Attachment #27689 for bug #51953

View | Details | Raw Unified | Return to bug 51953
Collapse All | Expand All




/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


package org.apache.catalina.filters;


import org.apache.catalina.comet.CometEvent;
import org.apache.catalina.comet.CometFilterChain;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;


/**
 * Concrete implementation of <code>RequestNetmaskFilter</code> that filters
 * based on the string representation of the remote client's IP address.
 *
 */

public final class RemoteNetmaskFilter
    extends RequestFilter {

    // ----------------------------------------------------- Instance Variables
    private static final Log log = LogFactory.getLog(RemoteNetmaskFilter.class);


    // ------------------------------------------------------------- Properties



    // --------------------------------------------------------- Public Methods


    /**
     * Extract the desired request property, and pass it (along with the
     * specified request and response objects and associated filter chain) to
     * the protected <code>process()</code> method to perform the actual
     * filtering.
     *
     * @param request  The servlet request to be processed
     * @param response The servlet response to be created
     * @param chain    The filter chain for this request
     *
     * @exception java.io.IOException if an input/output error occurs
     * @exception javax.servlet.ServletException if a servlet error occurs
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        process(request.getRemoteAddr(), request, response, chain);

    }

    /**
     * Extract the desired request property, and pass it (along with the comet
     * event and filter chain) to the protected <code>process()</code> method
     * to perform the actual filtering.
     *
     * @param event The comet event to be processed
     * @param chain The filter chain for this event
     *
     * @exception java.io.IOException if an input/output error occurs
     * @exception javax.servlet.ServletException if a servlet error occurs
     */
    @Override
    public void doFilterEvent(CometEvent event, CometFilterChain chain)
            throws IOException, ServletException {
        processCometEvent(event.getHttpServletRequest().getRemoteHost(),
                event, chain);        
    }

    @Override
    protected Log getLogger() {
        return log;
    }
}




/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


package org.apache.catalina.filters;


import org.apache.catalina.comet.CometEvent;
import org.apache.catalina.comet.CometFilter;
import org.apache.catalina.comet.CometFilterChain;
import org.apache.catalina.util.NetMask;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/**
 * Implementation of a Filter that performs filtering based on comparing the
 * appropriate request property (selected based on which subclass you choose
 * to configure into your Container's pipeline) against the regular expressions
 * configured for this Filter.
 * <p>
 * This filter is configured by setting the <code>allow</code> and/or
 * <code>deny</code> properties to a regular expressions (in the syntax
 * supported by {@link java.util.regex.Pattern}) to which the appropriate request property will
 * be compared.  Evaluation proceeds as follows:
 * <ul>
 * <li>The subclass extracts the request property to be filtered, and
 *     calls the common <code>process()</code> method.
 * <li>If there is a deny expression configured, the property will be compared
 *     to the expression. If a match is found, this request will be rejected
 *     with a "Forbidden" HTTP response.</li>
 * <li>If there is a allow expression configured, the property will be compared
 *     to the expression. If a match is found, this request will be allowed to
 *     pass through to the next filter in the current pipeline.</li>
 * <li>If a deny expression was specified but no allow expression, allow this
 *     request to pass through (because none of the deny expressions matched
 *     it).
 * <li>The request will be rejected with a "Forbidden" HTTP response.</li>
 * </ul>
 */

public abstract class RequestNetmaskFilter
    extends FilterBase implements CometFilter {


    // ----------------------------------------------------- Instance Variables

    /**
     * The regular expression used to test for allowed requests.
     */
    protected final List<NetMask> allow = new ArrayList<NetMask>();

    /**
     * The regular expression used to test for denied requests.
     */
    protected final List<NetMask> deny = new ArrayList<NetMask>();

    /**
     * mime type -- "text/plain"
     */
    private static final String PLAIN_TEXT_MIME_TYPE = "text/plain";


    // ------------------------------------------------------------- Properties


    /**
     * Return a string representation of the NetMask list in allow.
     */
    public String getAllow() {
        return allow.toString();
    }


