[DS-213] IPAuthentication extended to allow negative matching

git-svn-id: http://scm.dspace.org/svn/repo/dspace/trunk@3990 9c30dcfa-912a-0410-8fc2-9e0234be79fd
Stuart Lewis
2009-06-30 22:27:13 +00:00
parent ee081784df
commit 9d23f14c1c
3 changed files with 74 additions and 9 deletions


@@ -62,6 +62,11 @@ import org.dspace.eperson.Group;
* <P> * <P>
* e.g. {@code authentication.ip.MIT = 18., 192.25.0.0/255.255.0.0} * e.g. {@code authentication.ip.MIT = 18., 192.25.0.0/255.255.0.0}
* <P> * <P>
* Negative matches can be included by prepending the range with a '-'. For example if you want
* to include all of a class B network except for users of a contained class c network, you could use:
* <P>
* 111.222,-111.222.333.
* <p>
* For supported IP ranges see {@link org.dspace.authenticate.IPMatcher}. * For supported IP ranges see {@link org.dspace.authenticate.IPMatcher}.
* *
* @version $Revision$ * @version $Revision$
@@ -75,6 +80,9 @@ public class IPAuthentication implements AuthenticationMethod
/** All the IP matchers */ /** All the IP matchers */
private List<IPMatcher> ipMatchers; private List<IPMatcher> ipMatchers;
/** All the negative IP matchers */
private List<IPMatcher> ipNegativeMatchers;
/** /**
* Maps IPMatchers to group names when we don't know group DB ID yet. When * Maps IPMatchers to group names when we don't know group DB ID yet. When
* the DB ID is known, the IPMatcher is moved to ipMatcherGroupIDs and then * the DB ID is known, the IPMatcher is moved to ipMatcherGroupIDs and then
@@ -92,6 +100,7 @@ public class IPAuthentication implements AuthenticationMethod
public IPAuthentication() public IPAuthentication()
{ {
ipMatchers = new ArrayList<IPMatcher>(); ipMatchers = new ArrayList<IPMatcher>();
ipNegativeMatchers = new ArrayList<IPMatcher>();
ipMatcherGroupIDs = new HashMap<IPMatcher, Integer>(); ipMatcherGroupIDs = new HashMap<IPMatcher, Integer>();
ipMatcherGroupNames = new HashMap<IPMatcher, String>(); ipMatcherGroupNames = new HashMap<IPMatcher, String>();
@@ -130,17 +139,26 @@ public class IPAuthentication implements AuthenticationMethod
{ {
String[] ranges = ipRanges.split("\\s*,\\s*"); String[] ranges = ipRanges.split("\\s*,\\s*");
for (int i = 0; i < ranges.length; i++) for (String entry : ranges)
{ {
try try
{ {
IPMatcher ipm = new IPMatcher(ranges[i]); IPMatcher ipm;
ipMatchers.add(ipm); if (entry.startsWith("-"))
{
ipm = new IPMatcher(entry.substring(1));
ipNegativeMatchers.add(ipm);
}
else
{
ipm = new IPMatcher(entry);
ipMatchers.add(ipm);
}
ipMatcherGroupNames.put(ipm, groupName); ipMatcherGroupNames.put(ipm, groupName);
if (log.isDebugEnabled()) if (log.isDebugEnabled())
{ {
log.debug("Configured " + ranges[i] + " for special group " log.debug("Configured " + entry + " for special group "
+ groupName); + groupName);
} }
} }
@@ -181,10 +199,8 @@ public class IPAuthentication implements AuthenticationMethod
String addr = request.getRemoteAddr(); String addr = request.getRemoteAddr();
for (int i = 0; i < ipMatchers.size(); i++) for (IPMatcher ipm : ipMatchers)
{ {
IPMatcher ipm = ipMatchers.get(i);
try try
{ {
if (ipm.match(addr)) if (ipm.match(addr))
@@ -229,6 +245,54 @@ public class IPAuthentication implements AuthenticationMethod
} }
} }
// Now remove any negative matches
for (IPMatcher ipm : ipNegativeMatchers)
{
try
{
if (ipm.match(addr))
{
// Do we know group ID?
Integer g = ipMatcherGroupIDs.get(ipm);
if (g != null)
{
groupIDs.remove(g);
}
else
{
// See if we have a group name
String groupName = ipMatcherGroupNames.get(ipm);
if (groupName != null)
{
Group group = Group.findByName(context, groupName);
if (group != null)
{
// Add ID so we won't have to do lookup again
ipMatcherGroupIDs.put(ipm, new Integer(group
.getID()));
ipMatcherGroupNames.remove(ipm);
groupIDs.remove(new Integer(group.getID()));
}
else
{
log.warn(LogManager.getHeader(context,
"configuration_error", "unknown_group="
+ groupName));
}
}
}
}
}
catch (IPMatcherException ipme)
{
log.warn(LogManager.getHeader(context, "configuration_error",
"bad_ip=" + addr), ipme);
}
}
int[] results = new int[groupIDs.size()]; int[] results = new int[groupIDs.size()];
for (int i = 0; i < groupIDs.size(); i++) for (int i = 0; i < groupIDs.size(); i++)
{ {
@@ -243,7 +307,7 @@ public class IPAuthentication implements AuthenticationMethod
{ {
if (i > 0) if (i > 0)
gsb.append(","); gsb.append(",");
gsb.append(results[i]); gsb.append(results[i]);
} }
log.debug(LogManager.getHeader(context, "authenticated", log.debug(LogManager.getHeader(context, "authenticated",
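Review bot: The exclusion in the new "Now remove any negative matches" loop may not hold, because `groupIDs.remove(g)` and `groupIDs.remove(new Integer(group.getID()))` drop only the first occurrence if `groupIDs` is a `List<Integer>`. The declaration of `groupIDs` and the body of the positive loop are outside the hunks shown, so this is inferred: if an address matches two positive ranges configured for the same group, the ID may be in the list twice and the excluded address would keep its membership. Removing every occurrence, e.g. `while (groupIDs.remove(g)) { }`, or collecting the IDs in a `Set`, makes the deny rule hold regardless of how many positive ranges matched. Separately, a `-` entry that fails to parse in the configuration loop appears to be handled by a catch that is not visible here; if it is simply skipped, the broad positive range stays in force without its exclusion, so that case should be logged prominently.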


@@ -21,6 +21,7 @@
- [DS-204] New -zip option for item exporter and importer - [DS-204] New -zip option for item exporter and importer
- [DS-209] Context.java turnOffAuthorisationSystem() can throw a NPE - [DS-209] Context.java turnOffAuthorisationSystem() can throw a NPE
- [DS-212] NPE thrown during Harvest of non-items when visibility restriction is enabled - [DS-212] NPE thrown during Harvest of non-items when visibility restriction is enabled
- [DS-213] IPAuthentication extended to allow negative matching
- [DS-216] Migrating items that use additional metadata schemas causes an NPE - [DS-216] Migrating items that use additional metadata schemas causes an NPE
- [DS-221] XMLUI 'current activity' recognises Google Chrome as Safari - [DS-221] XMLUI 'current activity' recognises Google Chrome as Safari
@@ -40,7 +41,6 @@
- [DS-218] Cannot add/remove email subscriptions from Profile page in XMLUI - [DS-218] Cannot add/remove email subscriptions from Profile page in XMLUI
- [DS-238] Move item function in xmlui - [DS-238] Move item function in xmlui
(Tim Donohue / Andrea Bollini) (Tim Donohue / Andrea Bollini)
- [DS-228] Community Admin XMLUI: Delegated Admins Patch - [DS-228] Community Admin XMLUI: Delegated Admins Patch


@@ -1953,6 +1953,7 @@ plugin.sequence.org.dspace.authenticate.AuthenticationMethod =
netmask netmask
</screen> </screen>
<para>Negative metches can be set by prepending the entry with a '-'. For example if you want to include all of a class B network except for users of a contained class c network, you could use: 111.222,-111.222.333.</para>
<para><emphasis role="bold">Note:</emphasis> if the Groupname contains blanks you must escape the, e.g. Department\ of\ Statistics</para> <para><emphasis role="bold">Note:</emphasis> if the Groupname contains blanks you must escape the, e.g. Department\ of\ Statistics</para>
</section> </section>
<section remap="h4"> <section remap="h4">