Jetty.project: InetAccessHandler needs InetAddress & Path based restrictions like IPAccessHandler did

Created on 4 Nov 2016  路  3Comments  路  Source: eclipse/jetty.project

I can't seem to figure out why IPAccessHandler was deprecated. https://github.com/mashuai/jetty.project/blob/jetty-9.3.x/jetty-server/src/main/java/org/eclipse/jetty/server/handler/IPAccessHandler.java I saw some merge commit make this happen but didn't follow it further. I'm aware of it's recommended replacement, InetAccessHandler but it doesn't restrict by paths, which is super-useful in conjunction with IPs.

Enhancement

All 3 comments

Correct, the IPAccessHandler was deprecated as part of issue #882 and the effort to roll out IPv6 support.

The IPAccessHandler did things in strange IPv4 specific ways.

The InetAccessHandler was created to make a single AccessHandler that could work for IPv4 or IPv6.

The ability to restrict by path was not implemented as the existing ContextHandler mechanisms were thought sufficient to fit that role.

Do you have some use cases where ContextHandler is insufficient?

Can you please provide me a pointer to how one can restrict based on paths via the ContextHandler mechanisms?

My specific configuration with IPAccessHandler is as follows:

             <New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler">
               <Set name="white">
                 <Array type="String">
                   <Item>127.0.0.1</Item>
                   <Item>-.-.-.-|/solr/techproducts/select</Item>
                 </Array>
               </Set>
               <Set name="whiteListByPath">false</Set>
               <Set name="handler">
                 <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
               </Set>
             </New>

So connections from localhost can do anything, but anybody else is severely restricted.

We added an overridable method `isAllowed(InetAddress, HttpServletRequest), so that you will be able to override that method and perform your checks on the path too.

That also opens up the possibility to write a subclass of InetAccessHandler that performs the checks with a syntax similar to that of IPAccessHandler, but that is to be done.

Was this page helpful?
0 / 5 - 0 ratings