Line 0
Link Here
|
|
|
1 |
package org.apache.catalina.filters; |
2 |
|
3 |
import java.math.BigInteger; |
4 |
import java.net.InetAddress; |
5 |
import java.net.UnknownHostException; |
6 |
|
7 |
|
8 |
import org.apache.catalina.comet.CometEvent; |
9 |
import org.apache.catalina.comet.CometFilter; |
10 |
import org.apache.catalina.comet.CometFilterChain; |
11 |
|
12 |
import javax.servlet.FilterChain; |
13 |
import javax.servlet.FilterConfig; |
14 |
import javax.servlet.ServletException; |
15 |
import javax.servlet.ServletRequest; |
16 |
import javax.servlet.ServletResponse; |
17 |
import javax.servlet.http.HttpServletResponse; |
18 |
import java.io.IOException; |
19 |
import java.net.InetAddress; |
20 |
import java.net.UnknownHostException; |
21 |
import java.util.ArrayList; |
22 |
import java.util.List; |
23 |
import org.apache.juli.logging.Log; |
24 |
import org.apache.juli.logging.LogFactory; |
25 |
|
26 |
/** |
27 |
* Implementation of a Filter that performs filtering based on comparing the |
28 |
* appropriate request property (selected based on which subclass you choose |
29 |
* to configure into your Container's pipeline) against the regular expressions |
30 |
* configured for this Filter. |
31 |
* <p> |
32 |
* This filter is configured by setting the <code>allow</code> and/or |
33 |
* <code>deny</code> properties to a regular expressions (in the syntax |
34 |
* supported by {@link java.util.regex.Pattern}) to which the appropriate request property will |
35 |
* be compared. Evaluation proceeds as follows: |
36 |
* <ul> |
37 |
* <li>The subclass extracts the request property to be filtered, and |
38 |
* calls the common <code>process()</code> method. |
39 |
* <li>If there is a deny expression configured, the property will be compared |
40 |
* to the expression. If a match is found, this request will be rejected |
41 |
* with a "Forbidden" HTTP response.</li> |
42 |
* <li>If there is a allow expression configured, the property will be compared |
43 |
* to the expression. If a match is found, this request will be allowed to |
44 |
* pass through to the next filter in the current pipeline.</li> |
45 |
* <li>If a deny expression was specified but no allow expression, allow this |
46 |
* request to pass through (because none of the deny expressions matched |
47 |
* it). |
48 |
* <li>The request will be rejected with a "Forbidden" HTTP response.</li> |
49 |
* </ul> |
50 |
*/ |
51 |
|
52 |
public class RemoteAddrNetmaskFilter |
53 |
extends RequestFilter |
54 |
{ |
55 |
// ----------------------------------------------------- Instance Variables |
56 |
private static final Log log = LogFactory.getLog(RemoteAddrFilter.class); |
57 |
|
58 |
/** |
59 |
* The matchers used to test for allowed requests. |
60 |
*/ |
61 |
protected final List<IPMatcher> allow = new ArrayList<IPMatcher>(); |
62 |
|
63 |
/** |
64 |
* The matchers used to test for denied requests. |
65 |
*/ |
66 |
protected final List<IPMatcher> deny = new ArrayList<IPMatcher>(); |
67 |
|
68 |
// ------------------------------------------------------------- Properties |
69 |
|
70 |
// --------------------------------------------------------- Public Methods |
71 |
|
72 |
@Override |
73 |
public void init(FilterConfig filterConfig) throws ServletException { |
74 |
super.init(filterConfig); |
75 |
|
76 |
final String denies = super.getDeny(); |
77 |
for(final String s: denies.split("\\s*,\\s*")) |
78 |
{ |
79 |
try { |
80 |
if(s.contains("/")) |
81 |
deny.add(new NetMaskIPMatcher(s)); |
82 |
else |
83 |
deny.add(new StringIPMatcher(s)); |
84 |
} catch (IllegalArgumentException e) { |
85 |
// FIXME: log |
86 |
} |
87 |
} |
88 |
|
89 |
final String allows = super.getDeny(); |
90 |
for(final String s: allows.split("\\s*,\\s*")) |
91 |
{ |
92 |
try { |
93 |
if(s.contains("/")) |
94 |
allow.add(new NetMaskIPMatcher(s)); |
95 |
else |
96 |
allow.add(new StringIPMatcher(s)); |
97 |
} catch (IllegalArgumentException e) { |
98 |
// FIXME: log |
99 |
} |
100 |
} |
101 |
|
102 |
} |
103 |
|
104 |
public void doFilter(ServletRequest request, |
105 |
ServletResponse response, |
106 |
FilterChain chain) |
107 |
throws ServletException, IOException |
108 |
{ |
109 |
process(request.getRemoteAddr(), request, response, chain); |
110 |
} |
111 |
|
112 |
/** |
113 |
* Extract the desired request property, and pass it (along with the comet |
114 |
* event and filter chain) to the protected <code>process()</code> method |
115 |
* to perform the actual filtering. |
116 |
* |
117 |
* @param event The comet event to be processed |
118 |
* @param chain The filter chain for this event |
119 |
* |
120 |
* @exception IOException if an input/output error occurs |
121 |
* @exception ServletException if a servlet error occurs |
122 |
*/ |
123 |
@Override |
124 |
public void doFilterEvent(CometEvent event, CometFilterChain chain) |
125 |
