Class AuthCheckFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class AuthCheckFilter
    extends Object
    implements javax.servlet.Filter
    A simple filter which checks for the auth token in the user's session. If it's not there the filter will redirect to the login page.
    • Field Detail

      • SERVLET_REQUEST_AUTHENTICATOR

        public static final SystemProperty<Class> SERVLET_REQUEST_AUTHENTICATOR
      • IP_ACCESS_BLOCKLIST

        public static final SystemProperty<Set<String>> IP_ACCESS_BLOCKLIST
        List of IP addresses that are not allowed to access the admin console.
      • IP_ACCESS_ALLOWLIST

        public static final SystemProperty<Set<String>> IP_ACCESS_ALLOWLIST
        List of IP addresses that are allowed to access the admin console. When empty, this list is ignored.
      • IP_ACCESS_IGNORE_EXCLUDES

        public static final SystemProperty<Boolean> IP_ACCESS_IGNORE_EXCLUDES
        Controls if IP Access lists are applied to excluded URLs.
      • ALLOW_WILDCARDS_IN_EXCLUDES

        public static final SystemProperty<Boolean> ALLOW_WILDCARDS_IN_EXCLUDES
        Controls whether wildcards are allowed in URLs that are excluded from auth checks.
    • Constructor Detail

      • AuthCheckFilter

        public AuthCheckFilter()
    • Method Detail

      • getInstance

        public static AuthCheckFilter getInstance()
        Returns a singleton instance of the AuthCheckFilter.
        Returns:
        an instance.
      • isServletRequestAuthenticatorInstanceOf

        public static boolean isServletRequestAuthenticatorInstanceOf​(Class<? extends ServletRequestAuthenticator> clazz)
        Indicates if the currently-installed ServletRequestAuthenticator is an instance of a specific class.
        Parameters:
        clazz - the class to check
        Returns:
        true if the currently-installed ServletRequestAuthenticator is an instance of clazz, otherwise false.
      • addExclude

        public static void addExclude​(String exclude)
        Adds a new string that, when present in the requested URL, causes the "is logged" check to be skipped.
        Parameters:
        exclude - the string to exclude.
      • removeExclude

        public static void removeExclude​(String exclude)
        Removes a string that, when present in the requested URL, causes the "is logged" check to be skipped.
        Parameters:
        exclude - the string that was being excluded.
      • testURLPassesExclude

        public static boolean testURLPassesExclude​(String url,
                                                   String exclude)
        Returns true if a URL passes an exclude rule.
        Parameters:
        url - the URL to test.
        exclude - the exclude rule.
        Returns:
        true if the URL passes the exclude test.
      • init

        public void init​(javax.servlet.FilterConfig config)
                  throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException
      • doFilter

        public void doFilter​(javax.servlet.ServletRequest req,
                             javax.servlet.ServletResponse res,
                             javax.servlet.FilterChain chain)
                      throws IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        IOException
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • passesBlocklist

        public static boolean passesBlocklist​(@Nonnull
                                              javax.servlet.ServletRequest req)
        Verifies that the remote address of the request is not on the blocklist. If this method returns 'false', the request should not be allowed to be serviced.
        Parameters:
        req - The request for which to check the remote address.
        Returns:
        true if the remote address of the request is not on the blocklist.
      • passesAllowList

        public static boolean passesAllowList​(@Nonnull
                                              javax.servlet.ServletRequest req)
        Verifies that the remote address of the request is either on the allowlist, or the allowlist is empty. If this method returns 'false', the request should not be allowed to be serviced.
        Parameters:
        req - The request for which to check the remote address.
        Returns:
        true if the remote address of the request is on the allowlist, or when the allowlist is empty.
      • isOnList

        public static boolean isOnList​(@Nonnull
                                       Set<String> list,
                                       @Nonnull
                                       String ipAddress)
        Checks if a particular IP address is on a list of addresses. The IP address is expected to be an IPv4 or IPv6 address. The list can contain IPv4 and IPv6 addresses, but also IPv4 and IPv6 address ranges. Ranges can be expressed as dash-separated strings (e.g. "192.168.0.0-192.168.255.255") or in CIDR notation (e.g. "192.168.0.0/16").
        Parameters:
        list - The list of addresses
        ipAddress - the address to check
        Returns:
        true if the address is detected in the list, otherwise false.
      • removeBracketsFromIpv6Address

        @Nonnull
        public static String removeBracketsFromIpv6Address​(@Nonnull
                                                           String address)
        When the provided input is an IPv6 literal that is enclosed in brackets (the [] style as expressed in https://tools.ietf.org/html/rfc2732 and https://tools.ietf.org/html/rfc6874), this method returns the value stripped of those brackets (the IPv6 address, instead of the literal). In all other cases, the input value is returned unchanged.
        Parameters:
        address - The value from which to strip brackets.
        Returns:
        the input value, stripped of brackets if applicable.
      • loadSetupExcludes

        public static void loadSetupExcludes()
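
Added example (not Openfire's implementation, and not part of the original Javadoc): a stand-alone sketch of the list semantics documented for isOnList, passesBlocklist and passesAllowList above, covering single addresses, dash-separated ranges, CIDR blocks, bracketed IPv6 literals and the "empty allowlist is ignored" rule. The class name, method names and sample addresses are hypothetical and constructed for illustration; it assumes Java 9 or later.

```java
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;
// Added illustration, not Openfire code. Class and method names are hypothetical.
public class IpAccessListDemo {
    static byte[] raw(String ip) throws UnknownHostException {
        return InetAddress.getByName(ip.trim()).getAddress(); // literals only: a host name would trigger DNS
    }
    static BigInteger num(byte[] b) { return new BigInteger(1, b); }
    static String stripBrackets(String a) {
        return a.startsWith("[") && a.endsWith("]") ? a.substring(1, a.length() - 1) : a;
    }
    static boolean entryMatches(String entry, String ip) throws UnknownHostException {
        byte[] addr = raw(ip), first;
        BigInteger low, high;
        if (entry.contains("/")) {                    // CIDR block
            String[] p = entry.split("/", 2);
            first = raw(p[0]);
            int hostBits = first.length * 8 - Integer.parseInt(p[1].trim());
            if (hostBits < 0 || hostBits > first.length * 8) return false; // malformed prefix
            BigInteger mask = BigInteger.ONE.shiftLeft(hostBits).subtract(BigInteger.ONE);
            low = num(first).andNot(mask);
            high = low.or(mask);
        } else {                                      // single address or "low-high" range
            String[] p = entry.split("-", 2);
            first = raw(p[0]);
            low = num(first);
            high = num(raw(p[p.length - 1]));
        }
        return addr.length == first.length && num(addr).compareTo(low) >= 0 && num(addr).compareTo(high) <= 0;
    }
    static boolean onList(Set<String> list, String ip) {
        for (String entry : list) {
            try { if (entryMatches(entry, ip)) return true; }
            catch (UnknownHostException | NumberFormatException e) { /* unparsable: no match */ }
        }
        return false;
    }
    static boolean allowed(Set<String> block, Set<String> allow, String remote) {
        String ip = stripBrackets(remote);
        return !onList(block, ip) && (allow.isEmpty() || onList(allow, ip)); // empty allowlist is ignored
    }
    public static void main(String[] args) {
        Set<String> block = Set.of("203.0.113.7", "198.51.100.0-198.51.100.255"); // constructed
        Set<String> allow = Set.of("192.168.0.0/16", "2001:db8::/32");            // constructed
        for (String r : new String[] {"192.168.10.4", "[2001:db8::1]", "10.0.0.1", "198.51.100.20"})
            System.out.println(r + " -> " + allowed(block, allow, r) + " / " + allowed(block, Set.of(), r));
    }
}
```

In this sketch an unparsable entry or address counts as "no match", which fails closed for a non-empty allowlist but fails open for the blocklist, so list entries are best validated when they are configured.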