Class IPAuthentication

java.lang.Object
org.dspace.authenticate.IPAuthentication
All Implemented Interfaces:
AuthenticationMethod

public class IPAuthentication extends Object implements AuthenticationMethod
Adds users to special groups based on IP address. Configuration parameter form is:

authentication.ip.<GROUPNAME> = <IPRANGE>[, <IPRANGE> ...]

e.g. authentication.ip.MIT = 18., 192.25.0.0/255.255.0.0

Negative matches can be included by prepending the range with a '-'. For example, if you want to include all of a class B network except for users of a contained class C network, you could use:

111.222,-111.222.333.

For supported IP ranges see IPMatcher.
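
A simplified model of the configuration form above, given as an added example that is not DSpace's own code: it parses the comma-delimited ranges for each group, collects groups from positive ranges, then removes groups whose negative ranges match the client address. `IpGroupModel`, its methods and the `CAMPUS` entry are hypothetical; only the two IPv4 range forms shown on this page are handled, and the add-then-remove evaluation order is an assumption about how `ipMatchers` and `ipNegativeMatchers` are combined.

```java
import java.util.*;

// Added illustration, not DSpace source. IpGroupModel and its methods are hypothetical.
public class IpGroupModel {
    // Parse a dotted IPv4 string (possibly partial, e.g. "18." or "111.222") into octets.
    static int[] octets(String s) {
        String[] parts = s.split("\\.");   // trailing empty strings are dropped: "18." -> ["18"]
        int[] o = new int[parts.length];
        for (int i = 0; i < parts.length; i++) o[i] = Integer.parseInt(parts[i]);
        return o;
    }

    // True if addr (full dotted quad) falls in range: a leading-octet prefix or address/netmask.
    static boolean matches(String range, String addr) {
        int[] a = octets(addr);
        int slash = range.indexOf('/');
        if (slash >= 0) {
            int[] net = octets(range.substring(0, slash));
            int[] mask = octets(range.substring(slash + 1));
            for (int i = 0; i < 4; i++)
                if ((a[i] & mask[i]) != (net[i] & mask[i])) return false;
            return true;
        }
        int[] p = octets(range);           // compare whole octets, so "10.20" never matches 10.200.x.x
        for (int i = 0; i < p.length; i++) if (a[i] != p[i]) return false;
        return true;
    }

    // Assumed order: add every group with a positive match, then remove every group with a negative match.
    static Set<String> groupsFor(Map<String, String> config, String addr) {
        Set<String> groups = new TreeSet<>(), denied = new TreeSet<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            for (String r : e.getValue().split(",")) {
                r = r.trim();
                if (r.startsWith("-")) { if (matches(r.substring(1), addr)) denied.add(e.getKey()); }
                else if (matches(r, addr)) groups.add(e.getKey());
            }
        }
        groups.removeAll(denied);
        return groups;
    }

    public static void main(String[] args) {
        Map<String, String> config = new LinkedHashMap<>();   // key = <GROUPNAME>, value = range list
        config.put("MIT", "18., 192.25.0.0/255.255.0.0");     // example value from this page
        config.put("CAMPUS", "10.20, -10.20.30.");            // constructed sample with a negative range
        for (String ip : new String[] {"18.7.22.1", "192.25.9.9", "10.20.5.5", "10.20.30.40", "8.8.8.8"})
            System.out.println(ip + " -> " + groupsFor(config, ip));
    }
}
```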

Version:
$Revision$
Author:
Robert Tansley
  • Field Details

    • ipMatchers

      protected List<IPMatcher> ipMatchers
      All the IP matchers
    • ipNegativeMatchers

      protected List<IPMatcher> ipNegativeMatchers
      All the negative IP matchers
    • groupService

      protected GroupService groupService
    • clientInfoService

      protected ClientInfoService clientInfoService
    • ipMatcherGroupNames

      protected Map<IPMatcher,String> ipMatcherGroupNames
      Maps IPMatchers to group names when we don't know group DB ID yet. When the DB ID is known, the IPMatcher is moved to ipMatcherGroupIDs and then points to the DB ID.
    • ipMatcherGroupIDs

      protected Map<IPMatcher,UUID> ipMatcherGroupIDs
      Maps IPMatchers to group IDs (UUIDs) where we know the group DB ID
  • Constructor Details

    • IPAuthentication

      public IPAuthentication()
      Initialize an IP authenticator, reading in the configuration. Note this will never fail if the configuration is bad -- a warning will be logged.
  • Method Details

    • addMatchers

      protected void addMatchers(String groupName, String[] ipRanges)
      Add matchers for the given comma-delimited IP ranges and group.
      Parameters:
      groupName - name of group
      ipRanges - IP ranges
    • canSelfRegister

      public boolean canSelfRegister(Context context, jakarta.servlet.http.HttpServletRequest request, String username) throws SQLException
      Description copied from interface: AuthenticationMethod
      Predicate, whether to allow new EPerson to be created. The answer determines whether a new user is created when the credentials describe a valid entity but there is no corresponding EPerson in DSpace yet. The EPerson is only created if authentication succeeds.
      Specified by:
      canSelfRegister in interface AuthenticationMethod
      Parameters:
      context - DSpace context
      request - HTTP request, in case it's needed. May be null.
      username - Username, if available. May be null.
      Returns:
      true if new ePerson should be created.
      Throws:
      SQLException - if database error
    • initEPerson

      public void initEPerson(Context context, jakarta.servlet.http.HttpServletRequest request, EPerson eperson) throws SQLException
      Description copied from interface: AuthenticationMethod
      Initialize a new EPerson record for a self-registered new user. Set any data in the EPerson that is specific to this authentication method.
      Specified by:
      initEPerson in interface AuthenticationMethod
      Parameters:
      context - DSpace context
      request - HTTP request, in case it's needed. May be null.
      eperson - newly created EPerson record - email + information from the registration form will have been filled out.
      Throws:
      SQLException - if database error
    • allowSetPassword

      public boolean allowSetPassword(Context context, jakarta.servlet.http.HttpServletRequest request, String username) throws SQLException
      Description copied from interface: AuthenticationMethod
      Should (or can) we allow the user to change their password? Note that this means the password stored in the EPerson record, so if any method in the stack returns true, the user is allowed to change it.
      Specified by:
      allowSetPassword in interface AuthenticationMethod
      Parameters:
      context - DSpace context
      request - HTTP request, in case it's needed. May be null.
      username - Username, if available. May be null.
      Returns:
      true if this method allows user to change ePerson password.
      Throws:
      SQLException - if database error
    • isImplicit

      public boolean isImplicit()
      Description copied from interface: AuthenticationMethod
      Predicate, is this an implicit authentication method. An implicit method gets credentials from the environment (such as an HTTP request or even Java system properties) rather than the explicit username and password. For example, a method that reads the X.509 certificates in an HTTPS request is implicit.
      Specified by:
      isImplicit in interface AuthenticationMethod
      Returns:
      true if this method uses implicit authentication.
    • getSpecialGroups

      public List<Group> getSpecialGroups(Context context, jakarta.servlet.http.HttpServletRequest request) throws SQLException
      Description copied from interface: AuthenticationMethod
      Get list of extra groups that user implicitly belongs to. Note that this method will be invoked regardless of the authentication status of the user (logged-in or not), e.g. for a group that depends on the client network address.

      It might make sense to implement this method by itself in a separate authentication method that just adds special groups, if the code doesn't belong with any existing auth method. The stackable authentication system was designed expressly to separate functions into "stacked" methods to keep your site-specific code modular and tidy.

      Specified by:
      getSpecialGroups in interface AuthenticationMethod
      Parameters:
      context - A valid DSpace context.
      request - The request that started this operation, or null if not applicable.
      Returns:
      array of EPerson-group IDs, possibly 0-length, but never null.
      Throws:
      SQLException - if database error
    • areSpecialGroupsApplicable

      public boolean areSpecialGroupsApplicable(Context context, jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: AuthenticationMethod
      Returns true if the special groups returned by AuthenticationMethod.getSpecialGroups(Context, HttpServletRequest) should implicitly be added to the groups related to the current user. By default this is true if the authentication method is the actual authentication mechanism used by the user.
      Specified by:
      areSpecialGroupsApplicable in interface AuthenticationMethod
      Parameters:
      context - A valid DSpace context.
      request - The request that started this operation, or null if not applicable.
      Returns:
      true if the special groups must be considered, false otherwise
    • authenticate

      public int authenticate(Context context, String username, String password, String realm, jakarta.servlet.http.HttpServletRequest request) throws SQLException
      Description copied from interface: AuthenticationMethod
      Authenticate the given or implicit credentials. This is the heart of the authentication method: test the credentials for authenticity, and if accepted, attempt to match (or optionally, create) an EPerson. If an EPerson is found it is set in the Context that was passed.
      Specified by:
      authenticate in interface AuthenticationMethod
      Parameters:
      context - DSpace context, will be modified (ePerson set) upon success.
      username - Username (or email address) when method is explicit. Use null for implicit method.
      password - Password for explicit auth, or null for implicit method.
      realm - Realm is an extra parameter used by some authentication methods, leave null if not applicable.
      request - The HTTP request that started this operation, or null if not applicable.
      Returns:
      One of: SUCCESS, BAD_CREDENTIALS, CERT_REQUIRED, NO_SUCH_USER, BAD_ARGS

      Meaning:
      SUCCESS - authenticated OK.
      BAD_CREDENTIALS - user exists, but credentials (e.g. passwd) don't match
      CERT_REQUIRED - not allowed to login this way without X.509 cert.
      NO_SUCH_USER - user not found using this method.
      BAD_ARGS - user/pw not appropriate for this method

      Throws:
      SQLException - if database error
    • loginPageURL

      public String loginPageURL(Context context, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Description copied from interface: AuthenticationMethod
      Get an external login page to which to redirect. Returns URL (as string) to which to redirect to obtain credentials (either password prompt or e.g. HTTPS port for client cert.); null means no redirect. Note: Starting with DSpace 7, session logins will be managed through the REST API. Therefore, only authn providers with external login pages (such as Shibboleth) should return a login page.
      Specified by:
      loginPageURL in interface AuthenticationMethod
      Parameters:
      context - DSpace context, will be modified (ePerson set) upon success.
      request - The HTTP request that started this operation, or null if not applicable.
      response - The HTTP response from the servlet method.
      Returns:
      fully-qualified URL or null
    • getName

      public String getName()
      Description copied from interface: AuthenticationMethod
      Returns a short name that uniquely identifies this authentication method
      Specified by:
      getName in interface AuthenticationMethod
      Returns:
      The authentication method name
    • isUsed

      public boolean isUsed(Context context, jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: AuthenticationMethod
      Get whether the authentication method is being used.
      Specified by:
      isUsed in interface AuthenticationMethod
      Parameters:
      context - The DSpace context
      request - The current request
      Returns:
      whether the authentication method is being used.
    • canChangePassword

      public boolean canChangePassword(Context context, EPerson ePerson, String currentPassword)
      Description copied from interface: AuthenticationMethod
      Check if the given current password is valid to change the password of the given ePerson
      Specified by:
      canChangePassword in interface AuthenticationMethod
      Parameters:
      context - The DSpace context
      ePerson - the ePerson related to the password change
      currentPassword - The current password to check
      Returns:
      true if the provided password matches with current password