RE: IP Based Restrictions

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

RE: IP Based Restrictions

Richard Wheeldon
Done. See http://rswheeldon.com/shiro-ip-filter.tgz

If someone would like to take a look / fix the default ini / help me get it into trunk it’d be appreciated,

Regards,

Richard

From: Brian Demers [mailto:[hidden email]]
Sent: Thursday, January 12, 2017 4:16 PM
To: [hidden email]
Subject: Re: IP Based Restrictions

I like it, we could even create a default IpSource so the INI file could work out of the box, something like:

[main]
ipFilter.ipSource = x.x.x.x, x.x.x.x/24


On Thu, Jan 12, 2017 at 5:25 AM, Richard Wheeldon <[hidden email]<mailto:[hidden email]>> wrote:
It’s the whole app for now.

So I could grab the IpAddressMatcher from Spring sec and repackage it (rather than introducing a dep between shiro and spring which would be a bit crazy)
https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java

Then create:

package org.apache.shiro.web.filter.authz;

public interface IpSource {
    public List<String> getIpRanges();
}

package org.apache.shiro.web.filter.authz;

public class IpFilter extends AuthorizationFilter {
    public void setIps(List<String> ips) { ... }
    public void setIpSource(IpSource source) { ... }
    public getHost(ServletRequest request) {
        return request.getRemoteHost();
    }
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        ...
        String host = getHost();
        for (IpAddressMatcher matcher : matchers) {
                    if (matcher.matches(host)) {
                return true;
            }
        }
        return false;
    }
}

package com.voxsmart.stuff;

public class XffIpFilter extends IpFilter {
    @Override
    public getHost()
        parseIpAddressFromXffHeader(request.getHeader(XFF_HEADER))
    }
}

package com.voxsmart.stuff;

public class DatabaseIpSource {

    @Override
    public getIpRanges() {
        ... select range from ...
    }
}

And put in shiro.ini:
[main]
ipSource = com.voxsmart.stuff.DatabaseIpSource
ipFilter = com.voxsmart.stuff.XffIpFilter
ipFilter.ipSource = ipSource

[urls]
/* = ipSource,...

Does this seem reasonable?

From: Brian Demers [mailto:[hidden email]<mailto:[hidden email]>]
Sent: Tuesday, January 10, 2017 5:14 PM
To: [hidden email]<mailto:[hidden email]>
Subject: Re: IP Based Restrictions

Take a look at this block of code in the AuthenticatingFilter:
https://github.com/apache/shiro/blob/ef5450b9f4be74ee930401115394823b9e1fc3e6/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java#L62-L72

Are you trying to restrict an IP/range for a individual users. Or a range for the whole application?   A realm would work for the user case. For the application case, you could probably just create a filter.

Either way, great stuff!




On Tue, Jan 10, 2017 at 11:39 AM, Richard Wheeldon <[hidden email]<mailto:[hidden email]>> wrote:
Hi,

Having broken the back of the token based MFA, my next quest in bolting down my app is to add configurable IP-based restrictions. I’m thinking of a realm which reads a list of IPs or ranges (v4 or v6) from a DB then checks if the host matches.

Two questions:

  1.  Is there any interest in my producing a generic / re-usable JdbcHostRestrictionRealm and kicking it back upstream? I can probably do this by cribbing from JdbcRealm.
  2.  My app is sat behind a load balancer which changes the IP address. Since we control the load balancer we can trust the X-Forwarded-For header in a downstream app. Is there a preferable place to hook in the logic to read it from the request and set it on the token?

Richard


Reply | Threaded
Open this post in threaded view
|

Re: IP Based Restrictions

Brian Demers
Can you put this in a pull request for github.com/apache/shiro ?

On Tue, Jan 31, 2017 at 1:35 PM, Richard Wheeldon <
[hidden email]> wrote:

