Class UserIpLimitsAccessVoter

  • All Implemented Interfaces:
    org.springframework.security.access.AccessDecisionVoter

    public class UserIpLimitsAccessVoter
    extends Object
    implements org.springframework.security.access.AccessDecisionVoter
    Votes on access depending on user IP limits. If IP limits are defined for a user, then any requests made by that user must originate from a valid IP range. If no IP limits are defined, ABSTAIN. If IP limits are defined and the user's request is in a valid range, GRANT. If IP limits are defined and the user's request is not in a defined valid range, DENY.
    Author:
    Bill Branan Date: 04/15/15
    • Field Summary

      • Fields inherited from interface org.springframework.security.access.AccessDecisionVoter

        ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
    • Method Summary

      Modifier and Type Method Description
      protected String getUserIpLimits​(org.springframework.security.core.Authentication auth)
      Retrieves the IP limits defined for a given user.
      protected boolean ipInRange​(String ipAddress, String range)
      Determines if a given IP address is in the given IP range.
      boolean supports​(Class aClass)
      This method returns true if the arg class is an instance of or subclass of FilterInvocation.
      boolean supports​(org.springframework.security.access.ConfigAttribute configAttribute)
      This method always returns true because all configAttributes are able to be handled by this voter.
      int vote​(org.springframework.security.core.Authentication auth, Object resource, Collection config)
      This method checks the IP limits of the principal and denies access if those limits exist and the request is coming from outside the specified range.
    • Constructor Detail

      • UserIpLimitsAccessVoter

        public UserIpLimitsAccessVoter()
    • Method Detail

      • supports

        public boolean supports​(org.springframework.security.access.ConfigAttribute configAttribute)
        This method always returns true because all configAttributes are able to be handled by this voter.
        Specified by:
        supports in interface org.springframework.security.access.AccessDecisionVoter
        Parameters:
        configAttribute - any att
        Returns:
        true
      • supports

        public boolean supports​(Class aClass)
        This method returns true if the arg class is an instance of or subclass of FilterInvocation. No other classes can be handled by this voter.
        Specified by:
        supports in interface org.springframework.security.access.AccessDecisionVoter
        Parameters:
        aClass - to be analyzed for an AuthZ vote.
        Returns:
        true if aClass is an instance of or subclass of FilterInvocation
      • vote

        public int vote​(org.springframework.security.core.Authentication auth,
                        Object resource,
                        Collection config)
        This method checks the IP limits of the principal and denies access if those limits exist and the request is coming from outside the specified range.
        Specified by:
        vote in interface org.springframework.security.access.AccessDecisionVoter
        Parameters:
        auth - principal seeking AuthZ
        resource - that is under protection
        config - access-attributes defined on resource
        Returns:
        vote (AccessDecisionVoter.ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ABSTAIN)
      • getUserIpLimits

        protected String getUserIpLimits​(org.springframework.security.core.Authentication auth)
        Retrieves the IP limits defined for a given user.
        Parameters:
        auth - Authentication where user details can be found
        Returns:
        user ip limits, or null if no limits are set
      • ipInRange

        protected boolean ipInRange​(String ipAddress,
                                    String range)
        Determines if a given IP address is in the given IP range.
        Parameters:
        ipAddress - single IP address
        range - IP address range using CIDR notation
        Returns:
        true if the address is in the range, false otherwise
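
The ABSTAIN / GRANT / DENY rule from the class description and the CIDR check described for ipInRange, as an added stand-alone example (not the project's own code). It does not depend on Spring, handles IPv4 only, and assumes that several ranges are separated by ';' in the limits string; the class name IpLimitVoteExample, the toLong helper and the sample addresses are constructed for illustration.

```java
public class IpLimitVoteExample {
    // Same values as Spring Security's AccessDecisionVoter constants.
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // Strict dotted-quad parser: no DNS lookups, rejects anything malformed.
    static long toLong(String ip) {
        String[] octets = ip.trim().split("\\.", -1);
        if (octets.length != 4) throw new IllegalArgumentException(ip);
        long value = 0;
        for (String octet : octets) {
            if (!octet.matches("\\d{1,3}") || Integer.parseInt(octet) > 255) {
                throw new IllegalArgumentException(ip);
            }
            value = (value << 8) | Integer.parseInt(octet);
        }
        return value;
    }

    // True if ipAddress falls inside the CIDR range; malformed input never matches.
    static boolean ipInRange(String ipAddress, String range) {
        try {
            String[] parts = range.trim().split("/", -1);
            if (parts.length != 2 || !parts[1].matches("\\d{1,2}")) return false;
            int prefix = Integer.parseInt(parts[1]);
            if (prefix > 32) return false;
            long mask = (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
            return (toLong(ipAddress) & mask) == (toLong(parts[0]) & mask);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // ipLimits: null means no limits (per getUserIpLimits); ';' separator is assumed.
    static int vote(String ipLimits, String remoteAddr) {
        if (ipLimits == null) return ACCESS_ABSTAIN;
        for (String range : ipLimits.split(";")) {
            if (ipInRange(remoteAddr, range)) return ACCESS_GRANTED;
        }
        return ACCESS_DENIED; // limits exist but nothing matched: fail closed
    }

    public static void main(String[] args) {
        String limits = "10.1.0.0/16;192.0.2.10/32"; // constructed sample limits
        for (String ip : new String[] {"10.1.200.4", "192.0.2.11", "not-an-ip"}) {
            System.out.println(ip + " -> " + vote(limits, ip));
        }
        System.out.println("no limits -> " + vote(null, "203.0.113.7"));
    }
}
```

When the application sits behind a proxy or load balancer, the address passed to the check has to be the client address the deployment actually trusts, otherwise the limit is evaluated against the proxy's IP.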