View | Details | Raw Unified | Return to bug 51953
Collapse All | Expand All

(-)java/org/apache/catalina/filters/RequestFilter.java (-1 / +1 lines)
Lines 218-224 Link Here
218
     * @return          <code>true</code> if this request should be allowed,
218
     * @return          <code>true</code> if this request should be allowed,
219
     *                  <code>false</code> otherwise
219
     *                  <code>false</code> otherwise
220
     */
220
     */
221
    private boolean isAllowed(String property) {
221
    protected boolean isAllowed(String property) {
222
        if (deny != null && deny.matcher(property).matches()) {
222
        if (deny != null && deny.matcher(property).matches()) {
223
            return false;
223
            return false;
224
        }
224
        }
(-)java/org/apache/catalina/filters/RemoteAddrNetmaskFilter.java (+284 lines)
Line 0 Link Here
1
package org.apache.catalina.filters;
2
3
import java.math.BigInteger;
4
import java.net.InetAddress;
5
import java.net.UnknownHostException;
6
7
8
import org.apache.catalina.comet.CometEvent;
9
import org.apache.catalina.comet.CometFilter;
10
import org.apache.catalina.comet.CometFilterChain;
11
12
import javax.servlet.FilterChain;
13
import javax.servlet.FilterConfig;
14
import javax.servlet.ServletException;
15
import javax.servlet.ServletRequest;
16
import javax.servlet.ServletResponse;
17
import javax.servlet.http.HttpServletResponse;
18
import java.io.IOException;
19
import java.net.InetAddress;
20
import java.net.UnknownHostException;
21
import java.util.ArrayList;
22
import java.util.List;
23
import org.apache.juli.logging.Log;
24
import org.apache.juli.logging.LogFactory;
25
26
/**
27
 * Implementation of a Filter that performs filtering based on comparing the
28
 * appropriate request property (selected based on which subclass you choose
29
 * to configure into your Container's pipeline) against the regular expressions
30
 * configured for this Filter.
31
 * <p>
32
 * This filter is configured by setting the <code>allow</code> and/or
33
 * <code>deny</code> properties to a regular expressions (in the syntax
34
 * supported by {@link java.util.regex.Pattern}) to which the appropriate request property will
35
 * be compared.  Evaluation proceeds as follows:
36
 * <ul>
37
 * <li>The subclass extracts the request property to be filtered, and
38
 *     calls the common <code>process()</code> method.
39
 * <li>If there is a deny expression configured, the property will be compared
40
 *     to the expression. If a match is found, this request will be rejected
41
 *     with a "Forbidden" HTTP response.</li>
42
 * <li>If there is a allow expression configured, the property will be compared
43
 *     to the expression. If a match is found, this request will be allowed to
44
 *     pass through to the next filter in the current pipeline.</li>
45
 * <li>If a deny expression was specified but no allow expression, allow this
46
 *     request to pass through (because none of the deny expressions matched
47
 *     it).
48
 * <li>The request will be rejected with a "Forbidden" HTTP response.</li>
49
 * </ul>
50
 */
51
52
public class RemoteAddrNetmaskFilter
53
    extends RequestFilter
54
{
55
    // ----------------------------------------------------- Instance Variables
56
    private static final Log log = LogFactory.getLog(RemoteAddrFilter.class);
57
58
    /**
59
     * The matchers used to test for allowed requests.
60
     */
61
    protected final List<IPMatcher> allow = new ArrayList<IPMatcher>();
62
63
    /**
64
     * The matchers used to test for denied requests.
65
     */
66
    protected final List<IPMatcher> deny = new ArrayList<IPMatcher>();
67
68
    // ------------------------------------------------------------- Properties
69
70
    // --------------------------------------------------------- Public Methods
71
72
    @Override
73
    public void init(FilterConfig filterConfig) throws ServletException {
74
        super.init(filterConfig);
75
76
        final String denies = super.getDeny();
77
        for(final String s: denies.split("\\s*,\\s*"))
78
        {
79
            try {
80
                if(s.contains("/"))
81
                    deny.add(new NetMaskIPMatcher(s));
82
                else
83
                    deny.add(new StringIPMatcher(s));
84
            } catch (IllegalArgumentException e) {
85
                // FIXME: log
86
            }
87
        }
88
89
        final String allows = super.getDeny();
90
        for(final String s: allows.split("\\s*,\\s*"))
91
        {
92
            try {
93
                if(s.contains("/"))
94
                    allow.add(new NetMaskIPMatcher(s));
95
                else
96
                    allow.add(new StringIPMatcher(s));
97
            } catch (IllegalArgumentException e) {
98
                // FIXME: log
99
            }
100
        }
101
102
    }
103
104
    public void doFilter(ServletRequest request,
105
                         ServletResponse response,
106
                         FilterChain chain)
107
        throws ServletException, IOException
108
    {
109
        process(request.getRemoteAddr(), request, response, chain);
110
    }                         
111
112
    /**
113
     * Extract the desired request property, and pass it (along with the comet
114
     * event and filter chain) to the protected <code>process()</code> method
115
     * to perform the actual filtering.
116
     *
117
     * @param event The comet event to be processed
118
     * @param chain The filter chain for this event
119
     *
120
     * @exception IOException if an input/output error occurs
121
     * @exception ServletException if a servlet error occurs
122
     */
123
    @Override
124
    public void doFilterEvent(CometEvent event, CometFilterChain chain)
125
            throws IOException, ServletException {
126
        processCometEvent(event.getHttpServletRequest().getRemoteAddr(),
127
                event, chain);        
128
    }
129
130
    // ------------------------------------------------------ Protected Methods
131
132
    @Override
133
    protected boolean isAllowed(String property) {
134
        final InetAddress addr;
135
136
        try {
137
            addr = InetAddress.getByName(property);
138
        } catch (UnknownHostException e) {
139
            // FIXME: log
140
            return false;
141
        }
142
143
        for (final IPMatcher m: deny)
144
            if (m.matches(addr))
145
                return false;
146
147
        for (final IPMatcher m: allow)
148
            if (m.matches(addr))
149
                return true;
150
151
        // Allow if denies specified but not allows
152
        if (!deny.isEmpty() && allow.isEmpty())
153
            return true;
154
155
        // Deny this request
156
        return false;
157
    }
158
159
    @Override
160
    protected Log getLogger() {
161
        return log;
162
    }
163
164
    private interface IPMatcher
165
    {
166
        boolean matches(InetAddress address);
167
    }
168
169
    static class StringIPMatcher
170
        implements IPMatcher
171
    {
172
        private String address;
173
174
        public StringIPMatcher(final String address)
175
        {
176
            this.address = address;
177
        }
178
179
        public boolean matches(final InetAddress address)
180
        {
181
            return address.getHostAddress().equals(this.address);
182
        }
183
    }
184
185
    