    /**
     * Fill the allow list with the list of netmasks provided as an argument,
     * if any.
     *
     * @param input The list of netmasks, as a comma separated string
     */
    public void setAllow(final String input) {
        if (input == null || input.length() == 0)
            return;

        NetMask nm;

        for (final String s: input.split("\\s*,\\s*"))
            try {
                nm = new NetMask(s);
                allow.add(nm);
            } catch (IllegalArgumentException e) {
                // FIXME: log
            }
    }


    /**
     * Return a string representation of the NetMask list in deny.
     */
    public String getDeny() {
        if (deny == null) {
            return null;
        }
        return deny.toString();
    }


    /**
     * Fill the deny list with the list of netmasks provided as an argument,
     * if any.
     *
     * @param input The list of netmasks, as a comma separated string
     */
    public void setDeny(String input) {
        if (input == null || input.length() == 0)
            return;

        NetMask nm;

        for (final String s: input.split("\\s*,\\s*"))
            try {
                nm = new NetMask(s);
                deny.add(nm);
            } catch (IllegalArgumentException e) {
                // FIXME: log
            }
    }


    // --------------------------------------------------------- Public Methods


    /**
     * Extract the desired request property, and pass it (along with the
     * specified request and response objects) to the protected
     * <code>process()</code> method to perform the actual filtering.
     * This method must be implemented by a concrete subclass.
     *
     * @param request The servlet request to be processed
     * @param response The servlet response to be created
     * @param chain The filter chain
     *
     * @exception java.io.IOException if an input/output error occurs
     * @exception javax.servlet.ServletException if a servlet error occurs
     */
    @Override
    public abstract void doFilter(ServletRequest request,
            ServletResponse response, FilterChain chain) throws IOException,
            ServletException;


    // ------------------------------------------------------ Protected Methods


    /**
     * Perform the filtering that has been configured for this Filter, matching
     * against the specified request property.
     *
     * @param property The request property on which to filter
     * @param request The servlet request to be processed
     * @param response The servlet response to be processed
     * @param chain The filter chain
     *
     * @exception java.io.IOException if an input/output error occurs
     * @exception javax.servlet.ServletException if a servlet error occurs
     */
    protected void process(String property, ServletRequest request,
            ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        if (isAllowed(property)) {
            chain.doFilter(request, response);
            return;
        }

        if (!(response instanceof HttpServletResponse)) {
            sendErrorWhenNotHttp(response);
            return;
        }

        ((HttpServletResponse) response)
            .sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /**
     * Perform the filtering that has been configured for this Filter, matching
     * against the specified request property.
     *
     * @param property  The property to check against the allow/deny rules
     * @param event     The comet event to be filtered
     * @param chain     The comet filter chain
     * @exception java.io.IOException if an input/output error occurs
     * @exception javax.servlet.ServletException if a servlet error occurs
     */
    protected void processCometEvent(String property, CometEvent event,
            CometFilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = event.getHttpServletResponse();
        
        if (isAllowed(property)) {
            chain.doFilterEvent(event);
            return;
        }

        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        event.close();
    }

    /**
     * Process the allow and deny rules for the provided property.
     * 
     * @param property  The property to test against the allow and deny lists
     * @return          <code>true</code> if this request should be allowed,
     *                  <code>false</code> otherwise
     */
    private boolean isAllowed(String property) {
        final InetAddress addr;

        try {
            addr = InetAddress.getByName(property);
        } catch (UnknownHostException e) {
            //Eh?
            return false;
        }

        for (final NetMask nm: deny)
            if (nm.matches(addr))
                return false;

        for (final NetMask nm: allow)
            if (nm.matches(addr))
                return true;

        // Allow if denies specified but not allows
        if (!deny.isEmpty() && allow.isEmpty())
            return true;

        // Deny this request
        return false;
    }

    private void sendErrorWhenNotHttp(ServletResponse response)
            throws IOException {
        response.setContentType(PLAIN_TEXT_MIME_TYPE);
        response.getWriter().write(sm.getString("http.403"));
        response.getWriter().flush();
    }
}




package org.apache.catalina.util;

import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;

