View Javadoc

1   /*
2    * Copyright 2006 University Corporation for Advanced Internet Development, Inc.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package edu.internet2.middleware.shibboleth.idp.authn.provider;
18  
19  import java.net.InetAddress;
20  import java.net.UnknownHostException;
21  import java.util.ArrayList;
22  import java.util.List;
23  
24  import javax.servlet.http.HttpServletRequest;
25  import javax.servlet.http.HttpServletResponse;
26  
27  import org.opensaml.xml.util.DatatypeHelper;
28  import org.slf4j.Logger;
29  import org.slf4j.LoggerFactory;
30  import org.slf4j.helpers.MessageFormatter;
31  
32  import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
33  import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
34  import edu.internet2.middleware.shibboleth.idp.util.IPRange;
35  
36  /**
37   * IP Address authentication handler.
38   * 
39   * This "authenticates" a user based on their IP address. It operates in either default deny or default allow mode, and
40   * evaluates a given request against a list of blocked or permitted IPs. It supports both IPv4 and IPv6.
41   */
42  public class IPAddressLoginHandler extends AbstractLoginHandler {
43  
44      /** Class logger. */
45      private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandler.class);
46  
47      /** The username to use for IP-address "authenticated" users. */
48      private String authenticatedUser;
49  
50      /** List of configured IP ranged. */
51      private List<IPRange> ipRanges;
52  
53      /** Whether a user is "authenticated" if their IP address is within a configured IP range. */
54      private boolean ipInRangeIsAuthenticated;
55  
56      public IPAddressLoginHandler(String user, List<IPRange> ranges, boolean ipInRangeIsAuthenticated) {
57          authenticatedUser = DatatypeHelper.safeTrimOrNullString(user);
58          if (authenticatedUser == null) {
59              throw new IllegalArgumentException("The authenticated user ID may not be null or empty");
60          }
61  
62          if (ranges == null || ranges.isEmpty()) {
63              throw new IllegalArgumentException("The list of IP ranges may not be null or empty");
64          }
65          ipRanges = new ArrayList<IPRange>(ranges);
66  
67          this.ipInRangeIsAuthenticated = ipInRangeIsAuthenticated;
68      }
69  
70      /** {@inheritDoc} */
71      public boolean supportsPassive() {
72          return true;
73      }
74  
75      /** {@inheritDoc} */
76      public boolean supportsForceAuthentication() {
77          return true;
78      }
79  
80      /** {@inheritDoc} */
81      public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
82          log.debug("Attempting to authenticated client '{}'", httpRequest.getRemoteAddr());
83          try {
84              InetAddress clientAddress = InetAddress.getByName(httpRequest.getRemoteAddr());
85              if (authenticate(clientAddress)) {
86                  log.debug("Authenticated user by IP address");
87                  httpRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, authenticatedUser);
88              } else {
89                  log.debug("Client IP address {} failed authentication.", httpRequest.getRemoteAddr());
90                  httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY,
91                          "Client failed IP address authentication");
92              }
93          } catch (UnknownHostException e) {
94              String msg = MessageFormatter.format("Unable to resolve {} in to an IP address", httpRequest
95                      .getRemoteAddr());
96              log.warn(msg);
97              httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, msg);
98          }
99  
100         AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
101     }
102 
103     /**
104      * Authenticates the client address.
105      * 
106      * @param clientAddress the client address
107      * 
108      * @return true if the client address is authenticated, false it not
109      */
110     protected boolean authenticate(InetAddress clientAddress) {
111         if (ipInRangeIsAuthenticated) {
112             for (IPRange range : ipRanges) {
113                 if (range.contains(clientAddress)) {
114                     return true;
115                 }
116             }
117         } else {
118             for (IPRange range : ipRanges) {
119                 if (!range.contains(clientAddress)) {
120                     return true;
121                 }
122             }
123         }
124 
125         return false;
126     }
127 }