1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18 package edu.internet2.middleware.shibboleth.idp.authn.provider;
19
20 import java.net.InetAddress;
21 import java.net.UnknownHostException;
22 import java.util.ArrayList;
23 import java.util.List;
24
25 import javax.servlet.http.HttpServletRequest;
26 import javax.servlet.http.HttpServletResponse;
27
28 import org.opensaml.xml.util.DatatypeHelper;
29 import org.slf4j.Logger;
30 import org.slf4j.LoggerFactory;
31
32 import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
33 import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
34 import edu.internet2.middleware.shibboleth.idp.util.IPRange;
35
36
37
38
39
40
41
42 public class IPAddressLoginHandler extends AbstractLoginHandler {
43
44
45 private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandler.class);
46
47
48 private String authenticatedUser;
49
50
51 private List<IPRange> ipRanges;
52
53
54 private boolean ipInRangeIsAuthenticated;
55
56 public IPAddressLoginHandler(String user, List<IPRange> ranges, boolean ipInRangeIsAuthenticated) {
57 authenticatedUser = DatatypeHelper.safeTrimOrNullString(user);
58 if (authenticatedUser == null) {
59 throw new IllegalArgumentException("The authenticated user ID may not be null or empty");
60 }
61
62 if (ranges == null || ranges.isEmpty()) {
63 throw new IllegalArgumentException("The list of IP ranges may not be null or empty");
64 }
65 ipRanges = new ArrayList<IPRange>(ranges);
66
67 this.ipInRangeIsAuthenticated = ipInRangeIsAuthenticated;
68 }
69
70
71 public boolean supportsPassive() {
72 return true;
73 }
74
75
76 public boolean supportsForceAuthentication() {
77 return true;
78 }
79
80
81 public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
82 log.debug("Attempting to authenticated client '{}'", httpRequest.getRemoteAddr());
83 try {
84 InetAddress clientAddress = InetAddress.getByName(httpRequest.getRemoteAddr());
85 if (authenticate(clientAddress)) {
86 log.debug("Authenticated user by IP address");
87 httpRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, authenticatedUser);
88 } else {
89 log.debug("Client IP address {} failed authentication.", httpRequest.getRemoteAddr());
90 httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY,
91 "Client failed IP address authentication");
92 }
93 } catch (UnknownHostException e) {
94 String msg = "Unable to resolve " + httpRequest.getRemoteAddr() + " in to an IP address";
95 log.warn(msg);
96 httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, msg);
97 }
98
99 AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
100 }
101
102
103
104
105
106
107
108
109 protected boolean authenticate(InetAddress clientAddress) {
110 if (ipInRangeIsAuthenticated) {
111 for (IPRange range : ipRanges) {
112 if (range.contains(clientAddress)) {
113 return true;
114 }
115 }
116 } else {
117 for (IPRange range : ipRanges) {
118 if (!range.contains(clientAddress)) {
119 return true;
120 }
121 }
122 }
123
124 return false;
125 }
126 }