/**
 * A class representing a netmask, which is at the core of this valve.
 *
 * <p>The constructor takes a {@link java.lang.String} representing a
 * CIDR netmask as an argument and extracts two informations from it: the
 * network address and the CIDR. It then turns the address into a {@link
 * java.math.BigInteger}, calculates the right shift and shifts that
 * BigInteger by it.</p>
 * <p>The process to verify whether an IP address falls within the mask
 * is to also convert it to a BigInteger, shifting it right and comparing
 * it to the stored BigInteger.
 * </p>
 */

public final class NetMask {
    /**
     * The argument to the constructor, used for .toString()
     */
    private final String expression;

    /**
     * The number of bits a matching candidate needs to be shifted right
     * in order to see if it matches
     */
    private final int shift;

    /**
     * The network address, already shifted right
     */
    private final BigInteger mask;

    /**
     * Constructor.
     *
     * @param expression the CIDR netmask
     * @throws IllegalArgumentException if the netmask is not correct
     * (invalid address specification, malformed CIDR prefix, etc)
     */
    public NetMask(final String expression) {
        final int idx = expression.indexOf("/");
        final int cidr, addrlen;
        final String addressPart;
        final InetAddress addr;
        final byte[] bytes;

        if (idx == -1) {
            cidr = -1;
            addressPart = expression;
        } else {
            final String substring = expression.substring(idx + 1);
            try {
                cidr = Integer.parseInt(substring);
                if (cidr < 0)
                    throw new NumberFormatException("CIDR is negative");
            } catch (NumberFormatException ignored) {
                throw new IllegalArgumentException("provided CIDR mask ("
                    + substring + ") is invalid");
            }
            addressPart = expression.substring(0, idx);
        }

        try {
            addr = InetAddress.getByName(addressPart);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("provided address ("
                + addressPart + ") is invalid");
        }

        bytes = addr.getAddress();
        addrlen = bytes.length * 8;
        shift = cidr == -1 ? 0 : addrlen - cidr;

        if (shift < 0)
            throw new IllegalArgumentException("CIDR prefix (" + cidr
                + ") is greater than address length (" + addrlen + ")");
        mask = new BigInteger(bytes).shiftRight(shift);
        this.expression = expression;
    }

    /**
     * Test if a given address matches this netmask
     *
     * @param addr The {@link java.net.InetAddress} to test
     * @return true on match, false otherwise
     */
    public boolean matches (final InetAddress addr) {
        final BigInteger provided = new BigInteger(addr.getAddress())
            .shiftRight(shift);

        return mask.equals(provided);
    }

    @Override
    public String toString() {
        return expression;
    }
}




/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


package org.apache.catalina.valves;


import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;

import javax.servlet.ServletException;
import java.io.IOException;


/**
 * Concrete implementation of <code>RequestFilterValve</code> that filters
 * based on the string representation of the remote client's IP address.
 *
 * @author Craig R. McClanahan
 * @version $Id$
 */

public final class RemoteNetmaskValve
    extends RequestNetmaskValve
{


    // ----------------------------------------------------- Instance Variables


    /**
     * The descriptive information related to this implementation.
     */
    private static final String info =
        "org.apache.catalina.valves.RemoteNetmaskValve/1.0";


    // ------------------------------------------------------------- Properties


    /**
     * Return descriptive information about this Valve implementation.
     */
    @Override
    public String getInfo() {
        return (info);
    }


    // --------------------------------------------------------- Public Methods


    /**
     * Extract the desired request property, and pass it (along with the
     * specified request and response objects) to the protected
     * <code>process()</code> method to perform the actual filtering.
     * This method must be implemented by a concrete subclass.
     *
     * @param request The servlet request to be processed
     * @param response The servlet response to be created
     *
     * @exception java.io.IOException if an input/output error occurs
     * @exception javax.servlet.ServletException if a servlet error occurs
     */
    @Override
    public void invoke(Request request, Response response)
        throws IOException, ServletException {
        process(request.getRequest().getRemoteAddr(), request, response);
    }


