Posted to dev@shiro.apache.org by Richard Wheeldon <ri...@voxsmart.com> on 2017/01/31 18:35:13 UTC
RE: IP Based Restrictions
Done. See http://rswheeldon.com/shiro-ip-filter.tgz
If someone would like to take a look / fix the default ini / help me get it into trunk it'd be appreciated.
Regards,
Richard
From: Brian Demers [mailto:brian.demers@gmail.com]
Sent: Thursday, January 12, 2017 4:16 PM
To: user@shiro.apache.org
Subject: Re: IP Based Restrictions
I like it, we could even create a default IpSource so the INI file could work out of the box, something like:
[main]
ipFilter.ipSource = x.x.x.x, x.x.x.x/24
On Thu, Jan 12, 2017 at 5:25 AM, Richard Wheeldon <ri...@voxsmart.com> wrote:
It’s the whole app for now.
So I could grab the IpAddressMatcher from Spring sec and repackage it (rather than introducing a dep between shiro and spring which would be a bit crazy)
https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
Then create:
package org.apache.shiro.web.filter.authz;

import java.util.List;

public interface IpSource {
    List<String> getIpRanges();
}

package org.apache.shiro.web.filter.authz;

import java.util.List;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public class IpFilter extends AuthorizationFilter {
    public void setIps(List<String> ips) { ... }
    public void setIpSource(IpSource source) { ... }

    // getRemoteAddr() is the peer's IP; getRemoteHost() may return a reverse-resolved
    // host name, which no address range would ever match
    protected String getHost(ServletRequest request) {
        return request.getRemoteAddr();
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        ...
        String host = getHost(request);
        for (IpAddressMatcher matcher : matchers) {
            if (matcher.matches(host)) {
                return true;
            }
        }
        return false;
    }
}

package com.voxsmart.stuff;

import javax.servlet.ServletRequest;
import org.apache.shiro.web.filter.authz.IpFilter;
import org.apache.shiro.web.util.WebUtils;

public class XffIpFilter extends IpFilter {
    @Override
    protected String getHost(ServletRequest request) {
        // getHeader() lives on HttpServletRequest, not ServletRequest
        return parseIpAddressFromXffHeader(WebUtils.toHttp(request).getHeader(XFF_HEADER));
    }
}

package com.voxsmart.stuff;

import java.util.List;
import org.apache.shiro.web.filter.authz.IpSource;

public class DatabaseIpSource implements IpSource {
    @Override
    public List<String> getIpRanges() {
        ... select range from ...
    }
}
And put in shiro.ini:
[main]
ipSource = com.voxsmart.stuff.DatabaseIpSource
ipFilter = com.voxsmart.stuff.XffIpFilter
ipFilter.ipSource = $ipSource

[urls]
/* = ipFilter,...
Does this seem reasonable?
From: Brian Demers [mailto:brian.demers@gmail.com]
Sent: Tuesday, January 10, 2017 5:14 PM
To: user@shiro.apache.org
Subject: Re: IP Based Restrictions
Take a look at this block of code in the AuthenticatingFilter:
https://github.com/apache/shiro/blob/ef5450b9f4be74ee930401115394823b9e1fc3e6/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java#L62-L72
Are you trying to restrict an IP/range for individual users, or a range for the whole application? A realm would work for the user case. For the application case, you could probably just create a filter.
Either way, great stuff!
On Tue, Jan 10, 2017 at 11:39 AM, Richard Wheeldon <ri...@voxsmart.com> wrote:
Hi,
Having broken the back of the token based MFA, my next quest in bolting down my app is to add configurable IP-based restrictions. I’m thinking of a realm which reads a list of IPs or ranges (v4 or v6) from a DB then checks if the host matches.
Two questions:
1. Is there any interest in my producing a generic / re-usable JdbcHostRestrictionRealm and kicking it back upstream? I can probably do this by cribbing from JdbcRealm.
2. My app is sat behind a load balancer which changes the IP address. Since we control the load balancer we can trust the X-Forwarded-For header in a downstream app. Is there a preferable place to hook in the logic to read it from the request and set it on the token?
Richard
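The sketch in the message above leaves two things as "...": the IP/range matching (Richard plans to repackage Spring Security's IpAddressMatcher) and the X-Forwarded-For parsing in XffIpFilter. The block below is an added example, not Shiro code and not code from this thread, that implements both on the plain JDK so it runs without the servlet API. It also adds the check the XffIpFilter sketch does not have: the header is honoured only when the TCP peer (what request.getRemoteAddr() returns) is one of the trusted load balancers, and the comma-separated list is read from the right, because a client that connects directly, or that sends its own X-Forwarded-For value for the balancer to append to, can otherwise put any permitted address in the header. The class and method names (IpAllowListExample, CidrMatcher, clientAddress, isAllowed), the trusted-proxy list and the sample addresses are this example's own assumptions.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

// Added example, not Shiro's code and not the code from the thread: the two pieces an
// IpFilter like the one sketched above needs, on the plain JDK (no servlet API).
// CidrMatcher, clientAddress and isAllowed are this example's own names.
public class IpAllowListExample {

    /** One literal address or CIDR range, IPv4 or IPv6, compared bitwise on the prefix. */
    static final class CidrMatcher {
        private final byte[] network;
        private final int prefixLen;

        CidrMatcher(String range) {
            int slash = range.indexOf('/');
            network = parseLiteral(slash < 0 ? range : range.substring(0, slash));
            prefixLen = slash < 0 ? network.length * 8 : Integer.parseInt(range.substring(slash + 1));
            if (prefixLen < 0 || prefixLen > network.length * 8) {
                throw new IllegalArgumentException("bad prefix length in " + range);
            }
        }

        boolean matches(String ip) {
            byte[] candidate;
            try {
                candidate = parseLiteral(ip);
            } catch (IllegalArgumentException e) {
                return false;                    // unparseable input never matches (fail closed)
            }
            if (candidate.length != network.length) {
                return false;                    // a v4 range cannot match a v6 client
            }
            int fullBytes = prefixLen / 8, bits = prefixLen % 8;
            for (int i = 0; i < fullBytes; i++) {
                if (candidate[i] != network[i]) return false;
            }
            int mask = bits == 0 ? 0 : (0xFF << (8 - bits)) & 0xFF;
            return bits == 0 || (candidate[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    // Parses an IP literal only: InetAddress.getByName would resolve a host name over DNS
    // and maps "" to loopback, so the characters are checked first. An IPv4-mapped IPv6
    // literal (::ffff:a.b.c.d) comes back as four bytes and so matches IPv4 ranges.
    static byte[] parseLiteral(String ip) {
        if (ip == null || !ip.matches("[0-9A-Fa-f.:]+")) {
            throw new IllegalArgumentException("not an IP literal: " + ip);
        }
        try {
            return InetAddress.getByName(ip).getAddress();
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("not an IP literal: " + ip, e);
        }
    }

    static boolean anyMatch(String ip, List<CidrMatcher> ranges) {
        for (CidrMatcher m : ranges) {
            if (m.matches(ip)) return true;
        }
        return false;
    }

    // The address to authorise. remoteAddr is the TCP peer (request.getRemoteAddr()).
    // X-Forwarded-For is client-controlled, so it is consulted only when that peer is a
    // trusted proxy, and walked from the right: proxies append the address they saw, so
    // the rightmost entry that is not one of our proxies is the real client and anything
    // left of it is unverified.
    static String clientAddress(String remoteAddr, String xff, List<CidrMatcher> trustedProxies) {
        if (xff == null || !anyMatch(remoteAddr, trustedProxies)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !anyMatch(hop, trustedProxies)) return hop;
        }
        return remoteAddr;                       // every hop was one of our proxies (e.g. a health check)
    }

    static boolean isAllowed(String remoteAddr, String xff,
                             List<CidrMatcher> trustedProxies, List<CidrMatcher> allowList) {
        return anyMatch(clientAddress(remoteAddr, xff, trustedProxies), allowList);
    }

    public static void main(String[] args) {
        // Constructed sample configuration: one load-balancer subnet, two permitted ranges.
        List<CidrMatcher> proxies = Arrays.asList(new CidrMatcher("10.0.0.0/24"));
        List<CidrMatcher> allowed = Arrays.asList(new CidrMatcher("203.0.113.0/24"),
                                                  new CidrMatcher("2001:db8::/32"));
        // Through the balancer, client inside a permitted range.
        System.out.println(isAllowed("10.0.0.5", "203.0.113.7", proxies, allowed));
        // Client sent a permitted address itself; the balancer appended the real, unpermitted one.
        System.out.println(isAllowed("10.0.0.5", "203.0.113.7, 198.51.100.9", proxies, allowed));
        // Direct connection that bypassed the balancer: the header is not consulted at all.
        System.out.println(isAllowed("198.51.100.9", "203.0.113.7", proxies, allowed));
        // IPv6 client, then an IPv4-mapped spelling of a permitted v4 address.
        System.out.println(isAllowed("10.0.0.5", "2001:db8:1::42", proxies, allowed));
        System.out.println(isAllowed("10.0.0.5", "::ffff:203.0.113.9", proxies, allowed));
    }
}
```

To use this from an IpFilter, call isAllowed with request.getRemoteAddr() and the raw X-Forwarded-For header value, building the allow list from the IpSource and the trusted-proxy list from configuration; getRemoteHost() is the wrong input, since a container may hand back a reverse-resolved host name that no range will match. If the application is ever reachable without going through the balancer, the trusted-proxy check is what stops the header from becoming a bypass of the whole filter.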
Re: IP Based Restrictions
Posted by Brian Demers <br...@gmail.com>.
Thanks Alexander!
We also have a CONTRIBUTING.md
<https://github.com/apache/shiro/blob/master/CONTRIBUTING.md> in the root
of the repo.
Richard, thanks! we can move the rest of the discussion over there.
On Wed, Feb 1, 2017 at 6:45 AM, Richard Wheeldon <
richard.wheeldon@voxsmart.com> wrote:
> Cool. Thanks. Done. https://github.com/apache/shiro/pull/57
>
> Richard
RE: IP Based Restrictions
Posted by Richard Wheeldon <ri...@voxsmart.com>.
Cool. Thanks. Done. https://github.com/apache/shiro/pull/57
Richard
-----Original Message-----
From: Alexander Openkowski [mailto:opncow@googlemail.com]
Sent: Wednesday, February 1, 2017 10:52 AM
To: user@shiro.apache.org
Subject: Re: IP Based Restrictions
This one looks good to me:
https://gist.github.com/Chaser324/ce0505fbed06b947d962
On 02/01/2017 11:18 AM, Richard Wheeldon wrote:
> Sure. How? Is there a cheat sheet around?
Re: IP Based Restrictions
Posted by Alexander Openkowski <op...@googlemail.com>.
This one looks good to me:
https://gist.github.com/Chaser324/ce0505fbed06b947d962
On 02/01/2017 11:18 AM, Richard Wheeldon wrote:
> Sure. How? Is there a cheat sheet around?
RE: IP Based Restrictions
Posted by Richard Wheeldon <ri...@voxsmart.com>.
Sure. How? Is there a cheat sheet around?
-----Original Message-----
From: Brian Demers [mailto:brian.demers@gmail.com]
Sent: Tuesday, January 31, 2017 8:49 PM
To: user@shiro.apache.org
Cc: dev@shiro.apache.org
Subject: Re: IP Based Restrictions
Can you put this in a pull request for github.com/apache/shiro ?
On Tue, Jan 31, 2017 at 1:35 PM, Richard Wheeldon < richard.wheeldon@voxsmart.com> wrote:
> Done. See http://rswheeldon.com/shiro-ip-filter.tgz
Re: IP Based Restrictions
Posted by Brian Demers <br...@gmail.com>.
Can you put this in a pull request for github.com/apache/shiro ?
On Tue, Jan 31, 2017 at 1:35 PM, Richard Wheeldon <
richard.wheeldon@voxsmart.com> wrote:
> Done. See http://rswheeldon.com/shiro-ip-filter.tgz
>
>
>
> If someone would like to take a look / fix the default ini / help me get
> it into trunk it’d be appreciated,
>
>
>
> Regards,
>
>
>
> Richard
>
>
>
> *From:* Brian Demers [mailto:brian.demers@gmail.com]
> *Sent:* Thursday, January 12, 2017 4:16 PM
>
> *To:* user@shiro.apache.org
> *Subject:* Re: IP Based Restrictions
>
>
>
> I like it, we could even create a default IpSource so the INI file could
> work out of the box, something like:
>
>
>
> [main]
>
> ipFilter.ipSource = x.x.x.x, x.x.x.x/24
>
>
>
>
>
> On Thu, Jan 12, 2017 at 5:25 AM, Richard Wheeldon <
> richard.wheeldon@voxsmart.com> wrote:
>
> It’s the whole app for now.
>
>
>
> So I could grab the IpAddressMatcher from Spring sec and repackage it
> (rather than introducing a dep between shiro and spring which would be a
> bit crazy)
>
> https://github.com/spring-projects/spring-security/blob/
> master/web/src/main/java/org/springframework/security/web/
> util/matcher/IpAddressMatcher.java
>
>
>
> Then create:
>
>
>
> package org.apache.shiro.web.filter.authz;
>
>
>
> public interface IpSource {
>
> public List<String> getIpRanges();
>
> }
>
>
>
> package org.apache.shiro.web.filter.authz;
>
>
>
> public class IpFilter extends AuthorizationFilter {
>
> public void setIps(List<String> ips) { ... }
>
> public void setIpSource(IpSource source) { ... }
>
> public getHost(ServletRequest request) {
>
> return request.getRemoteHost();
>
> }
>
> @Override
>
> protected boolean isAccessAllowed(ServletRequest request,
> ServletResponse response, Object mappedValue) throws Exception {
>
> ...
>
> String host = getHost();
>
> for (IpAddressMatcher matcher : matchers) {
>
> if (matcher.matches(host)) {
>
> return true;
>
> }
>
> }
>
> return false;
>
> }
>
> }
>
>
>
> package com.voxsmart.stuff;
>
>
>
> public class XffIpFilter extends IpFilter {
>
> @Override
>
> public getHost()
>
> parseIpAddressFromXffHeader(request.getHeader(XFF_HEADER))
>
> }
>
> }
>
>
>
> package com.voxsmart.stuff;
>
>
>
> public class DatabaseIpSource {
>
>
>
> @Override
>
> public getIpRanges() {
>
> ... select range from ...
>
> }
>
> }
>
>
>
> And put in shiro.ini:
>
> [main]
>
> ipSource = com.voxsmart.stuff.DatabaseIpSource
>
> ipFilter = com.voxsmart.stuff.XffIpFilter
>
> ipFilter.ipSource = ipSource
>
>
>
> [urls]
>
> /* = ipSource,...
>
>
>
> Does this seem reasonable?
>
>
>
> *From:* Brian Demers [mailto:brian.demers@gmail.com]
> *Sent:* Tuesday, January 10, 2017 5:14 PM
> *To:* user@shiro.apache.org
> *Subject:* Re: IP Based Restrictions
>
>
>
> Take a look at this block of code in the AuthenticatingFilter:
>
> https://github.com/apache/shiro/blob/ef5450b9f4be74ee93040111539482
> 3b9e1fc3e6/web/src/main/java/org/apache/shiro/web/filter/
> authc/AuthenticatingFilter.java#L62-L72
>
>
>
> Are you trying to restrict an IP/range for a individual users. Or a range
> for the whole application? A realm would work for the user case. For the
> application case, you could probably just create a filter.
>
>
>
> Either way, great stuff!
>
>
>
>
>
>
>
>
>
> On Tue, Jan 10, 2017 at 11:39 AM, Richard Wheeldon <
> richard.wheeldon@voxsmart.com> wrote:
>
> Hi,
>
>
>
> Having broken the back of the token based MFA, my next quest in bolting
> down my app is to add configurable IP-based restrictions. I’m thinking of a
> realm which reads a list of IPs or ranges (v4 or v6) from a DB then checks
> if the host matches.
>
>
>
> Two questions:
>
> 1. Is there any interest in my producing a generic / re-usable
> JdbcHostRestrictionRealm and kicking it back upstream? I can probably do
> this by cribbing from JdbcRealm.
> 2. My app is sat behind a load balancer which changes the IP address.
> Since we control the load balancer we can trust the X-Forwarded-For header
> in a downstream app. Is there a preferable place to hook in the logic to
> read it from the request and set it on the token?
>
>
>
> Richard
>
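The IpFilter / XffIpFilter sketch quoted above leaves its two hardest parts as ellipses: matching an address against v4 or v6 ranges, and deciding when X-Forwarded-For may be believed at all. As an added stand-alone example (not Shiro's code and not the code from the tarball), the following does both without a Shiro or Spring dependency; it honours the header only when the direct peer is the trusted load balancer, and the class and method names are assumptions.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

/** Added illustration, not Shiro's code or the thread's tarball: v4/v6 CIDR matching plus
 *  X-Forwarded-For handling that trusts the header only when the peer is a known proxy. */
public class IpRestriction {
    /** One address or CIDR range, in the spirit of Spring's IpAddressMatcher (names are assumed). */
    static final class CidrMatcher {
        private final byte[] network; private final int prefix;
        CidrMatcher(String spec) throws UnknownHostException {
            String[] parts = spec.trim().split("/");
            network = InetAddress.getByName(parts[0]).getAddress(); // pass literal IPs, not names
            prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : network.length * 8;
        }
        boolean matches(String ip) throws UnknownHostException {
            byte[] addr = InetAddress.getByName(ip).getAddress();
            if (addr.length != network.length) return false; // a v4 address never matches a v6 range
            int full = prefix / 8, rem = prefix % 8, mask = (0xFF << (8 - rem)) & 0xFF;
            for (int i = 0; i < full; i++) if (addr[i] != network[i]) return false;
            return rem == 0 || (addr[full] & mask) == (network[full] & mask); // partial last byte
        }
    }
    static boolean anyMatch(List<CidrMatcher> ms, String ip) throws UnknownHostException {
        for (CidrMatcher m : ms) if (m.matches(ip)) return true;
        return false;
    }
    /** Client address as the filter should see it: honour X-Forwarded-For only when the direct
     *  peer is a trusted proxy, then take the rightmost hop that is not one of our proxies. */
    static String clientAddress(String peer, String xff, List<CidrMatcher> proxies)
            throws UnknownHostException {
        if (xff == null || xff.isEmpty() || !anyMatch(proxies, peer)) return peer;
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!anyMatch(proxies, hop)) return hop;
        }
        return peer; // header named only our proxies; fall back to the peer
    }
    public static void main(String[] args) throws Exception {
        List<CidrMatcher> allowed = List.of(new CidrMatcher("10.0.0.0/8"), new CidrMatcher("2001:db8::/32")); // constructed sample config
        List<CidrMatcher> lb = List.of(new CidrMatcher("192.0.2.10"));   // the trusted load balancer
        String viaLb = clientAddress("192.0.2.10", "10.1.2.3", lb);       // 10.1.2.3: header honoured
        String direct = clientAddress("198.51.100.7", "10.1.2.3", lb);    // 198.51.100.7: header ignored
        System.out.println(anyMatch(allowed, viaLb) + " " + anyMatch(allowed, direct)); // true false
    }
}
```

Wiring this into the sketched filter means `getHost(request)` returns `clientAddress(request.getRemoteAddr(), xffHeader, trustedProxies)` and `isAccessAllowed` runs `anyMatch` over the ranges from the IpSource.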
Re: IP Based Restrictions
Posted by Brian Demers <br...@gmail.com>.
Can you put this in a pull request for github.com/apache/shiro ?
On Tue, Jan 31, 2017 at 1:35 PM, Richard Wheeldon <richard.wheeldon@voxsmart.com> wrote:
> Done. See http://rswheeldon.com/shiro-ip-filter.tgz
>
> If someone would like to take a look / fix the default ini / help me get
> it into trunk it’d be appreciated,
>
> Regards,
>
> Richard