Re: Restricting access by IP address
Thomas Markus wrote: try a generic RegexMatcher (all untested :) ) I solved it temporarily by simply passing the IP address into the XSLT stylesheet and doing the substringing there: that also let me output a suitably-formatted eror message for off-siters. Thanks for your help. ///Peter in your sitemap add this to components with your pattern: map:matchers default=wildcard map:matcher name=regular src=test.RegexMatcher pattern^192\.168\.\d+\.\d+/pattern /map:matcher /map:matchers and in your pipeline: map:match pattern={request:remoteAddr} type=regular !-- matched content, access regex groups with {0} or {1} ... -- /map:match !-- unmatched content -- package test; import java.util.HashMap; import java.util.Map; import java.util.regex.Pattern; import org.apache.avalon.framework.configuration.Configurable; import org.apache.avalon.framework.configuration.Configuration; import org.apache.avalon.framework.configuration.ConfigurationException; import org.apache.avalon.framework.logger.AbstractLogEnabled; import org.apache.avalon.framework.parameters.Parameters; import org.apache.avalon.framework.thread.ThreadSafe; import org.apache.cocoon.matching.Matcher; import org.apache.cocoon.sitemap.PatternException; public class RegexMatcher extends AbstractLogEnabled implements Matcher, Configurable, ThreadSafe { private Patternregexpattern; public void configure(Configuration configuration) throws ConfigurationException { regexpattern = Pattern.compile(configuration.getChild(pattern).getValue().trim()); } public Map match(String pattern, Map objectModel, Parameters parameters) throws PatternException { java.util.regex.Matcher m = regexpattern.matcher(pattern); if (m.matches()) { HashMapString, String h = new HashMapString, String(); for (int i = 0, j = m.groupCount(); i = j; i++) h.put(String.valueOf(i), m.group(i)); return h; } return null; } } Peter Flynn schrieb: Peter Flynn wrote: Thomas Markus wrote: hi, look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access or use a matcher/selector in your sitemap map:select type=parameter map:parameter name=parameter-selector-test value={request:remoteAddr} / map:when test=127.0.0.1 !-- actions for this ip -- /map:when map:otherwise !-- -- /map:otherwise /map:select That look like the right approach...except I can't find any documentation at http://cocoon.apache.org/2.2/core-modules/core/2.2/840_1_1.html on the syntax of the test attribute. I found some under the entry for Parameter Selector but it appears that the test will only perform a plain equality. Is there a way to perform a substring operation; when testing an IP address for access permission I want to allow all xxx.yyy.*.* and prohibit everything else. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Thomas Markus wrote: hi, look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access or use a matcher/selector in your sitemap map:select type=parameter map:parameter name=parameter-selector-test value={request:remoteAddr} / map:when test=127.0.0.1 !-- actions for this ip -- /map:when map:otherwise !-- -- /map:otherwise /map:select That look like the right approach...except I can't find any documentation at http://cocoon.apache.org/2.2/core-modules/core/2.2/840_1_1.html on the syntax of the test attribute. What I'm looking for is something like test=substring($parameter-selector-test,1,7)='xxx.yyy' Your example looks as if test is a binary operator implying equality, but the documentation is blank about this. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Peter Flynn wrote: Thomas Markus wrote: hi, look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access or use a matcher/selector in your sitemap map:select type=parameter map:parameter name=parameter-selector-test value={request:remoteAddr} / map:when test=127.0.0.1 !-- actions for this ip -- /map:when map:otherwise !-- -- /map:otherwise /map:select That look like the right approach...except I can't find any documentation at http://cocoon.apache.org/2.2/core-modules/core/2.2/840_1_1.html on the syntax of the test attribute. I found some under the entry for Parameter Selector but it appears that the test will only perform a plain equality. Is there a way to perform a substring operation; when testing an IP address for access permission I want to allow all xxx.yyy.*.* and prohibit everything else. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
