returns the remote host for a given HTTP request. By default uses the
      * remote method ServletRequest.getRemoteAddr(). May be overridden by
      * subclasses to obtain address information from specific headers (e.g. XFF
      * or Forwarded) in situations with reverse proxies.
      */
     public String getHostFromRequest(ServletRequest request) {
         return request.getRemoteAddr();
     }

     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
         String remoteIp = getHostFromRequest(request);
         for (IpAddressMatcher matcher : deniedIpMatchers) {
             if (matcher.matches(remoteIp)) {
                 return false;
             }
         }
         for (String ip : ipSource.getDeniedIps()) {
             IpAddressMatcher matcher = new IpAddressMatcher(ip);
             if (matcher.matches(remoteIp)) {
                 return false;
             }
         }
         for (IpAddressMatcher matcher : authorizedIpMatchers) {
             if (matcher.matches(remoteIp)) {
                 return true;
             }
         }
         for (String ip : ipSource.getAuthorizedIps()) {
             IpAddressMatcher matcher = new IpAddressMatcher(ip);
             if (matcher.matches(remoteIp)) {
                 return true;
             }
         }
         return false;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.shiro.web.filter.authz;

	import org.apache.shiro.lang.util.StringUtils;

	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;

	import java.util.ArrayList;
	import java.util.Collections;
	import java.util.List;
	import java.util.Collection;

	/**
	* A Filter that requires the request to be from within a specific set of IP
	* address ranges and / or not from with a specific (denied) set.
	* <p/>
	* Example config:
	* <pre>
	* [main]
	* localLan = org.apache.shiro.web.filter.authz.IpFilter
	* localLan.authorizedIps = 192.168.10.0/24
	* localLan.deniedIps = 192.168.10.10/32
	* <p/>
	* [urls]
	* /some/path/** = localLan
	* # override for just this path:
	* /another/path/** = localLan
	* </pre>
	*
	* @since 2.0
	*/
	public class IpFilter extends AuthorizationFilter {

	private static IpSource DEFAULT_IP_SOURCE = new IpSource() {
	public Collection<String> getAuthorizedIps() {
	return Collections.emptySet();
	}
	public Collection<String> getDeniedIps() {
	return Collections.emptySet();
	}
	};

	private IpSource ipSource = DEFAULT_IP_SOURCE;

	private List<IpAddressMatcher> authorizedIpMatchers = Collections.emptyList();
	private List<IpAddressMatcher> deniedIpMatchers = Collections.emptyList();

	/**
	* Specifies a set of (comma, tab or space-separated) strings representing
	* IP address representing IPv4 or IPv6 ranges / CIDRs from which access
	* should be allowed (if the IP is not included in either the list of
	* statically defined denied IPs or the dynamic list of IPs obtained from
	* the IP source.
	*/
	public void setAuthorizedIps(String authorizedIps) {
	String[] ips = StringUtils.tokenizeToStringArray(authorizedIps, ", \t");
	if (ips != null && ips.length > 0) {
	authorizedIpMatchers = new ArrayList<IpAddressMatcher>();
	for (String ip : ips) {
	authorizedIpMatchers.add(new IpAddressMatcher(ip));
	}
	}
	}

	/**
	* Specified a set of (comma, tab or space-separated) strings representing
	* IP address representing IPv4 or IPv6 ranges / CIDRs from which access
	* should be blocked.
	*/
	public void setDeniedIps(String deniedIps) {
	String[] ips = StringUtils.tokenizeToStringArray(deniedIps, ", \t");
	if (ips != null && ips.length > 0) {
	deniedIpMatchers = new ArrayList<IpAddressMatcher>();
	for (String ip : ips) {
	deniedIpMatchers.add(new IpAddressMatcher(ip));
	}
	}
	}

	public void setIpSource(IpSource source) {
	this.ipSource = source;
	}

	/**
	* Returns the remote host for a given HTTP request. By default uses the
	* remote method ServletRequest.getRemoteAddr(). May be overridden by
	* subclasses to obtain address information from specific headers (e.g. XFF
	* or Forwarded) in situations with reverse proxies.
	*/
	public String getHostFromRequest(ServletRequest request) {
	return request.getRemoteAddr();
	}

	protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
	String remoteIp = getHostFromRequest(request);
	for (IpAddressMatcher matcher : deniedIpMatchers) {
	if (matcher.matches(remoteIp)) {
	return false;
	}
	}
	for (String ip : ipSource.getDeniedIps()) {
	IpAddressMatcher matcher = new IpAddressMatcher(ip);
	if (matcher.matches(remoteIp)) {
	return false;
	}
	}
	for (IpAddressMatcher matcher : authorizedIpMatchers) {
	if (matcher.matches(remoteIp)) {
	return true;
	}
	}
	for (String ip : ipSource.getAuthorizedIps()) {
	IpAddressMatcher matcher = new IpAddressMatcher(ip);
	if (matcher.matches(remoteIp)) {
	return true;
	}
	}
	return false;
	}
	}