> Done. See http://rswheeldon.com/shiro-ip-filter.tgz
>
>
>
> If someone would like to take a look / fix the default ini / help me get
> it into trunk it’d be appreciated,
>
>
>
> Regards,
>
>
>
> Richard
>
>
>
> *From:* Brian Demers [mailto:[hidden email]]
> *Sent:* Thursday, January 12, 2017 4:16 PM
>
> *To:* [hidden email]
> *Subject:* Re: IP Based Restrictions
>
>
>
> I like it, we could even create a default IpSource so the INI file could
> work out of the box, something like:
>
>
>
> [main]
>
> ipFilter.ipSource = x.x.x.x, x.x.x.x/24
>
>
>
>
>
> On Thu, Jan 12, 2017 at 5:25 AM, Richard Wheeldon <
> [hidden email]> wrote:
>
> It’s the whole app for now.
>
>
>
> So I could grab the IpAddressMatcher from Spring sec and repackage it
> (rather than introducing a dep between shiro and spring which would be a
> bit crazy)
>
> https://github.com/spring-projects/spring-security/blob/
> master/web/src/main/java/org/springframework/security/web/
> util/matcher/IpAddressMatcher.java
>
>
>
> Then create:
>
>
>
> package org.apache.shiro.web.filter.authz;
>
>
>
> public interface IpSource {
>
>     public List<String> getIpRanges();
>
> }
>
>
>
> package org.apache.shiro.web.filter.authz;
>
>
>
> public class IpFilter extends AuthorizationFilter {
>
>     public void setIps(List<String> ips) { ... }
>
>     public void setIpSource(IpSource source) { ... }
>
>     public getHost(ServletRequest request) {
>
>         return request.getRemoteHost();
>
>     }
>
>     @Override
>
>     protected boolean isAccessAllowed(ServletRequest request,
> ServletResponse response, Object mappedValue) throws Exception {
>
>         ...
>
>         String host = getHost();
>
>         for (IpAddressMatcher matcher : matchers) {
>
>                     if (matcher.matches(host)) {
>
>                 return true;
>
>             }
>
>         }
>
>         return false;
>
>     }
>
> }
>
>
>
> package com.voxsmart.stuff;
>
>
>
> public class XffIpFilter extends IpFilter {
>
>     @Override
>
>     public getHost()
>
>         parseIpAddressFromXffHeader(request.getHeader(XFF_HEADER))
>
>     }
>
> }
>
>
>
> package com.voxsmart.stuff;
>
>
>
> public class DatabaseIpSource {
>
>
>
>     @Override
>
>     public getIpRanges() {
>
>         ... select range from ...
>
>     }
>
> }
>
>
>
> And put in shiro.ini:
>
> [main]
>
> ipSource = com.voxsmart.stuff.DatabaseIpSource
>
> ipFilter = com.voxsmart.stuff.XffIpFilter
>
> ipFilter.ipSource = ipSource
>
>
>
> [urls]
>
> /* = ipSource,...
>
>
>
> Does this seem reasonable?
>
>
>
> *From:* Brian Demers [mailto:[hidden email]]
> *Sent:* Tuesday, January 10, 2017 5:14 PM
> *To:* [hidden email]
> *Subject:* Re: IP Based Restrictions
>
>
>
> Take a look at this block of code in the AuthenticatingFilter:
>
> https://github.com/apache/shiro/blob/ef5450b9f4be74ee93040111539482
> 3b9e1fc3e6/web/src/main/java/org/apache/shiro/web/filter/
> authc/AuthenticatingFilter.java#L62-L72
>
>
>
> Are you trying to restrict an IP/range for a individual users. Or a range
> for the whole application?   A realm would work for the user case. For the
> application case, you could probably just create a filter.
>
>
>
> Either way, great stuff!
>
>
>
>
>
>
>
>
>
> On Tue, Jan 10, 2017 at 11:39 AM, Richard Wheeldon <
> [hidden email]> wrote:
>
> Hi,
>
>
>
> Having broken the back of the token based MFA, my next quest in bolting
> down my app is to add configurable IP-based restrictions. I’m thinking of a
> realm which reads a list of IPs or ranges (v4 or v6) from a DB then checks
> if the host matches.
>
>
>
> Two questions:
>
>    1. Is there any interest in my producing a generic / re-usable
>    JdbcHostRestrictionRealm and kicking it back upstream? I can probably do
>    this by cribbing from JdbcRealm.
>    2. My app is sat behind a load balancer which changes the IP address.
>    Since we control the load balancer we can trust the X-Forwarded-For header
>    in a downstream app. Is there a preferable place to hook in the logic to
>    read it from the request and set it on the token?
>
>
>
> Richard
>
>
>
>
>
Reply | Threaded
Open this post in threaded view
|

RE: IP Based Restrictions

Richard Wheeldon
Sure. How? Is there a cheat sheet around?

-----Original Message-----
From: Brian Demers [mailto:[hidden email]]
Sent: Tuesday, January 31, 2017 8:49 PM
To: [hidden email]
Cc: [hidden email]
Subject: Re: IP Based Restrictions

Can you put this in a pull request for github.com/apache/shiro ?