}




/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


package org.apache.catalina.valves;


import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.util.NetMask;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Implementation of a Valve that performs IP filtering of a remote host
 * based on the remote's IP address. This valve replicates (some of) Apache's
 * "Order", "Allow from" and "Deny" directives with a few limitations:
 * <ul>
 *     <li>"Order" will always be "deny, allow";</li>
 *     <li>the netmasks in the "allow" and "deny" properties must be fully
 *     qualified CIDR netmasks, and the CIDR <b>must</b> be an integer
 *     (expressions like "10.", "13.0.0.0/255.255.192.0" or ".foo.bar" will
 *     not work);</li>
 *     <li>as a side effect of using @{link java.net.InetAddress},
 *     expressions like "my.host.com/27" <b>will</b> work,
 *     however their use is discouraged.</li>
 * </ul>
 * <p>Note that IPv6 is supported. Also note that invalid netmasks will be
 * ignored.</p>
 * <p>
 * This Valve may be attached to any Container, depending on the granularity
 * of the filtering you wish to perform.</p>
 *
 * @author Francis Galiegue
 */

public abstract class RequestNetmaskValve
    extends ValveBase {

    //------------------------------------------------------ Constructor
    public RequestNetmaskValve() {
        super(true);
    }

    // ----------------------------------------------------- Class Variables


    /**
     * The descriptive information related to this implementation.
     */
    private static final String info =
        "org.apache.catalina.valves.RequestNetmaskValve/1.0";

    // ----------------------------------------------------- Instance Variables

    /**
     * List of allowed netmasks, if any
     */

    protected final List<NetMask> allow = new ArrayList<NetMask>();

    /**
     * List of denied netmasks, if any
     */

    protected final List<NetMask> deny = new ArrayList<NetMask>();

    // ------------------------------------------------------------- Properties


    /**
     * Return the allowed netmask list as a string.
     */
    public String getAllow() {
        return allow.toString();
    }


    /**
     * Fills the allowed Netmask list.
     *
     * @param input The input expression
     */
    public void setAllow(final String input) {
        if (input == null || input.length() == 0)
            return;

        NetMask nm;

        for (final String s: input.split("\\s*,\\s*"))
            try {
                nm = new NetMask(s);
                this.allow.add(nm);
            } catch (IllegalArgumentException e) {
                // FIXME: log
            }
    }


    /**
     * Return the denied netmask list as a string.
     */
    public String getDeny() {
        return deny.toString();
    }


    /**
     * Set the regular expression used to test for denied requests for this
     * Valve, if any.
     *
     * @param input The new input expression
     */
    public void setDeny(final String input) {
       if (input == null || input.length() == 0)
           return;

        NetMask nm;

        for (final String s: input.split("\\s*,\\s*"))
            try {
                nm = new NetMask(s);
                this.deny.add(nm);
            } catch (IllegalArgumentException e) {
                // FIXME: log
            }
    }


    /**
     * Return descriptive information about this Valve implementation.
     */
    @Override
    public String getInfo() {
        return (info);
    }


    // --------------------------------------------------------- Public Methods


    /**
     * Extract the desired request property, and pass it (along with the
     * specified request and response objects) to the protected
     * <code>process()</code> method to perform the actual filtering.
     * This method must be implemented by a concrete subclass.
     *
     * @param request The servlet request to be processed
     * @param response The servlet response to be created
     *
     * @exception java.io.IOException if an input/output error occurs
     * @exception javax.servlet.ServletException if a servlet error occurs
     */
    @Override
    public abstract void invoke(Request request, Response response)
        throws IOException, ServletException;


    // ------------------------------------------------------ Protected Methods


    /**
     * Perform the filtering that has been configured for this Valve, matching
     * against the specified request property.
     *
     * @param property The request property on which to filter
     * @param request The servlet request to be processed
     * @param response The servlet response to be processed
     *
     * @exception java.io.IOException if an input/output error occurs
     * @exception javax.servlet.ServletException if a servlet error occurs
     */
    protected void process(String property, Request request, Response response)
        throws IOException, ServletException {

        final InetAddress addr = InetAddress.getByName(property);

        for (final NetMask nm: deny)
            if (nm.matches(addr)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }

        if (allow.isEmpty()) {
            getNext().invoke(request, response);
            return;
        }

        for (final NetMask nm: allow)
            if (nm.matches(addr)) {
                getNext().invoke(request, response);
                return;
            }

