Thanks Alexander! We also have a CONTRIBUTING.md <https://github.com/apache/shiro/blob/master/CONTRIBUTING.md> in the root of the repo.
Richard, thanks! We can move the rest of the discussion over there.

On Wed, Feb 1, 2017 at 6:45 AM, Richard Wheeldon <[email protected]> wrote:

> Cool. Thanks. Done. https://github.com/apache/shiro/pull/57
>
> Richard
>
> -----Original Message-----
> From: Alexander Openkowski [mailto:[email protected]]
> Sent: Wednesday, February 1, 2017 10:52 AM
> To: [email protected]
> Subject: Re: IP Based Restrictions
>
> This one looks good to me:
> https://gist.github.com/Chaser324/ce0505fbed06b947d962
>
> On 02/01/2017 11:18 AM, Richard Wheeldon wrote:
> > Sure. How? Is there a cheat sheet around?
> >
> > -----Original Message-----
> > From: Brian Demers [mailto:[email protected]]
> > Sent: Tuesday, January 31, 2017 8:49 PM
> > To: [email protected]
> > Cc: [email protected]
> > Subject: Re: IP Based Restrictions
> >
> > Can you put this in a pull request for github.com/apache/shiro ?
> >
> > On Tue, Jan 31, 2017 at 1:35 PM, Richard Wheeldon <[email protected]> wrote:
> >
> >> Done. See http://rswheeldon.com/shiro-ip-filter.tgz
> >>
> >> If someone would like to take a look / fix the default ini / help me
> >> get it into trunk it'd be appreciated,
> >>
> >> Regards,
> >>
> >> Richard
> >>
> >> *From:* Brian Demers [mailto:[email protected]]
> >> *Sent:* Thursday, January 12, 2017 4:16 PM
> >> *To:* [email protected]
> >> *Subject:* Re: IP Based Restrictions
> >>
> >> I like it, we could even create a default IpSource so the INI file
> >> could work out of the box, something like:
> >>
> >> [main]
> >> ipFilter.ipSource = x.x.x.x, x.x.x.x/24
> >>
> >> On Thu, Jan 12, 2017 at 5:25 AM, Richard Wheeldon <[email protected]> wrote:
> >>
> >> It's the whole app for now.
> >>
> >> So I could grab the IpAddressMatcher from Spring sec and repackage it
> >> (rather than introducing a dep between shiro and spring which would
> >> be a bit crazy):
> >> https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
> >>
> >> Then create:
> >>
> >> package org.apache.shiro.web.filter.authz;
> >>
> >> public interface IpSource {
> >>     public List<String> getIpRanges();
> >> }
> >>
> >> package org.apache.shiro.web.filter.authz;
> >>
> >> public class IpFilter extends AuthorizationFilter {
> >>
> >>     public void setIps(List<String> ips) { ... }
> >>
> >>     public void setIpSource(IpSource source) { ... }
> >>
> >>     // Peer address as seen by the container; subclasses override this
> >>     // to derive the client address differently (e.g. from a proxy header).
> >>     public String getHost(ServletRequest request) {
> >>         return request.getRemoteHost();
> >>     }
> >>
> >>     @Override
> >>     protected boolean isAccessAllowed(ServletRequest request,
> >>             ServletResponse response, Object mappedValue) throws Exception {
> >>         ...
> >>         String host = getHost(request);
> >>         for (IpAddressMatcher matcher : matchers) {
> >>             if (matcher.matches(host)) {
> >>                 return true;
> >>             }
> >>         }
> >>         return false;
> >>     }
> >> }
> >>
> >> package com.voxsmart.stuff;
> >>
> >> public class XffIpFilter extends IpFilter {
> >>     @Override
> >>     public String getHost(ServletRequest request) {
> >>         // X-Forwarded-For is an HTTP header, so the request must be an HttpServletRequest
> >>         return parseIpAddressFromXffHeader(((HttpServletRequest) request).getHeader(XFF_HEADER));
> >>     }
> >> }
> >>
> >> package com.voxsmart.stuff;
> >>
> >> public class DatabaseIpSource implements IpSource {
> >>     @Override
> >>     public List<String> getIpRanges() {
> >>         ... select range from ...
> >>     }
> >> }
> >>
> >> And put in shiro.ini:
> >>
> >> [main]
> >> ipSource = com.voxsmart.stuff.DatabaseIpSource
> >> ipFilter = com.voxsmart.stuff.XffIpFilter
> >> ipFilter.ipSource = ipSource
> >>
> >> [urls]
> >> /* = ipFilter,...
> >>
> >> Does this seem reasonable?
> >>
> >> *From:* Brian Demers [mailto:[email protected]]
> >> *Sent:* Tuesday, January 10, 2017 5:14 PM
> >> *To:* [email protected]
> >> *Subject:* Re: IP Based Restrictions
> >>
> >> Take a look at this block of code in the AuthenticatingFilter:
> >> https://github.com/apache/shiro/blob/ef5450b9f4be74ee930401115394823b9e1fc3e6/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java#L62-L72
> >>
> >> Are you trying to restrict an IP/range for individual users, or a range
> >> for the whole application? A realm would work for the user case. For the
> >> application case, you could probably just create a filter.
> >>
> >> Either way, great stuff!
> >>
> >> On Tue, Jan 10, 2017 at 11:39 AM, Richard Wheeldon <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> Having broken the back of the token based MFA, my next quest in
> >> bolting down my app is to add configurable IP-based restrictions. I'm
> >> thinking of a realm which reads a list of IPs or ranges (v4 or v6)
> >> from a DB then checks if the host matches.
> >>
> >> Two questions:
> >>
> >> 1. Is there any interest in my producing a generic / re-usable
> >> JdbcHostRestrictionRealm and kicking it back upstream? I can probably do
> >> this by cribbing from JdbcRealm.
> >> 2. My app is sat behind a load balancer which changes the IP address.
> >> Since we control the load balancer we can trust the X-Forwarded-For header
> >> in a downstream app. Is there a preferable place to hook in the logic to
> >> read it from the request and set it on the token?
> >>
> >> Richard
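The filter design sketched in the quoted thread (an IpSource feeding a list of v4/v6 ranges, an IpFilter that allows the request when any range matches, and an X-Forwarded-For variant for use behind a load balancer), worked through as a self-contained example. This is added code, not from the thread, the linked pull request or the Shiro project: it carries its own CIDR matcher standing in for Spring Security's IpAddressMatcher, a hypothetical IpSource interface with a static source, and the X-Forwarded-For handling the thread discusses, with the header honoured only when the direct peer is the trusted balancer. All class and method names, and the sample requests, are assumptions constructed for the example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

// Added example (not Shiro or thread code); class and method names are assumed.
public class IpRestrictionExample {

    /** Source of allowed ranges; the thread's IpSource, here as a functional interface. */
    interface IpSource {
        List<String> getIpRanges();
    }

    /** Matches one IP literal or CIDR block (v4 or v6); stands in for Spring's IpAddressMatcher. */
    static final class IpAddressMatcher {
        private final byte[] network;
        private final int prefixLength;

        IpAddressMatcher(String spec) {
            int slash = spec.indexOf('/');
            network = parseLiteral(slash < 0 ? spec : spec.substring(0, slash)).getAddress();
            prefixLength = slash < 0 ? network.length * 8 : Integer.parseInt(spec.substring(slash + 1));
            if (prefixLength < 0 || prefixLength > network.length * 8) {
                throw new IllegalArgumentException("bad prefix length in " + spec);
            }
        }

        boolean matches(String host) {
            byte[] addr;
            try {
                addr = parseLiteral(host).getAddress();
            } catch (IllegalArgumentException e) {
                return false; // an unparseable peer address never matches an allow rule
            }
            if (addr.length != network.length) {
                return false; // an IPv4 rule never matches an IPv6 peer and vice versa
            }
            int fullBytes = prefixLength / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (addr[i] != network[i]) return false;
            }
            int remBits = prefixLength % 8;
            if (remBits == 0) return true;
            int mask = (0xFF << (8 - remBits)) & 0xFF; // leading remBits bits of the next byte
            return (addr[fullBytes] & mask) == (network[fullBytes] & mask);
        }

        /** Accept only IP literals so InetAddress never performs a DNS lookup on peer-chosen text. */
        private static InetAddress parseLiteral(String s) {
            boolean looksLiteral = s.indexOf(':') >= 0 || s.matches("\\d{1,3}(\\.\\d{1,3}){3}");
            if (!looksLiteral) throw new IllegalArgumentException("not an IP literal: " + s);
            try {
                return InetAddress.getByName(s);
            } catch (UnknownHostException e) {
                throw new IllegalArgumentException("not an IP literal: " + s, e);
            }
        }
    }

    /**
     * Client address for a request that may have come through the balancer. X-Forwarded-For is
     * honoured only when the direct peer is the trusted balancer, and only its right-most entry
     * is used: that is the one our balancer appended, while anything left of it arrived from the
     * client and is untrusted input.
     */
    static String resolveClientIp(String remoteAddr, String xff, IpAddressMatcher trustedProxy) {
        if (xff == null || xff.isEmpty() || trustedProxy == null || !trustedProxy.matches(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        return hops[hops.length - 1].trim();
    }

    /** The core of the thread's IpFilter.isAccessAllowed: allow if any configured range matches. */
    static boolean isAccessAllowed(String clientIp, IpSource source) {
        for (String range : source.getIpRanges()) {
            if (new IpAddressMatcher(range).matches(clientIp)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        IpSource source = () -> Arrays.asList("10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32");
        IpAddressMatcher balancer = new IpAddressMatcher("172.16.0.5"); // assumed balancer address
        // Constructed requests: { remote peer address, X-Forwarded-For header or null }.
        String[][] requests = {
            {"10.1.2.3", null},                      // direct client inside 10/8 -> allowed
            {"172.16.0.5", "10.1.2.3"},              // via balancer, real client 10.1.2.3 -> allowed
            {"172.16.0.5", "10.1.2.3, 203.0.113.9"}, // left entry is client-supplied; balancer appended 203.0.113.9 -> denied
            {"203.0.113.9", "10.1.2.3"},             // header from an untrusted peer is ignored -> denied
            {"2001:db8:1::7", null},                 // IPv6 client inside 2001:db8::/32 -> allowed
            {"localhost", null},                     // not an IP literal -> denied, and no DNS lookup
        };
        for (String[] r : requests) {
            String client = resolveClientIp(r[0], r[1], balancer);
            System.out.printf("peer=%s xff=%s -> client=%s allowed=%b%n",
                    r[0], r[1], client, isAccessAllowed(client, source));
        }
    }
}
```

Two points the thread's sketch leaves implicit are made explicit here. First, the header is only consulted when the TCP peer is the balancer itself; a client that reaches the application directly and sends its own X-Forwarded-For gets no benefit from it. Second, only the right-most entry is used, because with one trusted hop that is the only value the balancer wrote; if there are several trusted proxies in front of the application, the correct entry is the one that many hops from the right, and the trusted set has to be configured accordingly.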