throws IOException, ServletException { |
126 |
processCometEvent(event.getHttpServletRequest().getRemoteAddr(), |
127 |
event, chain); |
128 |
} |
129 |
|
130 |
// ------------------------------------------------------ Protected Methods |
131 |
|
132 |
@Override |
133 |
protected boolean isAllowed(String property) { |
134 |
final InetAddress addr; |
135 |
|
136 |
try { |
137 |
addr = InetAddress.getByName(property); |
138 |
} catch (UnknownHostException e) { |
139 |
// FIXME: log |
140 |
return false; |
141 |
} |
142 |
|
143 |
for (final IPMatcher m: deny) |
144 |
if (m.matches(addr)) |
145 |
return false; |
146 |
|
147 |
for (final IPMatcher m: allow) |
148 |
if (m.matches(addr)) |
149 |
return true; |
150 |
|
151 |
// Allow if denies specified but not allows |
152 |
if (!deny.isEmpty() && allow.isEmpty()) |
153 |
return true; |
154 |
|
155 |
// Deny this request |
156 |
return false; |
157 |
} |
158 |
|
159 |
@Override |
160 |
protected Log getLogger() { |
161 |
return log; |
162 |
} |
163 |
|
164 |
private interface IPMatcher |
165 |
{ |
166 |
boolean matches(InetAddress address); |
167 |
} |
168 |
|
169 |
static class StringIPMatcher |
170 |
implements IPMatcher |
171 |
{ |
172 |
private String address; |
173 |
|
174 |
public StringIPMatcher(final String address) |
175 |
{ |
176 |
this.address = address; |
177 |
} |
178 |
|
179 |
public boolean matches(final InetAddress address) |
180 |
{ |
181 |
return address.getHostAddress().equals(this.address); |
182 |
} |
183 |
} |
184 |
|
185 |
|
186 |
/** |
187 |
* A class representing a netmask, which is at the core of this valve. |
188 |
* |
189 |
* <p>The constructor takes a {@link java.lang.String} representing a |
190 |
* CIDR netmask as an argument and extracts two informations from it: the |
191 |
* network address and the CIDR. It then turns the address into a |
192 |
* {@link java.math.BigInteger}, calculates the right shift and shifts that |
193 |
* BigInteger by it.</p> |
194 |
* <p>The process to verify whether an IP address falls within the mask |
195 |
* is to also convert it to a BigInteger, shifting it right and comparing |
196 |
* it to the stored BigInteger. |
197 |
* </p> |
198 |
*/ |
199 |
static class NetMaskIPMatcher |
200 |
implements IPMatcher |
201 |
{ |
202 |
/** |
203 |
* The argument to the constructor, used for .toString() |
204 |
*/ |
205 |
private final String expression; |
206 |
|
207 |
/** |
208 |
* The number of bits a matching candidate needs to be shifted right |
209 |
* in order to see if it matches |
210 |
*/ |
211 |
private final int shift; |
212 |
|
213 |
/** |
214 |
* The network address, already shifted right |
215 |
*/ |
216 |
private final BigInteger mask; |
217 |
|
218 |
/** |
219 |
* Constructor. |
220 |
* |
221 |
* @param expression the CIDR netmask |
222 |
* @throws IllegalArgumentException if the netmask is not correct |
223 |
* (invalid address specification, malformed CIDR prefix, etc) |
224 |
*/ |
225 |
public NetMaskIPMatcher(final String expression) { |
226 |
final int idx = expression.indexOf("/"); |
227 |
final int cidr, addrlen; |
228 |
final String addressPart; |
229 |
final InetAddress addr; |
230 |
final byte[] bytes; |
231 |
|
232 |
if (idx == -1) { |
233 |
cidr = -1; |
234 |
addressPart = expression; |
235 |
} else { |
236 |
final String substring = expression.substring(idx + 1); |
237 |
try { |
238 |
cidr = Integer.parseInt(substring); |
239 |
if (cidr < 0) |
240 |
throw new NumberFormatException("CIDR is negative"); |
241 |
} catch (NumberFormatException ignored) { |
242 |
throw new IllegalArgumentException("provided CIDR mask (" |
243 |
+ substring + ") is invalid"); |
244 |
} |
245 |
addressPart = expression.substring(0, idx); |
246 |
} |
247 |
|
248 |
try { |
249 |
addr = InetAddress.getByName(addressPart); |
250 |
} catch (UnknownHostException e) { |
251 |
throw new IllegalArgumentException("provided address (" |
252 |
+ addressPart + ") is invalid"); |
253 |
} |
254 |
|
255 |
bytes = addr.getAddress(); |
256 |
addrlen = bytes.length * 8; |
257 |
shift = cidr == -1 ? 0 : addrlen - cidr; |
258 |
|
259 |
if (shift < 0) |
260 |
throw new IllegalArgumentException("CIDR prefix (" + cidr |
261 |
+ ") is greater than address length (" + addrlen + ")"); |
262 |
mask = new BigInteger(bytes).shiftRight(shift); |
263 |
this.expression = expression; |
264 |
} |
265 |
|
266 |
/** |
267 |
* Test if a given address matches this netmask |
268 |
* |
269 |
* @param addr The {@link java.net.InetAddress} to test |
270 |
* @return true on match, false otherwise |
271 |
*/ |
272 |
public boolean matches (final InetAddress addr) { |
273 |
final BigInteger provided = new BigInteger(addr.getAddress()) |
274 |
.shiftRight(shift); |
275 |
|
276 |
return mask.equals(provided); |
277 |
} |
278 |
|
279 |
@Override |
280 |
public String toString() { |
281 |
return expression; |
282 |
} |
283 |
} |
284 |
} |