Class examples.security.net.SimpleConnectionFilter

All Examples  Security Examples

Class examples.security.net.SimpleConnectionFilter

java.lang.Object
    |
    +----examples.security.net.SimpleConnectionFilter

public class SimpleConnectionFilter
extends java.lang.Object
implements weblogic.security.net.ConnectionFilter

Simple rule-based connection filter example. This example reads in a set of rules from a file and bases its filtering decisions on these rules.

Syntax of the rule file is as follows: each rule is written on a single line. Tokens in a rule are separated by whitespace. "#" is the comment character; everything after it on a line is ignored. Whitespace before or after a rule is ignored. Lines consisting solely of whitespace or comments are skipped.

All rules follow this form:

target	action	protocols

where target is a specification of one or more hosts to filter, action is the action to perform (and must be either allow or deny), and protocols is the list of protocol names to match (must be one of http, https, t3, t3s, or giop; if no protocols are listed, all protocols will match a rule).

This example recognizes two kinds of rule:

A "fast" rule applies to a hostname or IP address, with an optional netmask. If a hostname corresponds to multiple IP addresses, multiple rules are generated (in no particular order). Netmasks can be specified either in numeric or dotted-quad form. Examples:
```
dialup-650-555-1212.pa.example.net  deny   t3 t3s     # http and https OK
192.168.81.0/255.255.254.0          allow             # 23-bit netmask
192.168.0.0/16                      deny              # like /255.255.0.0
```
Hostnames for fast rules are looked up once, at server startup time. While this greatly reduces connect-time overhead, it can result in the filter having an out-of-date idea of what addresses correspond to a hostname. For maximal comfort of mind, use numeric IP addresses instead.
A "slow" rule applies to part of a domain name. Since it requires a connect-time DNS lookup on a client in order to perform a match, it may be much slower than the "fast" rule, and it may also be subject to DNS spoofing. Slow rules are specified as follows:
```
.script-kiddiez.org	deny
```
The "*" only matches at the head of a pattern. If you specify one anywhere else, it will be treated as part of the pattern (and so that pattern will never match anything, since "*" is not a legal part of a domain name).

When a client connects, these rules are evaluated in the order in which they were written, and the first rule to match determines how the connection is treated. If no rules match, the connection is permitted.

If you want to "lock down" your server and only allow connections from certain addresses, you can specify 0.0.0.0/0 deny as your last rule.

This example does not take full advantage of the information provided by the connection filter. This this example assumes IPv4 addresses, but it should be easy to convert it to use IPv6 addresses, if necessary.

Author:: Copyright (c) 1999-2000 by BEA Systems, Inc. All Rights Reserved.

FILTER_FILE: The name of the filter rule file.

SimpleConnectionFilter(): Construct a new connection filter.
SimpleConnectionFilter(InputStream): Construct a new connection filter.

accept(ConnectionEvent): Filter a client connection event.
main(String[]): Simple test harness.
parseAction(String): Parse an action and return its meaning.
parseAddresses(String): Given a string, return an array of IPv4 addresses corresponding to that string as a host.
parseLine(String, Vector): Parse an individual line of the rule file.
parseNetmask(String): Return an IPv4 netmask, as derived from a spec string.
parseProtocols(StringTokenizer): Parse a list of protocols and return a bitmask that will let us match a protocol quickly at connect time.

FILTER_FILE

public static final java.lang.String FILTER_FILE

The name of the filter rule file.

SimpleConnectionFilter

public SimpleConnectionFilter() throws java.io.IOException

Throws:: java.io.IOException - a problem occurred while reading the rule file
See Also:: FILTER_FILE

SimpleConnectionFilter

public SimpleConnectionFilter(java.io.InputStream is) throws java.io.IOException

Parameters:: is - stream to read from
Throws:: java.io.IOException - a problem occurred while reading the rule file

parseLine

protected void parseLine(java.lang.String line,
                         java.util.Vector entries) throws java.io.IOException, java.lang.IllegalArgumentException

Parameters:: line - the line to parse (guaranteed not to contain comments, surrounding whitespace, or be empty); entries - the running list of rules

accept

public void accept(weblogic.security.net.ConnectionEvent evt) throws weblogic.security.net.FilterException

Parameters:: evt - the connection event
Throws:: weblogic.security.net.FilterException - the connection should be rejected by the server

parseProtocols

protected static final int parseProtocols(java.util.StringTokenizer toks) throws weblogic.security.net.FilterException

Parse a list of protocols and return a bitmask that will let us match a protocol quickly at connect time.

parseAddresses

protected static final int[] parseAddresses(java.lang.String str) throws java.io.IOException

Parameters:: str - hostname or IPv4 address in string form

parseNetmask

protected static final int parseNetmask(java.lang.String maskStr) throws java.io.IOException

Parameters:: maskStr - mask spec string

parseAction

protected static final boolean parseAction(java.lang.String whatever) throws java.io.IOException

Parameters:: whatever - the action string

main

public static void main(java.lang.String args[]) throws java.lang.Exception

Simple test harness. You can use this to write rules by hand, and then check them.

All Examples  Security Examples