        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}

Return to bug 51953

Line 0 Link Here

(-)a/java/org/apache/catalina/valves/RemoteNetmaskValve.java (+86 lines)
		1	/*
		2	* Licensed to the Apache Software Foundation (ASF) under one or more
		3	* contributor license agreements. See the NOTICE file distributed with
		4	* this work for additional information regarding copyright ownership.
		5	* The ASF licenses this file to You under the Apache License, Version 2.0
		6	* (the "License"); you may not use this file except in compliance with
		7	* the License. You may obtain a copy of the License at
		8	*
		9	* http://www.apache.org/licenses/LICENSE-2.0
		10	*
		11	* Unless required by applicable law or agreed to in writing, software
		12	* distributed under the License is distributed on an "AS IS" BASIS,
		13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		14	* See the License for the specific language governing permissions and
		15	* limitations under the License.
		16	*/
		17
		18
		19	package org.apache.catalina.valves;
		20
		21
		22	import org.apache.catalina.connector.Request;
		23	import org.apache.catalina.connector.Response;
		24
		25	import javax.servlet.ServletException;
		26	import java.io.IOException;
		27
		28
		29	/**
		30	* Concrete implementation of <code>RequestFilterValve</code> that filters
		31	* based on the string representation of the remote client's IP address.
		32	*
		33	* @author Craig R. McClanahan
		34	* @version $Id$
		35	*/
		36
		37	public final class RemoteNetmaskValve
		38	extends RequestNetmaskValve
		39	{
		40
		41
		42	// ----------------------------------------------------- Instance Variables
		43
		44
		45	/**
		46	* The descriptive information related to this implementation.
		47	*/
		48	private static final String info =
		49	"org.apache.catalina.valves.RemoteNetmaskValve/1.0";
		50
		51
		52	// ------------------------------------------------------------- Properties
		53
		54
		55	/**
		56	* Return descriptive information about this Valve implementation.
		57	*/
		58	@Override
		59	public String getInfo() {
		60	return (info);
		61	}
		62
		63
		64	// --------------------------------------------------------- Public Methods
65
66
67	/**
68	* Extract the desired request property, and pass it (along with the
69	* specified request and response objects) to the protected
70	* <code>process()</code> method to perform the actual filtering.
71	* This method must be implemented by a concrete subclass.
72	*
73	* @param request The servlet request to be processed
74	* @param response The servlet response to be created
75	*
76	* @exception java.io.IOException if an input/output error occurs
77	* @exception javax.servlet.ServletException if a servlet error occurs
78	*/
79	@Override
80	public void invoke(Request request, Response response)
81	throws IOException, ServletException {
82	process(request.getRequest().getRemoteAddr(), request, response);
83	}
84
85
86	}

