Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions
  //
  //  ========================================================================
  //  Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
  //  ------------------------------------------------------------------------
  //  All rights reserved. This program and the accompanying materials
  //  are made available under the terms of the Eclipse Public License v1.0
  //  and Apache License v2.0 which accompanies this distribution.
  //
  //      The Eclipse Public License is available at
 //      http://www.eclipse.org/legal/epl-v10.html
 //
 //      The Apache License v2.0 is available at
 //      http://www.opensource.org/licenses/apache2.0.php
 //
 //  You may elect to redistribute this code under either of these licenses.
 //  ========================================================================
 //
 
 package org.eclipse.jetty.server.handler;
 
 import java.util.List;
 import java.util.Map;
 
 
IP Access Handler

Controls access to the wrapped handler by the real remote IP. Control is provided by white/black lists that include both internet addresses and URIs. This handler uses the real internet address of the connection, not one reported in the forwarded for headers, as this cannot be as easily forged.

Typically, the black/white lists will be used in one of three modes:

  • Blocking a few specific IPs/URLs by specifying several black list entries.
  • Allowing only some specific IPs/URLs by specifying several white lists entries.
  • Allowing a general range of IPs/URLs by specifying several general white list entries, that are then further refined by several specific black list exceptions

An empty white list is treated as match all. If there is at least one entry in the white list, then a request must match a white list entry. Black list entries are always applied, so that even if an entry matches the white list, a black list entry will override it.

Internet addresses may be specified as absolute address or as a combination of four octet wildcard specifications (a.b.c.d) that are defined as follows.

 nnn - an absolute value (0-255)
 mmm-nnn - an inclusive range of absolute values, 
           with following shorthand notations:
           nnn- => nnn-255
           -nnn => 0-nnn
           -    => 0-255
 a,b,... - a list of wildcard specifications
 

Internet address specification is separated from the URI pattern using the "|" (pipe) character. URI patterns follow the servlet specification for simple * prefix and suffix wild cards (e.g. /, /foo, /foo/bar, /foo/bar/*, *.baz).

Earlier versions of the handler used internet address prefix wildcard specification to define a range of the internet addresses (e.g. 127., 10.10., 172.16.1.). They also used the first "/" character of the URI pattern to separate it from the internet address. Both of these features have been deprecated in the current version.

Examples of the entry specifications are:

  • 10.10.1.2 - all requests from IP 10.10.1.2
  • 10.10.1.2|/foo/bar - all requests from IP 10.10.1.2 to URI /foo/bar
  • 10.10.1.2|/foo/* - all requests from IP 10.10.1.2 to URIs starting with /foo/
  • 10.10.1.2|*.html - all requests from IP 10.10.1.2 to URIs ending with .html
  • 10.10.0-255.0-255 - all requests from IPs within 10.10.0.0/16 subnet
  • 10.10.0-.-255|/foo/bar - all requests from IPs within 10.10.0.0/16 subnet to URI /foo/bar
  • 10.10.0-3,1,3,7,15|/foo/* - all requests from IPs addresses with last octet equal to 1,3,7,15 in subnet 10.10.0.0/22 to URIs starting with /foo/

Earlier versions of the handler used internet address prefix wildcard specification to define a range of the internet addresses (e.g. 127., 10.10., 172.16.1.). They also used the first "/" character of the URI pattern to separate it from the internet address. Both of these features have been deprecated in the current version.

 
public class IPAccessHandler extends HandlerWrapper
    private static final Logger LOG = Log.getLogger(IPAccessHandler.class);
    /* ------------------------------------------------------------ */
    
Creates new handler object
    public IPAccessHandler()
    {
        super();
    }
    
    /* ------------------------------------------------------------ */
    
Creates new handler object and initializes white- and black-list

Parameters:
white array of whitelist entries
black array of blacklist entries
    public IPAccessHandler(String[] whiteString []black)
    {
        super();
        
        if (white != null && white.length > 0)
            setWhite(white);
        if (black != null && black.length > 0)
            setBlack(black);
    }
    
    /* ------------------------------------------------------------ */
    
Add a whitelist entry to an existing handler configuration

Parameters:
entry new whitelist entry
    public void addWhite(String entry)
    {
        add(entry);
    }
    
    /* ------------------------------------------------------------ */
    
Add a blacklist entry to an existing handler configuration

Parameters:
entry new blacklist entry
    public void addBlack(String entry)
    {
        add(entry);
    }
    
    /* ------------------------------------------------------------ */
    
Re-initialize the whitelist of existing handler object

Parameters:
entries array of whitelist entries
    public void setWhite(String[] entries)
    {
        set(entries);
    }
    
    /* ------------------------------------------------------------ */
    
Re-initialize the blacklist of existing handler object

Parameters:
entries array of blacklist entries
    public void setBlack(String[] entries)
    {
        set(entries);
    }
    
