src/edu/internet2/middleware/shibboleth/idp/authn/impl/IPAddressHandler.java

   1 /*
   2  * Copyright [2006] [University Corporation for Advanced Internet Development, Inc.]
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  * http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 package edu.internet2.middleware.shibboleth.idp.authn.impl;
  18
  19 import java.net.InetAddress;
  20 import java.net.UnknownHostException;
  21 import java.util.List;
  22
  23 import java.util.concurrent.CopyOnWriteArrayList;
  24
  25 import javax.servlet.RequestDispatcher;
  26 import javax.servlet.http.HttpServletRequest;
  27 import javax.servlet.http.HttpServletResponse;
  28 import javax.servlet.http.HttpSession;
  29 import javax.servlet.ServletRequest;
  30
  31 import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationHandler;
  32 import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
  33
  34 import org.apache.log4j.Logger;
  35
  36 import org.joda.time.DateTime;
  37
  38 /**
  39  * IP Address authentication handler.
  40  *
  41  * This "authenticates" a user based on their IP address. It operates in either
  42  * default deny or default allow mode, and evaluates a given request against a
  43  * list of blocked or permitted IPs. It supports both IPv4 and IPv6.
  44  */
  45 public class IPAddressHandler implements AuthenticationHandler {
  46
  47         private static final Logger log = Logger.getLogger(IPAddressHandler.class
  48                         .getName());
  49
  50         /** the URI of the AuthnContextDeclRef or the AuthnContextClass */
  51         private String authnMethodURI;
  52
  53         /** The return location */
  54         private String returnLocation;
  55
  56         /** Are the IPs in ipList a permitted list or a deny list */
  57         private boolean defaultDeny;
  58
  59         /** The list of denied or permitted IPs */
  60         private List<InetAddress> ipList;
  61
  62         /** Creates a new instance of IPAddressHandler */
  63         public IPAddressHandler() {
  64         }
  65
  66         /**
  67          * Set the permitted IP addresses.
  68          *
  69          * If <code>defaultDeny</code> is <code>true</code> then only the IP
  70          * addresses in <code>ipList</code> will be "authenticated." If
  71          * <code>defaultDeny</code> is <code>false</code>, then all IP
  72          * addresses except those in <code>ipList</code> will be authenticated.
  73          *
  74          * @param ipList
  75          *            A list of {@link InetAddress}es.
  76          * @param defaultDeny
  77          *            Does <code>ipList</code> contain a deny or permit list.
  78          */
  79         public void setIpList(final List<InetAddress> ipList, boolean defaultDeny) {
  80
  81                 this.ipList = new CopyOnWriteArrayList(ipList);
  82                 this.defaultDeny = defaultDeny;
  83         }
  84
  85         /** {@inheritDoc   */
  86         public void setReturnLocation(String location) {
  87                 this.returnLocation = location;
  88         }
  89
  90         /** @{inheritDoc} */
  91         public boolean supportsPassive() {
  92                 return (true);
  93         }
  94
  95         /** {@inheritDoc} */
  96         public boolean supportsForceAuthentication() {
  97                 return (true);
  98         }
  99
 100         /** {@inheritDoc} */
 101         public void logout(HttpServletRequest request,
 102                         HttpServletResponse response, String principal) {
 103
 104                 RequestDispatcher dispatcher = request
 105                                 .getRequestDispatcher(returnLocation);
 106                 // dispatcher.forward(request, response);
 107         }
 108
 109         /** {@inheritDoc} */
 110         public void login(HttpServletRequest request, HttpServletResponse response,
 111                         LoginContext loginCtx) {
 112
 113                 loginContext.setAuthenticationAttempted();
 114                 loginContext.setAuthenticationInstant(new DateTime());
 115
 116                 if (defaultDeny) {
 117                         handleDefaultDeny(request, response, loginContext);
 118                 } else {
 119                         handleDefaultAllow(request, response, loginContext);
 120                 }
 121         }
 122
 123         protected void handleDefaultDeny(HttpServletRequest request,
 124                         HttpServletResponse response, LoginContext loginCtx) {
 125
 126                 boolean ipAllowed = searchIpList(request);
 127
 128                 if (ipAllowed) {
 129                         loginCtx.setAuthenticationOK(true);
 130                 } else {
 131                         loginCtx.setAuthenticationOK(false);
 132                         loginCtx
 133                                         .setAuthenticationFailureMessage("User's IP is not in the permitted list.");
 134                 }
 135         }
 136
 137         protected void handleDefaultAllow(HttpServletRequest request,
 138                         HttpServletResponse response, LoginContext loginCtx) {
 139
 140                 boolean ipDenied = searchIpList(request);
 141
 142                 if (ipDenied) {
 143                         loginCtx.setAuthenticationOK(false);
 144                         loginCtx
 145                                         .setAuthenticationFailureMessage("Users's IP is in the deny list.");
 146                 } else {
 147                         loginCtx.setAuthenticationOK(true);
 148                 }
 149         }
 150
 151         /**
 152          * Search the list of InetAddresses for the client's address.
 153          *
 154          * @param request
 155          *            The ServletReqeust
 156          *
 157          * @return <code>true</code> if the client's address is in
 158          *         <code>this.ipList</code>
 159          */
 160         private boolean searchIpList(final ServletRequest request) {
 161
 162                 boolean found = false;
 163
 164                 try {
 165                         InetAddress[] addrs = InetAddress.getAllByName(request
 166                                         .getRemoteAddr());
 167                         for (InetAddress a : addrs) {
 168                                 if (ipList.contains(a)) {
 169                                         found = true;
 170                                         break;
 171                                 }
 172                         }
 173                 } catch (UnknownHostException ex) {
 174                         log.error("Error resolving hostname: ", ex);
 175                 }
 176
 177                 return (found);
 178         }
 179
 180 }