1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package edu.internet2.middleware.shibboleth.idp.authn.provider;
18
19 import java.net.InetAddress;
20 import java.net.UnknownHostException;
21 import java.util.ArrayList;
22 import java.util.List;
23
24 import javax.servlet.http.HttpServletRequest;
25 import javax.servlet.http.HttpServletResponse;
26
27 import org.opensaml.xml.util.DatatypeHelper;
28 import org.slf4j.Logger;
29 import org.slf4j.LoggerFactory;
30 import org.slf4j.helpers.MessageFormatter;
31
32 import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
33 import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
34 import edu.internet2.middleware.shibboleth.idp.util.IPRange;
35
36
37
38
39
40
41
42 public class IPAddressLoginHandler extends AbstractLoginHandler {
43
44
45 private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandler.class);
46
47
48 private String authenticatedUser;
49
50
51 private List<IPRange> ipRanges;
52
53
54 private boolean ipInRangeIsAuthenticated;
55
56 public IPAddressLoginHandler(String user, List<IPRange> ranges, boolean ipInRangeIsAuthenticated) {
57 authenticatedUser = DatatypeHelper.safeTrimOrNullString(user);
58 if (authenticatedUser == null) {
59 throw new IllegalArgumentException("The authenticated user ID may not be null or empty");
60 }
61
62 if (ranges == null || ranges.isEmpty()) {
63 throw new IllegalArgumentException("The list of IP ranges may not be null or empty");
64 }
65 ipRanges = new ArrayList<IPRange>(ranges);
66
67 this.ipInRangeIsAuthenticated = ipInRangeIsAuthenticated;
68 }
69
70
71 public boolean supportsPassive() {
72 return true;
73 }
74
75
76 public boolean supportsForceAuthentication() {
77 return true;
78 }
79
80
81 public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
82 log.debug("Attempting to authenticated client '{}'", httpRequest.getRemoteAddr());
83 try {
84 InetAddress clientAddress = InetAddress.getByName(httpRequest.getRemoteAddr());
85 if (authenticate(clientAddress)) {
86 log.debug("Authenticated user by IP address");
87 httpRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, authenticatedUser);
88 } else {
89 log.debug("Client IP address {} failed authentication.", httpRequest.getRemoteAddr());
90 httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY,
91 "Client failed IP address authentication");
92 }
93 } catch (UnknownHostException e) {
94 String msg = MessageFormatter.format("Unable to resolve {} in to an IP address", httpRequest
95 .getRemoteAddr());
96 log.warn(msg);
97 httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, msg);
98 }
99
100 AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
101 }
102
103
104
105
106
107
108
109
110 protected boolean authenticate(InetAddress clientAddress) {
111 if (ipInRangeIsAuthenticated) {
112 for (IPRange range : ipRanges) {
113 if (range.contains(clientAddress)) {
114 return true;
115 }
116 }
117 } else {
118 for (IPRange range : ipRanges) {
119 if (!range.contains(clientAddress)) {
120 return true;
121 }
122 }
123 }
124
125 return false;
126 }
127 }