View Javadoc

1   /*
2    * Licensed to the University Corporation for Advanced Internet Development, 
3    * Inc. (UCAID) under one or more contributor license agreements.  See the 
4    * NOTICE file distributed with this work for additional information regarding
5    * copyright ownership. The UCAID licenses this file to You under the Apache 
6    * License, Version 2.0 (the "License"); you may not use this file except in 
7    * compliance with the License.  You may obtain a copy of the License at
8    *
9    *    http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  
18  package edu.internet2.middleware.shibboleth.idp.authn.provider;
19  
20  import java.net.InetAddress;
21  import java.net.UnknownHostException;
22  import java.util.ArrayList;
23  import java.util.List;
24  
25  import javax.servlet.http.HttpServletRequest;
26  import javax.servlet.http.HttpServletResponse;
27  
28  import org.opensaml.xml.util.DatatypeHelper;
29  import org.slf4j.Logger;
30  import org.slf4j.LoggerFactory;
31  
32  import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
33  import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
34  import edu.internet2.middleware.shibboleth.idp.util.IPRange;
35  
36  /**
37   * IP Address authentication handler.
38   * 
39   * This "authenticates" a user based on their IP address. It operates in either default deny or default allow mode, and
40   * evaluates a given request against a list of blocked or permitted IPs. It supports both IPv4 and IPv6.
41   */
42  public class IPAddressLoginHandler extends AbstractLoginHandler {
43  
44      /** Class logger. */
45      private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandler.class);
46  
47      /** The username to use for IP-address "authenticated" users. */
48      private String authenticatedUser;
49  
50      /** List of configured IP ranged. */
51      private List<IPRange> ipRanges;
52  
53      /** Whether a user is "authenticated" if their IP address is within a configured IP range. */
54      private boolean ipInRangeIsAuthenticated;
55  
56      public IPAddressLoginHandler(String user, List<IPRange> ranges, boolean ipInRangeIsAuthenticated) {
57          authenticatedUser = DatatypeHelper.safeTrimOrNullString(user);
58          if (authenticatedUser == null) {
59              throw new IllegalArgumentException("The authenticated user ID may not be null or empty");
60          }
61  
62          if (ranges == null || ranges.isEmpty()) {
63              throw new IllegalArgumentException("The list of IP ranges may not be null or empty");
64          }
65          ipRanges = new ArrayList<IPRange>(ranges);
66  
67          this.ipInRangeIsAuthenticated = ipInRangeIsAuthenticated;
68      }
69  
70      /** {@inheritDoc} */
71      public boolean supportsPassive() {
72          return true;
73      }
74  
75      /** {@inheritDoc} */
76      public boolean supportsForceAuthentication() {
77          return true;
78      }
79  
80      /** {@inheritDoc} */
81      public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
82          log.debug("Attempting to authenticated client '{}'", httpRequest.getRemoteAddr());
83          try {
84              InetAddress clientAddress = InetAddress.getByName(httpRequest.getRemoteAddr());
85              if (authenticate(clientAddress)) {
86                  log.debug("Authenticated user by IP address");
87                  httpRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, authenticatedUser);
88              } else {
89                  log.debug("Client IP address {} failed authentication.", httpRequest.getRemoteAddr());
90                  httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY,
91                          "Client failed IP address authentication");
92              }
93          } catch (UnknownHostException e) {
94              String msg = "Unable to resolve " + httpRequest.getRemoteAddr() + " in to an IP address";
95              log.warn(msg);
96              httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, msg);
97          }
98  
99          AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
100     }
101 
102     /**
103      * Authenticates the client address.
104      * 
105      * @param clientAddress the client address
106      * 
107      * @return true if the client address is authenticated, false it not
108      */
109     protected boolean authenticate(InetAddress clientAddress) {
110         if (ipInRangeIsAuthenticated) {
111             for (IPRange range : ipRanges) {
112                 if (range.contains(clientAddress)) {
113                     return true;
114                 }
115             }
116         } else {
117             for (IPRange range : ipRanges) {
118                 if (!range.contains(clientAddress)) {
119                     return true;
120                 }
121             }
122         }
123 
124         return false;
125     }
126 }