View Javadoc

1   /*
2    * Copyright 2006 University Corporation for Advanced Internet Development, Inc.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package edu.internet2.middleware.shibboleth.idp.authn.provider;
18  
19  import java.net.InetAddress;
20  import java.net.UnknownHostException;
21  import java.util.ArrayList;
22  import java.util.List;
23  
24  import javax.servlet.http.HttpServletRequest;
25  import javax.servlet.http.HttpServletResponse;
26  
27  import org.opensaml.xml.util.DatatypeHelper;
28  import org.slf4j.Logger;
29  import org.slf4j.LoggerFactory;
30  
31  import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
32  import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
33  import edu.internet2.middleware.shibboleth.idp.util.IPRange;
34  
35  /**
36   * IP Address authentication handler.
37   * 
38   * This "authenticates" a user based on their IP address. It operates in either default deny or default allow mode, and
39   * evaluates a given request against a list of blocked or permitted IPs. It supports both IPv4 and IPv6.
40   */
41  public class IPAddressLoginHandler extends AbstractLoginHandler {
42  
43      /** Class logger. */
44      private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandler.class);
45  
46      /** The username to use for IP-address "authenticated" users. */
47      private String authenticatedUser;
48  
49      /** List of configured IP ranged. */
50      private List<IPRange> ipRanges;
51  
52      /** Whether a user is "authenticated" if their IP address is within a configured IP range. */
53      private boolean ipInRangeIsAuthenticated;
54  
55      public IPAddressLoginHandler(String user, List<IPRange> ranges, boolean ipInRangeIsAuthenticated) {
56          authenticatedUser = DatatypeHelper.safeTrimOrNullString(user);
57          if (authenticatedUser == null) {
58              throw new IllegalArgumentException("The authenticated user ID may not be null or empty");
59          }
60  
61          if (ranges == null || ranges.isEmpty()) {
62              throw new IllegalArgumentException("The list of IP ranges may not be null or empty");
63          }
64          ipRanges = new ArrayList<IPRange>(ranges);
65  
66          this.ipInRangeIsAuthenticated = ipInRangeIsAuthenticated;
67      }
68  
69      /** {@inheritDoc} */
70      public boolean supportsPassive() {
71          return true;
72      }
73  
74      /** {@inheritDoc} */
75      public boolean supportsForceAuthentication() {
76          return true;
77      }
78  
79      /** {@inheritDoc} */
80      public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
81          log.debug("Attempting to authenticated client '{}'", httpRequest.getRemoteAddr());
82          try {
83              InetAddress clientAddress = InetAddress.getByName(httpRequest.getRemoteAddr());
84              if (authenticate(clientAddress)) {
85                  log.debug("Authenticated user by IP address");
86                  httpRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, authenticatedUser);
87              } else {
88                  log.debug("Client IP address {} failed authentication.", httpRequest.getRemoteAddr());
89                  httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY,
90                          "Client failed IP address authentication");
91              }
92          } catch (UnknownHostException e) {
93              String msg = "Unable to resolve " + httpRequest.getRemoteAddr() + " in to an IP address";
94              log.warn(msg);
95              httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, msg);
96          }
97  
98          AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
99      }
100 
101     /**
102      * Authenticates the client address.
103      * 
104      * @param clientAddress the client address
105      * 
106      * @return true if the client address is authenticated, false it not
107      */
108     protected boolean authenticate(InetAddress clientAddress) {
109         if (ipInRangeIsAuthenticated) {
110             for (IPRange range : ipRanges) {
111                 if (range.contains(clientAddress)) {
112                     return true;
113                 }
114             }
115         } else {
116             for (IPRange range : ipRanges) {
117                 if (!range.contains(clientAddress)) {
118                     return true;
119                 }
120             }
121         }
122 
123         return false;
124     }
125 }