1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package edu.internet2.middleware.shibboleth.idp.authn.provider;
18
19 import java.net.InetAddress;
20 import java.net.UnknownHostException;
21 import java.util.ArrayList;
22 import java.util.List;
23
24 import javax.servlet.http.HttpServletRequest;
25 import javax.servlet.http.HttpServletResponse;
26
27 import org.opensaml.xml.util.DatatypeHelper;
28 import org.slf4j.Logger;
29 import org.slf4j.LoggerFactory;
30
31 import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
32 import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
33 import edu.internet2.middleware.shibboleth.idp.util.IPRange;
34
35
36
37
38
39
40
41 public class IPAddressLoginHandler extends AbstractLoginHandler {
42
43
44 private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandler.class);
45
46
47 private String authenticatedUser;
48
49
50 private List<IPRange> ipRanges;
51
52
53 private boolean ipInRangeIsAuthenticated;
54
55 public IPAddressLoginHandler(String user, List<IPRange> ranges, boolean ipInRangeIsAuthenticated) {
56 authenticatedUser = DatatypeHelper.safeTrimOrNullString(user);
57 if (authenticatedUser == null) {
58 throw new IllegalArgumentException("The authenticated user ID may not be null or empty");
59 }
60
61 if (ranges == null || ranges.isEmpty()) {
62 throw new IllegalArgumentException("The list of IP ranges may not be null or empty");
63 }
64 ipRanges = new ArrayList<IPRange>(ranges);
65
66 this.ipInRangeIsAuthenticated = ipInRangeIsAuthenticated;
67 }
68
69
70 public boolean supportsPassive() {
71 return true;
72 }
73
74
75 public boolean supportsForceAuthentication() {
76 return true;
77 }
78
79
80 public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
81 log.debug("Attempting to authenticated client '{}'", httpRequest.getRemoteAddr());
82 try {
83 InetAddress clientAddress = InetAddress.getByName(httpRequest.getRemoteAddr());
84 if (authenticate(clientAddress)) {
85 log.debug("Authenticated user by IP address");
86 httpRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, authenticatedUser);
87 } else {
88 log.debug("Client IP address {} failed authentication.", httpRequest.getRemoteAddr());
89 httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY,
90 "Client failed IP address authentication");
91 }
92 } catch (UnknownHostException e) {
93 String msg = "Unable to resolve " + httpRequest.getRemoteAddr() + " in to an IP address";
94 log.warn(msg);
95 httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, msg);
96 }
97
98 AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
99 }
100
101
102
103
104
105
106
107
108 protected boolean authenticate(InetAddress clientAddress) {
109 if (ipInRangeIsAuthenticated) {
110 for (IPRange range : ipRanges) {
111 if (range.contains(clientAddress)) {
112 return true;
113 }
114 }
115 } else {
116 for (IPRange range : ipRanges) {
117 if (!range.contains(clientAddress)) {
118 return true;
119 }
120 }
121 }
122
123 return false;
124 }
125 }