
1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package org.eclipse.jetty.server.handler;
20  
21  import java.io.IOException;
22  import java.net.InetAddress;
23  import java.net.InetSocketAddress;
24  
25  import javax.servlet.ServletException;
26  import javax.servlet.http.HttpServletRequest;
27  import javax.servlet.http.HttpServletResponse;
28  
29  import org.eclipse.jetty.http.HttpStatus;
30  import org.eclipse.jetty.io.EndPoint;
31  import org.eclipse.jetty.server.HttpChannel;
32  import org.eclipse.jetty.server.Request;
33  import org.eclipse.jetty.util.IncludeExcludeSet;
34  import org.eclipse.jetty.util.InetAddressSet;
35  import org.eclipse.jetty.util.log.Log;
36  import org.eclipse.jetty.util.log.Logger;
37  
38  
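/**
 * Inet Address Access Handler
 * <p>
 * Controls access to the wrapped handler by the real remote IP. Control is provided
 * by an {@link IncludeExcludeSet} over an {@link InetAddressSet}. This handler
 * uses the real internet address of the connection, not one reported in the forwarded
 * for headers, as this cannot be as easily forged.
 * <p>
 * The access check is applied only when a remote address can be obtained from the
 * request's {@link HttpChannel} and {@link EndPoint}. If the channel, the end point or
 * its remote address is unavailable, the request is passed through to the wrapped
 * handler unchecked (fail-open); deployments that require a strict check should make
 * sure the connector in use exposes a remote {@link InetSocketAddress}.
 */
public class InetAccessHandler extends HandlerWrapper
{
    private static final Logger LOG = Log.getLogger(InetAccessHandler.class);

    /** Include/exclude rules, evaluated against the connection's remote {@link InetAddress}. */
    IncludeExcludeSet<String, InetAddress> _set = new IncludeExcludeSet<>(InetAddressSet.class);

    /* ------------------------------------------------------------ */
    /**
     * Creates a new handler with no include or exclude patterns.
     */
    public InetAccessHandler()
    {
        super();
    }

    /* ------------------------------------------------------------ */
    /**
     * Include an InetAddress pattern
     * @see InetAddressSet
     * @param pattern InetAddress pattern to include
     */
    public void include(String pattern)
    {
        _set.include(pattern);
    }

    /* ------------------------------------------------------------ */
    /**
     * Include InetAddress patterns
     * @see InetAddressSet
     * @param patterns InetAddress patterns to include
     */
    public void include(String... patterns)
    {
        _set.include(patterns);
    }

    /* ------------------------------------------------------------ */
    /**
     * Exclude an InetAddress pattern
     * @see InetAddressSet
     * @param pattern InetAddress pattern to exclude
     */
    public void exclude(String pattern)
    {
        _set.exclude(pattern);
    }

    /* ------------------------------------------------------------ */
    /**
     * Exclude InetAddress patterns
     * @see InetAddressSet
     * @param patterns InetAddress patterns to exclude
     */
    public void exclude(String... patterns)
    {
        _set.exclude(patterns);
    }


    /* ------------------------------------------------------------ */
    /**
     * Checks the incoming request against the include and exclude rules.
     * <p>
     * If the connection's remote address is known and not allowed by {@link #isAllowed(InetAddress)},
     * the response is completed with {@link HttpStatus#FORBIDDEN_403} and the request is marked handled.
     * Otherwise the request is delegated to the wrapped handler.
     *
     * @see org.eclipse.jetty.server.handler.HandlerWrapper#handle(java.lang.String, org.eclipse.jetty.server.Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
     */
    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
    {
        // Get the real remote IP (not the one set by the forwarded headers (which may be forged))
        HttpChannel channel = baseRequest.getHttpChannel();
        if (channel!=null)
        {
            EndPoint endp=channel.getEndPoint();
            if (endp!=null)
            {
                InetSocketAddress address = endp.getRemoteAddress();
                // NOTE(review): address.getAddress() is null for an unresolved socket address;
                // how _set.test(null) behaves is not visible from this class -- confirm.
                if (address!=null && !isAllowed(address.getAddress()))
                {
                    response.sendError(HttpStatus.FORBIDDEN_403);
                    baseRequest.setHandled(true);
                    return;
                }
            }
        }

        // Reached both when the address is allowed and when no channel/end point/address
        // was available: the latter case is deliberately fail-open (see class Javadoc).
        getHandler().handle(target,baseRequest, request, response);
    }

    /* ------------------------------------------------------------ */
    /**
     * Check if the specified address is allowed by the current include/exclude rules.
     *
     * @param address internet address of the connection
     * @return true if address is allowed
     */
    protected boolean isAllowed(InetAddress address)
    {
        return _set.test(address);
    }

    /* ------------------------------------------------------------ */
    /**
     * Dumps the configured include and exclude patterns.
     *
     * @param out the destination to write the dump to
     * @param indent the indentation prefix for each dumped line
     * @throws IOException if writing to {@code out} fails
     */
    @Override
    public void dump(Appendable out, String indent) throws IOException
    {
        dumpBeans(out,indent,_set.getIncluded(),_set.getExcluded());
    }
}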