Line 0 Link Here

(-)a/java/org/apache/catalina/filters/RemoteNetmaskFilter.java (+97 lines)
		1	/*
		2	* Licensed to the Apache Software Foundation (ASF) under one or more
		3	* contributor license agreements. See the NOTICE file distributed with
		4	* this work for additional information regarding copyright ownership.
		5	* The ASF licenses this file to You under the Apache License, Version 2.0
		6	* (the "License"); you may not use this file except in compliance with
		7	* the License. You may obtain a copy of the License at
		8	*
		9	* http://www.apache.org/licenses/LICENSE-2.0
		10	*
		11	* Unless required by applicable law or agreed to in writing, software
		12	* distributed under the License is distributed on an "AS IS" BASIS,
		13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		14	* See the License for the specific language governing permissions and
		15	* limitations under the License.
		16	*/
		17
		18
		19	package org.apache.catalina.filters;
		20
		21
		22	import org.apache.catalina.comet.CometEvent;
		23	import org.apache.catalina.comet.CometFilterChain;
		24	import org.apache.juli.logging.Log;
		25	import org.apache.juli.logging.LogFactory;
		26
		27	import javax.servlet.FilterChain;
		28	import javax.servlet.ServletException;
		29	import javax.servlet.ServletRequest;
		30	import javax.servlet.ServletResponse;
		31	import java.io.IOException;
		32
		33
		34	/**
		35	* Concrete implementation of <code>RequestNetmaskFilter</code> that filters
		36	* based on the string representation of the remote client's IP address.
		37	*
		38	*/
		39
		40	public final class RemoteNetmaskFilter
		41	extends RequestFilter {
		42
		43	// ----------------------------------------------------- Instance Variables
		44	private static final Log log = LogFactory.getLog(RemoteNetmaskFilter.class);
		45
		46
		47	// ------------------------------------------------------------- Properties
		48
		49
		50
		51	// --------------------------------------------------------- Public Methods
		52
		53
		54	/**
		55	* Extract the desired request property, and pass it (along with the
		56	* specified request and response objects and associated filter chain) to
		57	* the protected <code>process()</code> method to perform the actual
		58	* filtering.
		59	*
		60	* @param request The servlet request to be processed
		61	* @param response The servlet response to be created
		62	* @param chain The filter chain for this request
		63	*
		64	* @exception java.io.IOException if an input/output error occurs
65	* @exception javax.servlet.ServletException if a servlet error occurs
66	*/
67	@Override
68	public void doFilter(ServletRequest request, ServletResponse response,
69	FilterChain chain) throws IOException, ServletException {
70
71	process(request.getRemoteAddr(), request, response, chain);
72
73	}
74
75	/**
76	* Extract the desired request property, and pass it (along with the comet
77	* event and filter chain) to the protected <code>process()</code> method
78	* to perform the actual filtering.
79	*
80	* @param event The comet event to be processed
81	* @param chain The filter chain for this event
82	*
83	* @exception java.io.IOException if an input/output error occurs
84	* @exception javax.servlet.ServletException if a servlet error occurs
85	*/
86	@Override
87	public void doFilterEvent(CometEvent event, CometFilterChain chain)
