//
// ========================================================================
// Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//

package org.eclipse.jetty.server.handler;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.HttpChannel;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.util.IncludeExcludeSet;
import org.eclipse.jetty.util.InetAddressSet;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;


/**
 * Inet Address Access Handler
 * <p>
 * Gates access to the wrapped handler on the remote address of the underlying
 * connection. The rules are held in an {@link IncludeExcludeSet} backed by an
 * {@link InetAddressSet}. The address is read from the connection's
 * {@link EndPoint}, never from forwarded-for headers, because a header value is
 * far easier to forge than the peer address of an established connection.
 * <p>
 * Two consequences of that design are worth knowing when deploying it:
 * <ul>
 * <li>The check sees whatever peer opened the connection. NOTE(review): behind a
 * reverse proxy or load balancer that is presumably the proxy's address, so the
 * rules would apply to the proxy rather than to the original client.</li>
 * <li>A request whose channel, end point or remote address is {@code null} is
 * not checked at all and is passed straight to the wrapped handler.</li>
 * </ul>
 */
public class InetAccessHandler extends HandlerWrapper
{
    private static final Logger LOG = Log.getLogger(InetAccessHandler.class);

    // Include/exclude rules keyed by address pattern; consulted by isAllowed(InetAddress).
    IncludeExcludeSet<String, InetAddress> _set = new IncludeExcludeSet<>(InetAddressSet.class);

    /**
     * Creates a handler with no include or exclude patterns configured.
     */
    public InetAccessHandler()
    {
        super();
    }

    /**
     * Adds one InetAddress pattern to the include rules.
     *
     * @see InetAddressSet
     * @param pattern InetAddress pattern to include
     */
    public void include(String pattern)
    {
        _set.include(pattern);
    }

    /**
     * Adds several InetAddress patterns to the include rules.
     *
     * @see InetAddressSet
     * @param patterns InetAddress patterns to include
     */
    public void include(String... patterns)
    {
        _set.include(patterns);
    }

    /**
     * Adds one InetAddress pattern to the exclude rules.
     *
     * @see InetAddressSet
     * @param pattern InetAddress pattern to exclude
     */
    public void exclude(String pattern)
    {
        _set.exclude(pattern);
    }

    /**
     * Adds several InetAddress patterns to the exclude rules.
     *
     * @see InetAddressSet
     * @param patterns InetAddress patterns to exclude
     */
    public void exclude(String... patterns)
    {
        _set.exclude(patterns);
    }

    /**
     * Checks the connection's remote address against the include and exclude
     * rules before delegating to the wrapped handler.
     * <p>
     * A rejected request is answered with {@code 403 Forbidden}, marked as
     * handled, and never reaches the wrapped handler. When no remote address
     * can be obtained the request is delegated without any check.
     *
     * @see org.eclipse.jetty.server.handler.HandlerWrapper#handle(java.lang.String, org.eclipse.jetty.server.Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
     */
    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
    {
        // Use the peer address of the connection itself; forwarded headers may be forged.
        InetSocketAddress peer = connectionAddress(baseRequest);

        // NOTE(review): getAddress() is null for an unresolved socket address; how
        // the rule set treats a null address is not visible in this file.
        boolean rejected = peer != null && !isAllowed(peer.getAddress());
        if (rejected)
        {
            response.sendError(HttpStatus.FORBIDDEN_403);
            baseRequest.setHandled(true);
            return;
        }

        // Either the address passed the rules or there was no address to test.
        getHandler().handle(target, baseRequest, request, response);
    }

    /**
     * Looks up the remote socket address of the connection carrying a request.
     *
     * @param baseRequest the request being handled
     * @return the remote address, or {@code null} if the request has no channel,
     *         the channel has no end point, or the end point reports no address
     */
    private static InetSocketAddress connectionAddress(Request baseRequest)
    {
        HttpChannel channel = baseRequest.getHttpChannel();
        if (channel == null)
        {
            return null;
        }

        EndPoint endPoint = channel.getEndPoint();
        return endPoint == null ? null : endPoint.getRemoteAddress();
    }

    /**
     * Tests an address against the configured include and exclude rules.
     * Subclasses may override this to change the access decision.
     *
     * @param address internet address of the connecting peer
     * @return true if the address is allowed
     */
    protected boolean isAllowed(InetAddress address)
    {
        return _set.test(address);
    }

    /**
     * Dumps this handler, passing the included and excluded pattern collections
     * to {@code dumpBeans} so that they appear in the output.
     */
    @Override
    public void dump(Appendable out, String indent) throws IOException
    {
        dumpBeans(out, indent, _set.getIncluded(), _set.getExcluded());
    }
}