shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Wheeldon <richard.wheel...@voxsmart.com>
Subject RE: IP Based Restrictions
Date Wed, 01 Feb 2017 10:18:44 GMT
Sure. How? Is there a cheat sheet around?

-----Original Message-----
From: Brian Demers [mailto:brian.demers@gmail.com] 
Sent: Tuesday, January 31, 2017 8:49 PM
To: user@shiro.apache.org
Cc: dev@shiro.apache.org
Subject: Re: IP Based Restrictions

Can you put this in a pull request for github.com/apache/shiro ?

On Tue, Jan 31, 2017 at 1:35 PM, Richard Wheeldon < richard.wheeldon@voxsmart.com> wrote:

> Done. See http://rswheeldon.com/shiro-ip-filter.tgz
>
>
>
> If someone would like to take a look / fix the default ini / help me 
> get it into trunk it’d be appreciated,
>
>
>
> Regards,
>
>
>
> Richard
>
>
>
> *From:* Brian Demers [mailto:brian.demers@gmail.com]
> *Sent:* Thursday, January 12, 2017 4:16 PM
>
> *To:* user@shiro.apache.org
> *Subject:* Re: IP Based Restrictions
>
>
>
> I like it, we could even create a default IpSource so the INI file 
> could work out of the box, something like:
>
>
>
> [main]
>
> ipFilter.ipSource = x.x.x.x, x.x.x.x/24
>
>
>
>
>
> On Thu, Jan 12, 2017 at 5:25 AM, Richard Wheeldon < 
> richard.wheeldon@voxsmart.com> wrote:
>
> It’s the whole app for now.
>
>
>
> So I could grab the IpAddressMatcher from Spring sec and repackage it 
> (rather than introducing a dep between shiro and spring which would be 
> a bit crazy)
>
> https://github.com/spring-projects/spring-security/blob/
> master/web/src/main/java/org/springframework/security/web/
> util/matcher/IpAddressMatcher.java
>
>
>
> Then create:
>
>
>
> package org.apache.shiro.web.filter.authz;
>
>
>
> public interface IpSource {
>
>     public List<String> getIpRanges();
>
> }
>
>
>
> package org.apache.shiro.web.filter.authz;
>
>
>
> public class IpFilter extends AuthorizationFilter {
>
>     public void setIps(List<String> ips) { ... }
>
>     public void setIpSource(IpSource source) { ... }
>
>     public getHost(ServletRequest request) {
>
>         return request.getRemoteHost();
>
>     }
>
>     @Override
>
>     protected boolean isAccessAllowed(ServletRequest request, 
> ServletResponse response, Object mappedValue) throws Exception {
>
>         ...
>
>         String host = getHost();
>
>         for (IpAddressMatcher matcher : matchers) {
>
>                     if (matcher.matches(host)) {
>
>                 return true;
>
>             }
>
>         }
>
>         return false;
>
>     }
>
> }
>
>
>
> package com.voxsmart.stuff;
>
>
>
> public class XffIpFilter extends IpFilter {
>
>     @Override
>
>     public getHost()
>
>         parseIpAddressFromXffHeader(request.getHeader(XFF_HEADER))
>
>     }
>
> }
>
>
>
> package com.voxsmart.stuff;
>
>
>
> public class DatabaseIpSource {
>
>
>
>     @Override
>
>     public getIpRanges() {
>
>         ... select range from ...
>
>     }
>
> }
>
>
>
> And put in shiro.ini:
>
> [main]
>
> ipSource = com.voxsmart.stuff.DatabaseIpSource
>
> ipFilter = com.voxsmart.stuff.XffIpFilter
>
> ipFilter.ipSource = ipSource
>
>
>
> [urls]
>
> /* = ipSource,...
>
>
>
> Does this seem reasonable?
>
>
>
> *From:* Brian Demers [mailto:brian.demers@gmail.com]
> *Sent:* Tuesday, January 10, 2017 5:14 PM
> *To:* user@shiro.apache.org
> *Subject:* Re: IP Based Restrictions
>
>
>
> Take a look at this block of code in the AuthenticatingFilter:
>
> https://github.com/apache/shiro/blob/ef5450b9f4be74ee93040111539482
> 3b9e1fc3e6/web/src/main/java/org/apache/shiro/web/filter/
> authc/AuthenticatingFilter.java#L62-L72
>
>
>
> Are you trying to restrict an IP/range for a individual users. Or a range
> for the whole application?   A realm would work for the user case. For the
> application case, you could probably just create a filter.
>
>
>
> Either way, great stuff!
>
>
>
>
>
>
>
>
>
> On Tue, Jan 10, 2017 at 11:39 AM, Richard Wheeldon < 
> richard.wheeldon@voxsmart.com> wrote:
>
> Hi,
>
>
>
> Having broken the back of the token based MFA, my next quest in 
> bolting down my app is to add configurable IP-based restrictions. I’m 
> thinking of a realm which reads a list of IPs or ranges (v4 or v6) 
> from a DB then checks if the host matches.
>
>
>
> Two questions:
>
>    1. Is there any interest in my producing a generic / re-usable
>    JdbcHostRestrictionRealm and kicking it back upstream? I can probably do
>    this by cribbing from JdbcRealm.
>    2. My app is sat behind a load balancer which changes the IP address.
>    Since we control the load balancer we can trust the X-Forwarded-For header
>    in a downstream app. Is there a preferable place to hook in the logic to
>    read it from the request and set it on the token?
>
>
>
> Richard
>
>
>
>
>
Mime
View raw message