88	throws IOException, ServletException {
89	processCometEvent(event.getHttpServletRequest().getRemoteHost(),
90	event, chain);
91	}
92
93	@Override
94	protected Log getLogger() {
95	return log;
96	}
97	}

Line 0 Link Here

(-)a/java/org/apache/catalina/util/NetMask.java (+103 lines)
		1	package org.apache.catalina.util;
		2
		3	import java.math.BigInteger;
		4	import java.net.InetAddress;
		5	import java.net.UnknownHostException;
		6
		7	/**
		8	* A class representing a netmask, which is at the core of this valve.
		9	*
		10	* <p>The constructor takes a {@link java.lang.String} representing a
		11	* CIDR netmask as an argument and extracts two informations from it: the
		12	* network address and the CIDR. It then turns the address into a {@link
		13	* java.math.BigInteger}, calculates the right shift and shifts that
		14	* BigInteger by it.</p>
		15	* <p>The process to verify whether an IP address falls within the mask
		16	* is to also convert it to a BigInteger, shifting it right and comparing
		17	* it to the stored BigInteger.
		18	* </p>
		19	*/
		20
		21	public final class NetMask {
		22	/**
		23	* The argument to the constructor, used for .toString()
		24	*/
		25	private final String expression;
		26
		27	/**
		28	* The number of bits a matching candidate needs to be shifted right
		29	* in order to see if it matches
		30	*/
		31	private final int shift;
		32
		33	/**
		34	* The network address, already shifted right
		35	*/
		36	private final BigInteger mask;
		37
		38	/**
		39	* Constructor.
		40	*
		41	* @param expression the CIDR netmask
		42	* @throws IllegalArgumentException if the netmask is not correct
		43	* (invalid address specification, malformed CIDR prefix, etc)
		44	*/
		45	public NetMask(final String expression) {
		46	final int idx = expression.indexOf("/");
		47	final int cidr, addrlen;
		48	final String addressPart;
		49	final InetAddress addr;
		50	final byte[] bytes;
		51
		52	if (idx == -1) {
		53	cidr = -1;
		54	addressPart = expression;
		55	} else {
		56	final String substring = expression.substring(idx + 1);
		57	try {
		58	cidr = Integer.parseInt(substring);
		59	if (cidr < 0)
		60	throw new NumberFormatException("CIDR is negative");
		61	} catch (NumberFormatException ignored) {
		62	throw new IllegalArgumentException("provided CIDR mask ("
		63	+ substring + ") is invalid");
		64	}
65	addressPart = expression.substring(0, idx);
66	}
67
68	try {
69	addr = InetAddress.getByName(addressPart);
70	} catch (UnknownHostException e) {
71	throw new IllegalArgumentException("provided address ("
72	+ addressPart + ") is invalid");
73	}
74
75	bytes = addr.getAddress();
76	addrlen = bytes.length * 8;
77	shift = cidr == -1 ? 0 : addrlen - cidr;
78
79	if (shift < 0)
80	throw new IllegalArgumentException("CIDR prefix (" + cidr
81	+ ") is greater than address length (" + addrlen + ")");
82	mask = new BigInteger(bytes).shiftRight(shift);
83	this.expression = expression;
84	}
85
86	/**
87	* Test if a given address matches this netmask
88	*
89	* @param addr The {@link java.net.InetAddress} to test
90	* @return true on match, false otherwise
91	*/
92	public boolean matches (final InetAddress addr) {
93	final BigInteger provided = new BigInteger(addr.getAddress())
94	.shiftRight(shift);
95
96	return mask.equals(provided);
97	}
98
99	@Override
100	public String toString() {
101	return expression;
102	}
103	}

