Class IPAccessHandler

  extended by org.eclipse.jetty.util.component.AbstractLifeCycle
      extended by org.eclipse.jetty.util.component.AggregateLifeCycle
          extended by org.eclipse.jetty.server.handler.AbstractHandler
              extended by org.eclipse.jetty.server.handler.AbstractHandlerContainer
                  extended by org.eclipse.jetty.server.handler.HandlerWrapper
                      extended by org.eclipse.jetty.server.handler.IPAccessHandler
All Implemented Interfaces:
Handler, HandlerContainer, Destroyable, Dumpable, LifeCycle

public class IPAccessHandler
extends HandlerWrapper

IP Access Handler

Controls access to the wrapped handler by the real remote IP. Control is provided by white/black lists that include both internet addresses and URIs. This handler uses the real internet address of the connection, not the one reported in the forwarded-for headers, because the connection address cannot be forged as easily.

Typically, the black/white lists will be used in one of three modes:

An empty white list is treated as match all. If there is at least one entry in the white list, then a request must match a white list entry. Black list entries are always applied, so that even if an entry matches the white list, a black list entry will override it.

Internet addresses may be specified as an absolute address or as a combination of four octet wildcard specifications (a.b.c.d) that are defined as follows.

 nnn - an absolute value (0-255)
 mmm-nnn - an inclusive range of absolute values, 
           with following shorthand notations:
           nnn- => nnn-255
           -nnn => 0-nnn
           -    => 0-255
 a,b,... - a list of wildcard specifications

Internet address specification is separated from the URI pattern using the "|" (pipe) character. URI patterns follow the servlet specification for simple * prefix and suffix wild cards (e.g. /, /foo, /foo/bar, /foo/bar/*, *.baz).
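The matching rules described above, modelled as stand-alone Java (an added example, not Jetty's implementation and not code from this page). The class and method names, the sample entries, and the treatment of an entry without "|" as matching every path are assumptions of the example; URI matching is reduced to exact, "/prefix/*" and "*.ext" patterns.

```java
import java.util.List;

// Added illustration: simplified model of the documented rules, not Jetty's implementation.
public class IpAccessModel {
    // One octet: "nnn", "mmm-nnn", "nnn-", "-nnn", "-", or a comma list of those.
    static boolean octetMatches(String spec, int value) {
        for (String part : spec.split(",")) {
            int dash = part.indexOf('-');
            String from = dash < 0 ? part : part.substring(0, dash);
            String to = dash < 0 ? part : part.substring(dash + 1);
            int lo = from.isEmpty() ? 0 : Integer.parseInt(from);   // "-nnn" => 0-nnn
            int hi = to.isEmpty() ? 255 : Integer.parseInt(to);     // "nnn-" => nnn-255
            if (value >= lo && value <= hi) return true;
        }
        return false;
    }
    static boolean addrMatches(String spec, String addr) {
        String[] s = spec.split("\\."), a = addr.split("\\.");
        if (s.length != 4 || a.length != 4) return false;
        for (int i = 0; i < 4; i++)
            if (!octetMatches(s[i], Integer.parseInt(a[i]))) return false;
        return true;
    }
    // Simplified URI patterns: exact path, "/prefix/*" or "*.ext".
    static boolean pathMatches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String base = pattern.substring(0, pattern.length() - 2);
            return path.equals(base) || path.startsWith(base + "/");
        }
        return pattern.startsWith("*.") ? path.endsWith(pattern.substring(1)) : pattern.equals(path);
    }
    // Assumption of this model: an entry without "|" applies to every path.
    static boolean entryMatches(String entry, String addr, String path) {
        int bar = entry.indexOf('|');
        if (bar < 0) return addrMatches(entry, addr);
        return addrMatches(entry.substring(0, bar), addr) && pathMatches(entry.substring(bar + 1), path);
    }
    // An empty white list matches all; a black list match always overrides.
    static boolean allowed(List<String> white, List<String> black, String addr, String path) {
        boolean ok = white.isEmpty() || white.stream().anyMatch(e -> entryMatches(e, addr, path));
        return ok && black.stream().noneMatch(e -> entryMatches(e, addr, path));
    }

    public static void main(String[] args) {
        List<String> white = List.of("10.10.-.-|/admin/*", "-.-.-.-|/public/*"); // constructed entries
        List<String> black = List.of("10.10.1.5,6");                             // constructed entry
        String[][] reqs = {{"10.10.2.9", "/admin/x"}, {"10.10.1.6", "/admin/x"}, {"192.0.2.7", "/admin/x"}};
        for (String[] r : reqs) System.out.println(r[0] + " " + r[1] + " -> " + allowed(white, black, r[0], r[1]));
    }
}
```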

Earlier versions of the handler used internet address prefix wildcard specification to define a range of the internet addresses (e.g. 127., 10.10., 172.16.1.). They also used the first "/" character of the URI pattern to separate it from the internet address. Both of these features have been deprecated in the current version.

Examples of the entry specifications are:

Nested Class Summary
Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle
Field Summary
Fields inherited from class org.eclipse.jetty.server.handler.HandlerWrapper
Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
Constructor Summary
IPAccessHandler()
          Creates new handler object
IPAccessHandler(String[] white, String[] black)
          Creates new handler object and initializes white- and black-list
Method Summary
protected  void add(String entry, IPAddressMap<PathMap> patternMap)
          Helper method to parse the new entry and add it to the specified address pattern map.
 void addBlack(String entry)
          Add a blacklist entry to an existing handler configuration
 void addWhite(String entry)
          Add a whitelist entry to an existing handler configuration
protected  void doStart()
          Dump the white- and black-list configurations when started
 String dump()
          Dump the handler configuration
protected  void dump(StringBuilder buf, IPAddressMap<PathMap> patternMap)
          Dump a pattern map into a StringBuilder buffer
 void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response)
          Checks the incoming request against the whitelist and blacklist
protected  boolean isAddrUriAllowed(String addr, String path)
          Check if specified request is allowed by current IPAccess rules.
protected  void set(String[] entries, IPAddressMap<PathMap> patternMap)
          Helper method to process a list of new entries and replace the content of the specified address pattern map
 void setBlack(String[] entries)
          Re-initialize the blacklist of existing handler object
 void setWhite(String[] entries)
          Re-initialize the whitelist of existing handler object
Methods inherited from class org.eclipse.jetty.server.handler.HandlerWrapper
destroy, doStop, expandChildren, getHandler, getHandlers, getNestedHandlerByClass, setHandler, setServer
Methods inherited from class org.eclipse.jetty.server.handler.AbstractHandlerContainer
dump, expandHandler, getChildHandlerByClass, getChildHandlers, getChildHandlersByClass
Methods inherited from class org.eclipse.jetty.server.handler.AbstractHandler
dumpThis, getServer
Methods inherited from class org.eclipse.jetty.util.component.AggregateLifeCycle
addBean, dump, dump, dump, dumpStdErr, getBean, getBeans, getBeans, removeBean, removeBeans
Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
addLifeCycleListener, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle
addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop

Constructor Detail


public IPAccessHandler()
Creates new handler object


public IPAccessHandler(String[] white,
                       String[] black)
Creates new handler object and initializes white- and black-list

white - array of whitelist entries
black - array of blacklist entries
Method Detail


public void addWhite(String entry)
Add a whitelist entry to an existing handler configuration

entry - new whitelist entry


public void addBlack(String entry)
Add a blacklist entry to an existing handler configuration

entry - new blacklist entry


public void setWhite(String[] entries)
Re-initialize the whitelist of existing handler object

entries - array of whitelist entries


public void setBlack(String[] entries)
Re-initialize the blacklist of existing handler object

entries - array of blacklist entries


public void handle(String target,
                   Request baseRequest,
                   HttpServletRequest request,
                   HttpServletResponse response)
            throws IOException,
Checks the incoming request against the whitelist and blacklist

Specified by:
handle in interface Handler
handle in class HandlerWrapper
target - The target of the request - either a URI or a name.
baseRequest - The original unwrapped request object.
request - The request either as the Request object or a wrapper of that request. The HttpConnection.getCurrentConnection() method can be used to access the Request object if required.
response - The response as the Response object or a wrapper of that request. The HttpConnection.getCurrentConnection() method can be used to access the Response object if required.
See Also:
HandlerWrapper.handle(java.lang.String, org.eclipse.jetty.server.Request, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)


protected void add(String entry,
                   IPAddressMap<PathMap> patternMap)
Helper method to parse the new entry and add it to the specified address pattern map.

entry - new entry
patternMap - target address pattern map


protected void set(String[] entries,
                   IPAddressMap<PathMap> patternMap)
Helper method to process a list of new entries and replace the content of the specified address pattern map

entries - new entries
patternMap - target address pattern map


protected boolean isAddrUriAllowed(String addr,
                                   String path)
Check if specified request is allowed by current IPAccess rules.

addr - internet address
path - context path
Returns:
true if request is allowed


protected void doStart()
                throws Exception
Dump the white- and black-list configurations when started

doStart in class HandlerWrapper

public String dump()
Dump the handler configuration

Specified by:
dump in interface Dumpable
dump in class AggregateLifeCycle


protected void dump(StringBuilder buf,
                    IPAddressMap<PathMap> patternMap)
Dump a pattern map into a StringBuilder buffer

buf - buffer
patternMap - pattern map to dump

Copyright © 1995-2011 Mort Bay Consulting. All Rights Reserved.