On Tue, Jan 31, 2017 at 1:35 PM, Richard Wheeldon < [hidden email]> wrote:

> Done. See http://rswheeldon.com/shiro-ip-filter.tgz
>
>
>
> If someone would like to take a look / fix the default ini / help me
> get it into trunk it’d be appreciated,
>
>
>
> Regards,
>
>
>
> Richard
>
>
>
> *From:* Brian Demers [mailto:[hidden email]]
> *Sent:* Thursday, January 12, 2017 4:16 PM
>
> *To:* [hidden email]
> *Subject:* Re: IP Based Restrictions
>
>
>
> I like it, we could even create a default IpSource so the INI file
> could work out of the box, something like:
>
>
>
> [main]
>
> ipFilter.ipSource = x.x.x.x, x.x.x.x/24
>
>
>
>
>
> On Thu, Jan 12, 2017 at 5:25 AM, Richard Wheeldon <
> [hidden email]> wrote:
>
> It’s the whole app for now.
>
>
>
> So I could grab the IpAddressMatcher from Spring sec and repackage it
> (rather than introducing a dep between shiro and spring which would be
> a bit crazy)
>
> https://github.com/spring-projects/spring-security/blob/
> master/web/src/main/java/org/springframework/security/web/
> util/matcher/IpAddressMatcher.java
>
>
>
> Then create:
>
>
>
> package org.apache.shiro.web.filter.authz;
>
>
>
> public interface IpSource {
>
>     public List<String> getIpRanges();
>
> }
>
>
>
> package org.apache.shiro.web.filter.authz;
>
>
>
> public class IpFilter extends AuthorizationFilter {
>
>     public void setIps(List<String> ips) { ... }
>
>     public void setIpSource(IpSource source) { ... }
>
>     public getHost(ServletRequest request) {
>
>         return request.getRemoteHost();
>
>     }
>
>     @Override
>
>     protected boolean isAccessAllowed(ServletRequest request,
> ServletResponse response, Object mappedValue) throws Exception {
>
>         ...
>
>         String host = getHost();
>
>         for (IpAddressMatcher matcher : matchers) {
>
>                     if (matcher.matches(host)) {
>
>                 return true;
>
>             }
>
>         }
>
>         return false;
>
>     }
>
> }
>
>
>
> package com.voxsmart.stuff;
>
>
>
> public class XffIpFilter extends IpFilter {
>
>     @Override
>
>     public getHost()
>
>         parseIpAddressFromXffHeader(request.getHeader(XFF_HEADER))
>
>     }
>
> }
>
>
>
> package com.voxsmart.stuff;
>
>
>
> public class DatabaseIpSource {
>
>
>
>     @Override
>
>     public getIpRanges() {
>
>         ... select range from ...
>
>     }
>
> }
>
>
>
> And put in shiro.ini:
>
> [main]
>
> ipSource = com.voxsmart.stuff.DatabaseIpSource
>
> ipFilter = com.voxsmart.stuff.XffIpFilter
>
> ipFilter.ipSource = ipSource
>
>
>
> [urls]
>
> /* = ipSource,...
>
>
>
> Does this seem reasonable?
>
>
>
> *From:* Brian Demers [mailto:[hidden email]]
> *Sent:* Tuesday, January 10, 2017 5:14 PM
> *To:* [hidden email]
> *Subject:* Re: IP Based Restrictions
>
>
>
> Take a look at this block of code in the AuthenticatingFilter:
>
> https://github.com/apache/shiro/blob/ef5450b9f4be74ee93040111539482
> 3b9e1fc3e6/web/src/main/java/org/apache/shiro/web/filter/
> authc/AuthenticatingFilter.java#L62-L72
>
>
>
> Are you trying to restrict an IP/range for a individual users. Or a range
> for the whole application?   A realm would work for the user case. For the
> application case, you could probably just create a filter.
>
>
>
> Either way, great stuff!
>
>
>
>
>
>
>
>
>
> On Tue, Jan 10, 2017 at 11:39 AM, Richard Wheeldon <
> [hidden email]> wrote:
>
> Hi,
>
>
>
> Having broken the back of the token based MFA, my next quest in
> bolting down my app is to add configurable IP-based restrictions. I’m
> thinking of a realm which reads a list of IPs or ranges (v4 or v6)
> from a DB then checks if the host matches.
>
>
>
> Two questions:
>
>    1. Is there any interest in my producing a generic / re-usable
>    JdbcHostRestrictionRealm and kicking it back upstream? I can probably do
>    this by cribbing from JdbcRealm.
>    2. My app is sat behind a load balancer which changes the IP address.
>    Since we control the load balancer we can trust the X-Forwarded-For header
>    in a downstream app. Is there a preferable place to hook in the logic to
>    read it from the request and set it on the token?
>
>
>
> Richard
>
>
>
>
>