Re: Restricting access by IP address
Thomas Markus wrote:
try a generic RegexMatcher (all untested :) )
I solved it temporarily by simply passing the IP address into the XSLT
stylesheet and doing the substringing there: that also let me output a
suitably-formatted eror message for off-siters. Thanks for your help.
///Peter
in your sitemap add this to components with your pattern:
map:matchers default=wildcard
map:matcher name=regular src=test.RegexMatcher
pattern^192\.168\.\d+\.\d+/pattern
/map:matcher
/map:matchers
and in your pipeline:
map:match pattern={request:remoteAddr} type=regular
!-- matched content, access regex groups with {0} or {1} ... --
/map:match
!-- unmatched content --
package test;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.avalon.framework.configuration.Configurable;
import org.apache.avalon.framework.configuration.Configuration;
import org.apache.avalon.framework.configuration.ConfigurationException;
import org.apache.avalon.framework.logger.AbstractLogEnabled;
import org.apache.avalon.framework.parameters.Parameters;
import org.apache.avalon.framework.thread.ThreadSafe;
import org.apache.cocoon.matching.Matcher;
import org.apache.cocoon.sitemap.PatternException;
public class RegexMatcher extends AbstractLogEnabled implements Matcher,
Configurable, ThreadSafe {
private Patternregexpattern;
public void configure(Configuration configuration) throws
ConfigurationException {
regexpattern =
Pattern.compile(configuration.getChild(pattern).getValue().trim());
}
public Map match(String pattern, Map objectModel, Parameters
parameters) throws PatternException {
java.util.regex.Matcher m = regexpattern.matcher(pattern);
if (m.matches()) {
HashMapString, String h = new HashMapString, String();
for (int i = 0, j = m.groupCount(); i = j; i++)
h.put(String.valueOf(i), m.group(i));
return h;
}
return null;
}
}
Peter Flynn schrieb:
Peter Flynn wrote:
Thomas Markus wrote:
hi,
look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access
or use a matcher/selector in your sitemap
map:select type=parameter
map:parameter name=parameter-selector-test
value={request:remoteAddr} /
map:when test=127.0.0.1
!-- actions for this ip --
/map:when
map:otherwise
!-- --
/map:otherwise
/map:select
That look like the right approach...except I can't find any
documentation at
http://cocoon.apache.org/2.2/core-modules/core/2.2/840_1_1.html on
the syntax of the test attribute.
I found some under the entry for Parameter Selector but it appears
that the test will only perform a plain equality. Is there a way to
perform a substring operation; when testing an IP address for access
permission I want to allow all xxx.yyy.*.* and prohibit everything else.
///Peter
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Thomas Markus wrote:
hi,
look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access
or use a matcher/selector in your sitemap
map:select type=parameter
map:parameter name=parameter-selector-test
value={request:remoteAddr} /
map:when test=127.0.0.1
!-- actions for this ip --
/map:when
map:otherwise
!-- --
/map:otherwise
/map:select
That look like the right approach...except I can't find any
documentation at
http://cocoon.apache.org/2.2/core-modules/core/2.2/840_1_1.html on the
syntax of the test attribute.
What I'm looking for is something like
test=substring($parameter-selector-test,1,7)='xxx.yyy'
Your example looks as if test is a binary operator implying equality,
but the documentation is blank about this.
///Peter
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Peter Flynn wrote:
Thomas Markus wrote:
hi,
look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access
or use a matcher/selector in your sitemap
map:select type=parameter
map:parameter name=parameter-selector-test
value={request:remoteAddr} /
map:when test=127.0.0.1
!-- actions for this ip --
/map:when
map:otherwise
!-- --
/map:otherwise
/map:select
That look like the right approach...except I can't find any
documentation at
http://cocoon.apache.org/2.2/core-modules/core/2.2/840_1_1.html on the
syntax of the test attribute.
I found some under the entry for Parameter Selector but it appears that
the test will only perform a plain equality. Is there a way to perform a
substring operation; when testing an IP address for access permission I
want to allow all xxx.yyy.*.* and prohibit everything else.
///Peter
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
try a generic RegexMatcher (all untested :) )
greets
thomas
in your sitemap add this to components with your pattern:
map:matchers default=wildcard
map:matcher name=regular src=test.RegexMatcher
pattern^192\.168\.\d+\.\d+/pattern
/map:matcher
/map:matchers
and in your pipeline:
map:match pattern={request:remoteAddr} type=regular
!-- matched content, access regex groups with {0} or {1} ... --
/map:match
!-- unmatched content --
package test;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.avalon.framework.configuration.Configurable;
import org.apache.avalon.framework.configuration.Configuration;
import org.apache.avalon.framework.configuration.ConfigurationException;
import org.apache.avalon.framework.logger.AbstractLogEnabled;
import org.apache.avalon.framework.parameters.Parameters;
import org.apache.avalon.framework.thread.ThreadSafe;
import org.apache.cocoon.matching.Matcher;
import org.apache.cocoon.sitemap.PatternException;
public class RegexMatcher extends AbstractLogEnabled implements Matcher,
Configurable, ThreadSafe {
private Patternregexpattern;
public void configure(Configuration configuration) throws
ConfigurationException {
regexpattern =
Pattern.compile(configuration.getChild(pattern).getValue().trim());
}
public Map match(String pattern, Map objectModel, Parameters
parameters) throws PatternException {
java.util.regex.Matcher m = regexpattern.matcher(pattern);
if (m.matches()) {
HashMapString, String h = new HashMapString, String();
for (int i = 0, j = m.groupCount(); i = j; i++)
h.put(String.valueOf(i), m.group(i));
return h;
}
return null;
}
}
Peter Flynn schrieb:
Peter Flynn wrote:
Thomas Markus wrote:
hi,
look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access
or use a matcher/selector in your sitemap
map:select type=parameter
map:parameter name=parameter-selector-test
value={request:remoteAddr} /
map:when test=127.0.0.1
!-- actions for this ip --
/map:when
map:otherwise
!-- --
/map:otherwise
/map:select
That look like the right approach...except I can't find any
documentation at
http://cocoon.apache.org/2.2/core-modules/core/2.2/840_1_1.html on
the syntax of the test attribute.