186
    /**
187
     * A class representing a netmask, which is at the core of this valve.
188
     *
189
     * <p>The constructor takes a {@link java.lang.String} representing a
190
     * CIDR netmask as an argument and extracts two informations from it: the
191
     * network address and the CIDR. It then turns the address into a
192
     * {@link java.math.BigInteger}, calculates the right shift and shifts that
193
     * BigInteger by it.</p>
194
     * <p>The process to verify whether an IP address falls within the mask
195
     * is to also convert it to a BigInteger, shifting it right and comparing
196
     * it to the stored BigInteger.
197
     * </p>
198
     */
199
    static class NetMaskIPMatcher
200
        implements IPMatcher
201
    {
202
        /**
203
         * The argument to the constructor, used for .toString()
204
         */
205
        private final String expression;
206
207
        /**
208
         * The number of bits a matching candidate needs to be shifted right
209
         * in order to see if it matches
210
         */
211
        private final int shift;
212
213
        /**
214
         * The network address, already shifted right
215
         */
216
        private final BigInteger mask;
217
218
        /**
219
         * Constructor.
220
         *
221
         * @param expression the CIDR netmask
222
         * @throws IllegalArgumentException if the netmask is not correct
223
         * (invalid address specification, malformed CIDR prefix, etc)
224
         */
225
        public NetMaskIPMatcher(final String expression) {
226
            final int idx = expression.indexOf("/");
227
            final int cidr, addrlen;
228
            final String addressPart;
229
            final InetAddress addr;
230
            final byte[] bytes;
231
232
            if (idx == -1) {
233
                cidr = -1;
234
                addressPart = expression;
235
            } else {
236
                final String substring = expression.substring(idx + 1);
237
                try {
238
                    cidr = Integer.parseInt(substring);
239
                    if (cidr < 0)
240
                        throw new NumberFormatException("CIDR is negative");
241
                } catch (NumberFormatException ignored) {
242
                    throw new IllegalArgumentException("provided CIDR mask ("
243
                                                       + substring + ") is invalid");
244
                }
245
                addressPart = expression.substring(0, idx);
246
            }
247
248
            try {
249
                addr = InetAddress.getByName(addressPart);
250
            } catch (UnknownHostException e) {
251
                throw new IllegalArgumentException("provided address ("
252
                                                   + addressPart + ") is invalid");
253
            }
254
255
            bytes = addr.getAddress();
256
            addrlen = bytes.length * 8;
257
            shift = cidr == -1 ? 0 : addrlen - cidr;
258
259
            if (shift < 0)
260
                throw new IllegalArgumentException("CIDR prefix (" + cidr
261
                                                   + ") is greater than address length (" + addrlen + ")");
262
            mask = new BigInteger(bytes).shiftRight(shift);
263
            this.expression = expression;
264
        }
265
266
        /**
267
         * Test if a given address matches this netmask
268
         *
269
         * @param addr The {@link java.net.InetAddress} to test
270
         * @return true on match, false otherwise
271
         */
272
        public boolean matches (final InetAddress addr) {
273
            final BigInteger provided = new BigInteger(addr.getAddress())
274
                .shiftRight(shift);
275
276
            return mask.equals(provided);
277
        }
278
279
        @Override
280
            public String toString() {
281
            return expression;
282
        }
283
    }
284
}

Return to bug 51953