Line 0 Link Here

(-)a/java/org/apache/catalina/valves/RequestNetmaskValve.java (+220 lines)
		1	/*
		2	* Licensed to the Apache Software Foundation (ASF) under one or more
		3	* contributor license agreements. See the NOTICE file distributed with
		4	* this work for additional information regarding copyright ownership.
		5	* The ASF licenses this file to You under the Apache License, Version 2.0
		6	* (the "License"); you may not use this file except in compliance with
		7	* the License. You may obtain a copy of the License at
		8	*
		9	* http://www.apache.org/licenses/LICENSE-2.0
		10	*
		11	* Unless required by applicable law or agreed to in writing, software
		12	* distributed under the License is distributed on an "AS IS" BASIS,
		13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		14	* See the License for the specific language governing permissions and
		15	* limitations under the License.
		16	*/
		17
		18
		19	package org.apache.catalina.valves;
		20
		21
		22	import org.apache.catalina.connector.Request;
		23	import org.apache.catalina.connector.Response;
		24	import org.apache.catalina.util.NetMask;
		25
		26	import javax.servlet.ServletException;
		27	import javax.servlet.http.HttpServletResponse;
		28	import java.io.IOException;
		29	import java.math.BigInteger;
		30	import java.net.InetAddress;
		31	import java.net.UnknownHostException;
		32	import java.util.ArrayList;
		33	import java.util.Arrays;
		34	import java.util.Collections;
		35	import java.util.List;
		36
		37	/**
		38	* Implementation of a Valve that performs IP filtering of a remote host
		39	* based on the remote's IP address. This valve replicates (some of) Apache's
		40	* "Order", "Allow from" and "Deny" directives with a few limitations:
		41	* <ul>
		42	* <li>"Order" will always be "deny, allow";</li>
		43	* <li>the netmasks in the "allow" and "deny" properties must be fully
		44	* qualified CIDR netmasks, and the CIDR <b>must</b> be an integer
		45	* (expressions like "10.", "13.0.0.0/255.255.192.0" or ".foo.bar" will
		46	* not work);</li>
		47	* <li>as a side effect of using @{link java.net.InetAddress},
		48	* expressions like "my.host.com/27" <b>will</b> work,
		49	* however their use is discouraged.</li>
		50	* </ul>
		51	* <p>Note that IPv6 is supported. Also note that invalid netmasks will be
		52	* ignored.</p>
		53	* <p>
		54	* This Valve may be attached to any Container, depending on the granularity
		55	* of the filtering you wish to perform.</p>
		56	*
		57	* @author Francis Galiegue
		58	*/
		59
		60	public abstract class RequestNetmaskValve
		61	extends ValveBase {
		62
		63	//------------------------------------------------------ Constructor
		64	public RequestNetmaskValve() {
65	super(true);
66	}
67
68	// ----------------------------------------------------- Class Variables
69
70
71	/**
72	* The descriptive information related to this implementation.
73	*/
74	private static final String info =
75	"org.apache.catalina.valves.RequestNetmaskValve/1.0";
76
77	// ----------------------------------------------------- Instance Variables
78
79	/**
80	* List of allowed netmasks, if any
81	*/
82
83	protected final List<NetMask> allow = new ArrayList<NetMask>();
84
85	/**
86	* List of denied netmasks, if any
87	*/
88
89	protected final List<NetMask> deny = new ArrayList<NetMask>();
90
91	// ------------------------------------------------------------- Properties
92
93
94	/**
95	* Return the allowed netmask list as a string.
96	*/
97	public String getAllow() {
98	return allow.toString();
99	}
100
101
102	/**
103	* Fills the allowed Netmask list.
104	*
105	* @param input The input expression
106	*/
107	public void setAllow(final String input) {
108	if (input == null \|\| input.length() == 0)
109	return;
110
111	NetMask nm;
112
113	for (final String s: input.split("\\s,\\s"))
114	try {
115	nm = new NetMask(s);
116	this.allow.add(nm);
117	} catch (IllegalArgumentException e) {
118	// FIXME: log
119	}
120	}
121
122
123	/**
124	* Return the denied netmask list as a string.
125	*/
126	public String getDeny() {
127	return deny.toString();
128	}
129
130
131	/**
132	* Set the regular expression used to test for denied requests for this
133	* Valve, if any.
134	*
135	* @param input The new input expression
136	*/
137	public void setDeny(final String input) {
138	if (input == null \|\| input.length() == 0)
139	return;
140
141	NetMask nm;
142
143	for (final String s: input.split("\\s,\\s"))
144	try {
145	nm = new NetMask(s);
146	this.deny.add(nm);
147	} catch (IllegalArgumentException e) {
148	// FIXME: log
149	}
150	}
151
152
153	/**
154	* Return descriptive information about this Valve implementation.
155	*/
156	@Override
157	public String getInfo() {
158	return (info);
159	}
160
161
162	// --------------------------------------------------------- Public Methods
163
164
165	/**
166	* Extract the desired request property, and pass it (along with the
167	* specified request and response objects) to the protected
168	* <code>process()</code> method to perform the actual filtering.
169	* This method must be implemented by a concrete subclass.
170	*
171	* @param request The servlet request to be processed
172	* @param response The servlet response to be created
173	*
174	* @exception java.io.IOException if an input/output error occurs
175	* @exception javax.servlet.ServletException if a servlet error occurs
176	*/
177	@Override
178	public abstract void invoke(Request request, Response response)
179	throws IOException, ServletException;
180
181
182	// ------------------------------------------------------ Protected Methods
183
184
185	/**
186	* Perform the filtering that has been configured for this Valve, matching
187	* against the specified request property.
188	*
189	* @param property The request property on which to filter
190	* @param request The servlet request to be processed
191	* @param response The servlet response to be processed
192	*
193	* @exception java.io.IOException if an input/output error occurs
194	* @exception javax.servlet.ServletException if a servlet error occurs
195	*/
196	protected void process(String property, Request request, Response response)
197	throws IOException, ServletException {
198
199	final InetAddress addr = InetAddress.getByName(property);
200
201	for (final NetMask nm: deny)
202	if (nm.matches(addr)) {
203	response.sendError(HttpServletResponse.SC_FORBIDDEN);
204	return;
205	}
206
207	if (allow.isEmpty()) {
208	getNext().invoke(request, response);
209	return;
210	}
211
212	for (final NetMask nm: allow)
213	if (nm.matches(addr)) {
214	getNext().invoke(request, response);
215	return;
216	}
217
218	response.sendError(HttpServletResponse.SC_FORBIDDEN);
219	}
220	}