I found some under the entry for Parameter Selector but it appears
that the test will only perform a plain equality. Is there a way to
perform a substring operation; when testing an IP address for access
permission I want to allow all xxx.yyy.*.* and prohibit everything else.
///Peter
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
hi,
look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access
or use a matcher/selector in your sitemap
map:select type=parameter
map:parameter name=parameter-selector-test
value={request:remoteAddr} /
map:when test=127.0.0.1
!-- actions for this ip --
/map:when
map:otherwise
!-- --
/map:otherwise
/map:select
regards
thomas
Peter Flynn schrieb:
Jeroen Reijn wrote:
Hi Peter,
have you also considered doing this with a webserver in front of your
cocoon application?
Yes, we currently front Tomcat with Apache httpd as a virtual host,
but it's at the top level, eg
VirtualHost *:80
ServerAdmin pfl...@ucc.ie
ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
ServerName foobar.ucc.ie
ErrorLog logs/foobar.ucc.ie-error_log
CustomLog logs/foobar.ucc.ie-access_log combined
/VirtualHost
I can't seem to find any information about how to refine this so that
access to the specific URI for the feed gets checked, and all other
accesses get allowed, unless I create a separate VH for that feed only.
///Peter
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Another option is to use servlet filters [1] if you prefer to
implement the access restriction in Java.
Alex
[1] http://java.sun.com/products/servlet/Filters.html
On Sep 10, 2009, at 8:47 , Thomas Markus wrote:
hi,
look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access
or use a matcher/selector in your sitemap
map:select type=parameter
map:parameter name=parameter-selector-test
value={request:remoteAddr} /
map:when test=127.0.0.1
!-- actions for this ip --
/map:when
map:otherwise
!-- --
/map:otherwise
/map:select
regards
thomas
Peter Flynn schrieb:
Jeroen Reijn wrote:
Hi Peter,
have you also considered doing this with a webserver in front of
your
cocoon application?
Yes, we currently front Tomcat with Apache httpd as a virtual host,
but it's at the top level, eg
VirtualHost *:80
ServerAdmin pfl...@ucc.ie
ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
ServerName foobar.ucc.ie
ErrorLog logs/foobar.ucc.ie-error_log
CustomLog logs/foobar.ucc.ie-access_log combined
/VirtualHost
I can't seem to find any information about how to refine this so that
access to the specific URI for the feed gets checked, and all other
accesses get allowed, unless I create a separate VH for that feed
only.
///Peter
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Hi Peter, have you also considered doing this with a webserver in front of you cocoon application? Regards, Jeroen Peter Flynn wrote: I have developed an RSS feed summarising posts to an internal mailing list, but I need to restrict access to it by IP address so that it is usable only internally to the organisation. I can't see any way to do this using the authentication framework. Are there other ways to implement IP address checks within (eg) the sitemap? ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Jeroen Reijn wrote: Hi Peter, have you also considered doing this with a webserver in front of your cocoon application? Yes, we currently front Tomcat with Apache httpd as a virtual host, but it's at the top level, eg VirtualHost *:80 ServerAdmin pfl...@ucc.ie ProxyPreserveHost On ProxyPass / ajp://localhost:8009/ ProxyPassReverse / ajp://localhost:8009/ ServerName foobar.ucc.ie ErrorLog logs/foobar.ucc.ie-error_log CustomLog logs/foobar.ucc.ie-access_log combined /VirtualHost I can't seem to find any information about how to refine this so that access to the specific URI for the feed gets checked, and all other accesses get allowed, unless I create a separate VH for that feed only. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Hi Peter, i'm not really a sysadmin, so I'm no expert on Apache configurations, but can't you use the Location directive to handle this? http://httpd.apache.org/docs/2.0/mod/core.html#location Otherwise if you would want to solve it in Cocoon, I guess a combination of input modules and a selector would do the trick. Regards, Jeroen Peter Flynn wrote: Jeroen Reijn wrote: Hi Peter, have you also considered doing this with a webserver in front of your cocoon application? Yes, we currently front Tomcat with Apache httpd as a virtual host, but it's at the top level, eg VirtualHost *:80 ServerAdmin pfl...@ucc.ie ProxyPreserveHost On ProxyPass / ajp://localhost:8009/ ProxyPassReverse / ajp://localhost:8009/ ServerName foobar.ucc.ie ErrorLog logs/foobar.ucc.ie-error_log CustomLog logs/foobar.ucc.ie-access_log combined /VirtualHost I can't seem to find any information about how to refine this so that access to the specific URI for the feed gets checked, and all other accesses get allowed, unless I create a separate VH for that feed only. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