    /* ------------------------------------------------------------ */
    
    @Override
    public void handle(String targetRequest baseRequestHttpServletRequest requestHttpServletResponse responsethrows IOExceptionServletException
    {
        // Get the real remote IP (not the one set by the forwarded headers (which may be forged))
        AbstractHttpConnection connection = baseRequest.getConnection();
        if (connection!=null)
        {
            EndPoint endp=connection.getEndPoint();
            if (endp!=null)
            {
                String addr = endp.getRemoteAddr();
                if (addr!=null && !isAddrUriAllowed(addr,baseRequest.getPathInfo()))
                {
                    response.sendError(.);
                    baseRequest.setHandled(true);
                    return;
                }
            }
        }
        
        getHandler().handle(target,baseRequestrequestresponse);
    }
    
    /* ------------------------------------------------------------ */
    
Helper method to parse the new entry and add it to the specified address pattern map.

Parameters:
entry new entry
patternMap target address pattern map
    protected void add(String entryIPAddressMap<PathMappatternMap)
    {
        if (entry != null && entry.length() > 0)
        {
            boolean deprecated = false;
            int idx;
            if (entry.indexOf('|') > 0 )
            {
                idx = entry.indexOf('|');
            }
            else
            {
                idx = entry.indexOf('/');
                deprecated = (idx >= 0);
            }
            
            String addr = idx > 0 ? entry.substring(0,idx) : entry;        
            String path = idx > 0 ? entry.substring(idx) : "/*";
            
            if (addr.endsWith("."))
                deprecated = true;
            if (path!=null && (path.startsWith("|") || path.startsWith("/*.")))
                path=path.substring(1);
           
            PathMap pathMap = patternMap.get(addr);
            if (pathMap == null)
            {
                pathMap = new PathMap(true);
                patternMap.put(addr,pathMap);
            }
            if (path != null && !"".equals(path))
                pathMap.put(path,path);
            
            if (deprecated)
                .debug(toString() +" - deprecated specification syntax: "+entry);
        }
    }
    /* ------------------------------------------------------------ */
    
Helper method to process a list of new entries and replace the content of the specified address pattern map

Parameters:
entries new entries
patternMap target address pattern map
    protected void set(String[] entries,  IPAddressMap<PathMappatternMap)
    {
        patternMap.clear();
        
        if (entries != null && entries.length > 0)
        {
            for (String addrPath:entries)
            {
                add(addrPathpatternMap);
            }
        }
    }
    
    /* ------------------------------------------------------------ */
    
Check if specified request is allowed by current IPAccess rules.

Parameters:
addr internet address
path context path
Returns:
true if request is allowed
    protected boolean isAddrUriAllowed(String addrString path)
    {
        if (.size()>0)
        {
            boolean match = false;
            
            Object whiteObj = .getLazyMatches(addr);
            if (whiteObj != null
            {
                List whiteList = (whiteObj instanceof List) ? (List)whiteObj : Collections.singletonList(whiteObj);
                for (Object entrywhiteList)
                {
                    PathMap pathMap = ((Map.Entry<String,PathMap>)entry).getValue();
                    if (match = (pathMap!=null && (pathMap.size()==0 || pathMap.match(path)!=null)))
                        break;
                }
            }
            
            if (!match)
                return false;
        }
        if (.size() > 0)
        {
            Object blackObj = .getLazyMatches(addr);
            if (blackObj != null
            {
                List blackList = (blackObj instanceof List) ? (List)blackObj : Collections.singletonList(blackObj);
    
                for (Object entryblackList)
                {
                    PathMap pathMap = ((Map.Entry<String,PathMap>)entry).getValue();
                    if (pathMap!=null && (pathMap.size()==0 || pathMap.match(path)!=null))
                        return false;
                }
            }
        }
        
        return true;
    }
    /* ------------------------------------------------------------ */
    
Dump the white- and black-list configurations when started

    @Override
    protected void doStart()
        throws Exception
    {
        super.doStart();
        
        if (.isDebugEnabled())
        {
            ..println(dump());
        }
    }
    
    /* ------------------------------------------------------------ */
    
Dump the handler configuration
    public String dump()
    {
        StringBuilder buf = new StringBuilder();
        
        buf.append(toString());
        buf.append(" WHITELIST:\n");
        dump(buf);
        buf.append(toString());
        buf.append(" BLACKLIST:\n");
        dump(buf);
        
        return buf.toString();
    }    
    
    /* ------------------------------------------------------------ */
    
Dump a pattern map into a StringBuilder buffer

Parameters:
buf buffer
patternMap pattern map to dump
    protected void dump(StringBuilder bufIPAddressMap<PathMappatternMap)
    {
        for (String addrpatternMap.keySet())
        {
            for (Object path: ((PathMap)patternMap.get(addr)).values())
            {
                buf.append("# ");
                buf.append(addr);
                buf.append("|");
                buf.append(path);
                buf.append("\n");
            }       
        }
    }
 }
New to GrepCode? Check out our FAQ X