WebLogic Server 7.0 Code Examples, BEA Systems, Inc.

examples.security.net
Class SimpleConnectionFilter2

java.lang.Object
  |
  +--examples.security.net.SimpleConnectionFilter2
All Implemented Interfaces:
weblogic.security.net.ConnectionFilter, weblogic.security.net.ConnectionFilterRulesListener, java.util.EventListener

public class SimpleConnectionFilter2
extends java.lang.Object
implements weblogic.security.net.ConnectionFilter, weblogic.security.net.ConnectionFilterRulesListener

Simple rules-based connection filter example. This example checks and sets a list of rules from the ConnectionFilterRules MBean, using the implementations of the checkRules() and setRules() methods in this example. It then bases its filtering decisions on these rules.

Syntax of the MBean ConnectionFilterRules is as follows: each rule is written on a single line. Tokens in a rule are separated by white space. "#" is the comment character; everything after it on a line is ignored. Whitespace before or after a rule is ignored. Lines consisting solely of whitespace or comments are skipped.

All rules follow this form:

target	localAddress	localPort	action	protocols
where target is a specification of one or more hosts to filter, localAddress is the server's local address (a "*" specified here will match all local IP addresses), localPort is the server's local port (a "*" specified here will match all local ports), action is the action to perform (and must be either allow or deny), and protocols is the list of protocol names to match (each must be one of http, https, t3, t3s, giop, giops, dcom, or ftp; if no protocols are listed, all protocols will match a rule).

This example recognizes two kinds of rule:

When a client connects, these rules are evaluated in the order in which they were written, and the first rule to match determines how the connection is treated. If no rules match, the connection is permitted.

If you want to "lock down" your server and only allow connections from certain addresses, you can specify 0.0.0.0/0 * * deny as your last rule.

Note: This example does not take full advantage of the information provided by the connection filter. Further expansion is left as an exercise for the reader. It assumes IPv4 addresses, but it should be easy to convert it to use IPv6 addresses, if necessary.
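The rule syntax and first-match evaluation described above, as an added stand-alone sketch (not BEA's SimpleConnectionFilter2 source and not using the weblogic.security.net API). The class name RuleOrderDemo, its methods, the sample rules, and the assumption that target is an IPv4 address with an optional /length are all hypothetical; hostnames and dotted-quad masks are not handled.

```java
import java.util.*;

// Added illustration of the rule syntax; not BEA's SimpleConnectionFilter2 source. Needs Java 16+.
public class RuleOrderDemo {
    record Rule(int net, int mask, String addr, String port, boolean allow, Set<String> protos) {}

    static int toInt(String ip) {                       // dotted quad -> 32-bit int
        int v = 0;
        for (String part : ip.split("\\.")) v = (v << 8) | Integer.parseInt(part);
        return v;
    }
    // "#" starts a comment; blank lines are skipped; action must be allow or deny.
    static List<Rule> parse(String[] lines) {
        List<Rule> rules = new ArrayList<>();
        for (String raw : lines) {
            int hash = raw.indexOf('#');
            String line = (hash >= 0 ? raw.substring(0, hash) : raw).trim();
            if (line.isEmpty()) continue;
            String[] t = line.split("\\s+");
            if (t.length < 4 || !(t[3].equals("allow") || t[3].equals("deny")))
                throw new IllegalArgumentException("bad rule: " + line);
            String[] target = t[0].split("/");          // assumed form: a.b.c.d[/length]
            int len = target.length > 1 ? Integer.parseInt(target[1]) : 32;
            int mask = len == 0 ? 0 : -1 << (32 - len); // Java shifts are mod 32, so /0 is special
            rules.add(new Rule(toInt(target[0]) & mask, mask, t[1], t[2], t[3].equals("allow"),
                    new HashSet<>(Arrays.asList(t).subList(4, t.length))));
        }
        return rules;
    }
    // First matching rule decides; if nothing matches the connection is permitted.
    static boolean allowed(List<Rule> rules, String remote, String addr, int port, String proto) {
        for (Rule r : rules) {
            boolean hit = (toInt(remote) & r.mask()) == r.net()
                    && (r.addr().equals("*") || r.addr().equals(addr))
                    && (r.port().equals("*") || r.port().equals(String.valueOf(port)))
                    && (r.protos().isEmpty() || r.protos().contains(proto));
            if (hit) return r.allow();
        }
        return true;
    }
    public static void main(String[] args) {
        String[] constructed = {                        // constructed sample rules
            "192.168.10.0/24 * 7001 allow t3 t3s   # admin subnet",
            "0.0.0.0/0 * * deny                    # lock down everything else",
        };
        List<Rule> rules = parse(constructed);
        System.out.println(allowed(rules, "192.168.10.5", "10.0.0.1", 7001, "t3"));
        System.out.println(allowed(rules, "192.168.10.5", "10.0.0.1", 7001, "http"));
        System.out.println(allowed(parse(new String[0]), "203.0.113.9", "10.0.0.1", 7001, "http"));
    }
}
```

The second call is denied even though the client is in the allowed subnet, because the protocol does not match the first rule and evaluation falls through to the final deny rule. The third call shows that an empty rule list permits every connection.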

Author:
Copyright (c) 1999-2002 by BEA Systems, Inc. All Rights Reserved.

Constructor Summary
SimpleConnectionFilter2()
          Constructs a new connection filter.
 
Method Summary
 void accept(weblogic.security.net.ConnectionEvent evt)
          Filters a client connection event.
(package private) static int addressToInt(java.net.InetAddress addr)
          Turns an address object into a single IPv4 address.
 void checkRules(java.lang.String[] filterList)
          Check the current rules.
protected static boolean parseAction(java.lang.String whatever)
          Parses an action and returns its meaning.
protected static int[] parseAddresses(java.lang.String str)
          Given a string, returns an array of IPv4 addresses corresponding to that string as a host.
protected  void parseLine(java.lang.String line, java.util.Vector entries)
          Parses an individual line of the rules.
protected static int parseNetmask(java.lang.String maskStr)
          Returns an IPv4 netmask, as derived from a spec string.
protected static int parseProtocols(java.util.StringTokenizer toks)
          Parses a list of protocols and returns a bitmask that will let us match a protocol quickly at connect time.
protected static int parseSingleAddress(java.lang.String str)
          Given a string, returns a single IPv4 address corresponding to that string as a host.
 void setRules(java.lang.String[] filterList)
          Set and check the current rules.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SimpleConnectionFilter2

public SimpleConnectionFilter2()
Constructs a new connection filter.
Method Detail

accept

public void accept(weblogic.security.net.ConnectionEvent evt)
            throws weblogic.security.net.FilterException
Filters a client connection event. If the connection should be allowed, this method returns normally.
Specified by:
accept in interface weblogic.security.net.ConnectionFilter
Parameters:
evt - the connection event
Throws:
weblogic.security.net.FilterException - the connection should be rejected by the server

addressToInt

static final int addressToInt(java.net.InetAddress addr)
Turns an address object into a single IPv4 address.

checkRules

public void checkRules(java.lang.String[] filterList)
                throws java.text.ParseException
Check the current rules.
Specified by:
checkRules in interface weblogic.security.net.ConnectionFilterRulesListener
Parameters:
filterList - list of filter rules.
Throws:
java.text.ParseException - a problem occurred while reading the rules.

parseAction

protected static final boolean parseAction(java.lang.String whatever)
                                    throws java.io.IOException
Parses an action and returns its meaning. True to allow, false to deny.
Parameters:
whatever - the action string

parseAddresses

protected static final int[] parseAddresses(java.lang.String str)
                                     throws java.io.IOException
Given a string, returns an array of IPv4 addresses corresponding to that string as a host.
Parameters:
str - hostname or IPv4 address in string form

parseLine

protected void parseLine(java.lang.String line,
                         java.util.Vector entries)
                  throws java.io.IOException,
                         java.lang.IllegalArgumentException
Parses an individual line of the rules. Any resulting rules are added to the given entries vector.
Parameters:
line - the line to parse (guaranteed not to contain comments, surrounding whitespace, or be empty)
entries - the running list of rules

parseNetmask

protected static final int parseNetmask(java.lang.String maskStr)
                                 throws java.io.IOException
Returns an IPv4 netmask, as derived from a spec string. The string can either be a number, for a mask length, or a dotted-quad mask.
Parameters:
maskStr - mask spec string

parseProtocols

protected static final int parseProtocols(java.util.StringTokenizer toks)
                                   throws weblogic.security.net.FilterException
Parses a list of protocols and returns a bitmask that will let us match a protocol quickly at connect time.

parseSingleAddress

protected static final int parseSingleAddress(java.lang.String str)
                                       throws java.io.IOException
Given a string, returns a single IPv4 address corresponding to that string as a host.
Parameters:
str - hostname or IPv4 address in string form

setRules

public void setRules(java.lang.String[] filterList)
              throws java.text.ParseException
Set and check the current rules.
Specified by:
setRules in interface weblogic.security.net.ConnectionFilterRulesListener
Parameters:
filterList - list of filter rules.
Throws:
java.text.ParseException - a problem occurred while reading the rules.

Documentation is available at
http://e-docs.bea.com/wls/docs70

Copyright © 2002 BEA Systems, Inc. All Rights Reserved.