1 |
package org.apache.catalina.filters; |
2 |
|
3 |
import org.apache.catalina.comet.CometEvent; |
4 |
import org.apache.catalina.comet.CometFilter; |
5 |
import org.apache.catalina.comet.CometFilterChain; |
6 |
import org.apache.catalina.util.NetMask; |
7 |
import org.apache.juli.logging.Log; |
8 |
import org.apache.juli.logging.LogFactory; |
9 |
|
10 |
import javax.servlet.FilterChain; |
11 |
import javax.servlet.ServletException; |
12 |
import javax.servlet.ServletRequest; |
13 |
import javax.servlet.ServletResponse; |
14 |
import javax.servlet.http.HttpServletResponse; |
15 |
import java.io.IOException; |
16 |
import java.io.PrintWriter; |
17 |
import java.net.InetAddress; |
18 |
import java.net.UnknownHostException; |
19 |
import java.util.ArrayList; |
20 |
import java.util.Collections; |
21 |
import java.util.LinkedList; |
22 |
import java.util.List; |
23 |
|
24 |
public final class RemoteCIDRFilter |
25 |
extends FilterBase |
26 |
implements CometFilter { |
27 |
|
28 |
/** |
29 |
* text/plain MIME type: this is the MIME type we return when a |
30 |
* {@link ServletResponse} is not an {@link HttpServletResponse} |
31 |
*/ |
32 |
|
33 |
private static final String PLAIN_TEXT_MIME_TYPE = "text/plain"; |
34 |
|
35 |
/** |
36 |
* Our logger |
37 |
*/ |
38 |
|
39 |
private static final Log log = LogFactory.getLog(RemoteCIDRFilter.class); |
40 |
|
41 |
/** |
42 |
* The list of allowed {@link NetMask}s |
43 |
*/ |
44 |
|
45 |
private final List<NetMask> allow = new ArrayList<NetMask>(); |
46 |
|
47 |
/** |
48 |
* The list of denied {@link NetMask}s |
49 |
*/ |
50 |
|
51 |
private final List<NetMask> deny = new ArrayList<NetMask>(); |
52 |
|
53 |
/** |
54 |
* Return a string representation of the {@link NetMask} list in #allow. |
55 |
* |
56 |
* @return the #allow list as a string, without the leading '[' and |
57 |
* trailing ']' |
58 |
*/ |
59 |
|
60 |
public String getAllow() { |
61 |
return allow.toString().replace("[", "").replace("]", ""); |
62 |
} |
63 |
|
64 |
|
65 |
/** |
66 |
* Fill the #allow list with the list of netmasks provided as an argument, |
67 |
* if any. Calls #fillFromInput. |
68 |
* |
69 |
* @param input The list of netmasks, as a comma separated string |
70 |
* @throws IllegalArgumentException One or more netmasks are invalid |
71 |
*/ |
72 |
|
73 |
public void setAllow(final String input) { |
74 |
final List<String> messages = fillFromInput(input, allow); |
75 |
|
76 |
if (messages.isEmpty()) |
77 |
return; |
78 |
|
79 |
for (final String message:messages) |
80 |
log.error(message); |
81 |
|
82 |
throw new IllegalArgumentException("Filter error, see messages above"); |
83 |
} |
84 |
|
85 |
|
86 |
/** |
87 |
* Return a string representation of the {@link NetMask} list in #deny. |
88 |
* |
89 |
* @return the #deny list as string, without the leading '[' and trailing |
90 |
* ']' |
91 |
*/ |
92 |
|
93 |
public String getDeny() { |
94 |
return deny.toString().replace("[", "").replace("]", ""); |
95 |
} |
96 |
|
97 |
|
98 |
/** |
99 |
* Fill the #deny list with the list of netmasks provided as an argument, |
100 |
* if any. Calls #fillFromInput. |
101 |
* |
102 |
* @param input The list of netmasks, as a comma separated string |
103 |
* @throws IllegalArgumentException One or more netmasks are invalid |
104 |
*/ |
105 |
|
106 |
public void setDeny(final String input) { |
107 |
final List<String> messages = fillFromInput(input, deny); |
108 |
|
109 |
if (messages.isEmpty()) |
110 |
return; |
111 |
|
112 |
for (final String message: messages) |
113 |
log.error(message); |
114 |
|
115 |
throw new IllegalArgumentException("Filter error: illegal netmask(s) " + |
116 |
"in allow, see messages above"); |
117 |
} |
118 |
|
119 |
@Override |
120 |
public void doFilterEvent(CometEvent event, CometFilterChain chain) |
121 |
throws IOException, ServletException { |
122 |
processCometEvent(event.getHttpServletRequest().getRemoteHost(), |
123 |
event, chain); |
124 |
} |
125 |
|
126 |
@Override |
127 |
public void doFilter(final ServletRequest request, |
128 |
final ServletResponse response, final FilterChain chain) |
129 |
throws IOException, ServletException { |
130 |
process(request.getRemoteAddr(), request, response, chain); |
131 |
} |
132 |
|
133 |
public void processCometEvent(final String property, final CometEvent event, |
134 |
final CometFilterChain chain) |
135 |
throws IOException, ServletException { |
136 |
HttpServletResponse response = event.getHttpServletResponse(); |
137 |
|
138 |
if (isAllowed(property)) { |
139 |
chain.doFilterEvent(event); |
140 |
return; |
141 |
} |
142 |
|
143 |
response.sendError(HttpServletResponse.SC_FORBIDDEN); |
144 |
event.close(); |
145 |
} |
146 |
|
147 |
public void process(final String property, final ServletRequest request, |
148 |
final ServletResponse response, final FilterChain chain) |
149 |
throws IOException, ServletException { |
150 |
|
151 |
if (isAllowed(property)) { |
152 |
chain.doFilter(request, response); |
153 |
return; |
154 |
} |
155 |
|
156 |
if (!(response instanceof HttpServletResponse)) { |
157 |
sendErrorWhenNotHttp(response); |
158 |
return; |
159 |
} |
160 |
|
161 |
((HttpServletResponse) response) |
162 |
.sendError(HttpServletResponse.SC_FORBIDDEN); |
163 |
} |
164 |
|
165 |
@Override |
166 |
public Log getLogger() { |
167 |
return log; |
168 |
} |
169 |
|
170 |
/** |
171 |
* Test if a remote's IP address is allowed to proceed. |
172 |
* |
173 |
* @param property The remote's IP address, as a string |
174 |
* @return true if allowed |
175 |
*/ |
176 |
|
177 |
private boolean isAllowed(final String property) { |
178 |
final InetAddress addr; |
179 |
|
180 |
try { |
181 |
addr = InetAddress.getByName(property); |
182 |
} catch (UnknownHostException e) { |
183 |
//Eh? |
184 |
log.error("Eh? Our remote doesn't even have a valid IP address? ", |
185 |
e); |
186 |
return false; |
187 |
} |
188 |
|
189 |
for (final NetMask nm: deny) |
190 |
if (nm.matches(addr)) |
191 |
return false; |
192 |
|
193 |
for (final NetMask nm: allow) |
194 |
if (nm.matches(addr)) |
195 |
return true; |
196 |
|
197 |
// Allow if deny is specified but allow isn't |
198 |
if (!deny.isEmpty() && allow.isEmpty()) |
199 |
return true; |
200 |
|
201 |
// Deny this request |
202 |
return false; |
203 |
} |
204 |
|
205 |
private void sendErrorWhenNotHttp(ServletResponse response) |
206 |
throws IOException { |
207 |
final PrintWriter writer = response.getWriter(); |
208 |
response.setContentType(PLAIN_TEXT_MIME_TYPE); |
209 |
writer.write(sm.getString("http.403")); |
210 |
writer.flush(); |
211 |
} |
212 |
|
213 |
/** |
214 |
* Fill a {@link NetMask} list from a string input containing a |
215 |
* comma-separated list of (hopefully valid) {@link NetMask}s. |
216 |
* |
217 |
* @param input The input string |
218 |
* @param victim The list to fill |
219 |
* @return a string list of processing errors (empty when no errors) |
220 |
*/ |
221 |
|
222 |
private List<String> fillFromInput(final String input, |
223 |
final List<NetMask> victim) { |
224 |
victim.clear(); |
225 |
if (input == null || input.isEmpty()) |
226 |
return Collections.emptyList(); |
227 |
|
228 |
final List<String> messages = new LinkedList<String>(); |
229 |
NetMask nm; |
230 |
|
231 |
for (final String s: input.split("\\s*,\\s*")) |
232 |
try { |
233 |
nm = new NetMask(s); |
234 |
victim.add(nm); |
235 |
} catch (IllegalArgumentException e) { |
236 |
messages.add(s + ": " + e.getMessage()); |
237 |
} |
238 |
|
239 |
return Collections.unmodifiableList(messages); |
240 |
} |
241 |
} |
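Review bot: doFilterEvent passes `event.getHttpServletRequest().getRemoteHost()` to processCometEvent while doFilter passes `request.getRemoteAddr()`, so the two entry points can feed isAllowed different values for the same client. When the connector is configured to resolve hostnames, getRemoteHost returns a name rather than an address, and isAllowed then hands that name to `InetAddress.getByName`, which makes the allow/deny decision on the Comet path depend on a forward DNS lookup of a reverse-DNS-derived name instead of on the peer address the connection actually came from; the isAllowed Javadoc also documents its parameter as "The remote's IP address". Use the address on both paths: `processCometEvent(event.getHttpServletRequest().getRemoteAddr(), event, chain);`. Separately, the exception thrown by setDeny reads `"Filter error: illegal netmask(s) in allow, see messages above"` for a deny-list failure, which will misdirect whoever reads the log; it should say `in deny`.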