try a generic RegexMatcher (all untested :) ) greets thomas in your sitemap add this to components with your pattern: map:matchers default=wildcard map:matcher name=regular src=test.RegexMatcher pattern^192\.168\.\d+\.\d+/pattern /map:matcher /map:matchers and in your pipeline: map:match pattern={request:remoteAddr} type=regular !-- matched content, access regex groups with {0} or {1} ... -- /map:match !-- unmatched content -- package test; import java.util.HashMap; import java.util.Map; import java.util.regex.Pattern; import org.apache.avalon.framework.configuration.Configurable; import org.apache.avalon.framework.configuration.Configuration; import org.apache.avalon.framework.configuration.ConfigurationException; import org.apache.avalon.framework.logger.AbstractLogEnabled; import org.apache.avalon.framework.parameters.Parameters; import org.apache.avalon.framework.thread.ThreadSafe; import org.apache.cocoon.matching.Matcher; import org.apache.cocoon.sitemap.PatternException; public class RegexMatcher extends AbstractLogEnabled implements Matcher, Configurable, ThreadSafe { private Patternregexpattern; public void configure(Configuration configuration) throws ConfigurationException { regexpattern = Pattern.compile(configuration.getChild(pattern).getValue().trim()); } public Map match(String pattern, Map objectModel, Parameters parameters) throws PatternException { java.util.regex.Matcher m = regexpattern.matcher(pattern); if (m.matches()) { HashMapString, String h = new HashMapString, String(); for (int i = 0, j = m.groupCount(); i = j; i++) h.put(String.valueOf(i), m.group(i)); return h; } return null; } } Peter Flynn schrieb: Peter Flynn wrote: Thomas Markus wrote: hi, look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access or use a matcher/selector in your sitemap map:select type=parameter map:parameter name=parameter-selector-test value={request:remoteAddr} / map:when test=127.0.0.1 !-- actions for this ip -- /map:when map:otherwise !-- -- /map:otherwise /map:select That look like the right approach...except I can't find any documentation at http://cocoon.apache.org/2.2/core-modules/core/2.2/840_1_1.html on the syntax of the test attribute. I found some under the entry for Parameter Selector but it appears that the test will only perform a plain equality. Is there a way to perform a substring operation; when testing an IP address for access permission I want to allow all xxx.yyy.*.* and prohibit everything else. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
hi, look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access or use a matcher/selector in your sitemap map:select type=parameter map:parameter name=parameter-selector-test value={request:remoteAddr} / map:when test=127.0.0.1 !-- actions for this ip -- /map:when map:otherwise !-- -- /map:otherwise /map:select regards thomas Peter Flynn schrieb: Jeroen Reijn wrote: Hi Peter, have you also considered doing this with a webserver in front of your cocoon application? Yes, we currently front Tomcat with Apache httpd as a virtual host, but it's at the top level, eg VirtualHost *:80 ServerAdmin pfl...@ucc.ie ProxyPreserveHost On ProxyPass / ajp://localhost:8009/ ProxyPassReverse / ajp://localhost:8009/ ServerName foobar.ucc.ie ErrorLog logs/foobar.ucc.ie-error_log CustomLog logs/foobar.ucc.ie-access_log combined /VirtualHost I can't seem to find any information about how to refine this so that access to the specific URI for the feed gets checked, and all other accesses get allowed, unless I create a separate VH for that feed only. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Another option is to use servlet filters [1] if you prefer to implement the access restriction in Java. Alex [1] http://java.sun.com/products/servlet/Filters.html On Sep 10, 2009, at 8:47 , Thomas Markus wrote: hi, look at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access or use a matcher/selector in your sitemap map:select type=parameter map:parameter name=parameter-selector-test value={request:remoteAddr} / map:when test=127.0.0.1 !-- actions for this ip -- /map:when map:otherwise !-- -- /map:otherwise /map:select regards thomas Peter Flynn schrieb: Jeroen Reijn wrote: Hi Peter, have you also considered doing this with a webserver in front of your cocoon application? Yes, we currently front Tomcat with Apache httpd as a virtual host, but it's at the top level, eg VirtualHost *:80 ServerAdmin pfl...@ucc.ie ProxyPreserveHost On ProxyPass / ajp://localhost:8009/ ProxyPassReverse / ajp://localhost:8009/ ServerName foobar.ucc.ie ErrorLog logs/foobar.ucc.ie-error_log CustomLog logs/foobar.ucc.ie-access_log combined /VirtualHost I can't seem to find any information about how to refine this so that access to the specific URI for the feed gets checked, and all other accesses get allowed, unless I create a separate VH for that feed only. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Hi Peter, have you also considered doing this with a webserver in front of you cocoon application? Regards, Jeroen Peter Flynn wrote: I have developed an RSS feed summarising posts to an internal mailing list, but I need to restrict access to it by IP address so that it is usable only internally to the organisation. I can't see any way to do this using the authentication framework. Are there other ways to implement IP address checks within (eg) the sitemap? ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Jeroen Reijn wrote: Hi Peter, have you also considered doing this with a webserver in front of your cocoon application? Yes, we currently front Tomcat with Apache httpd as a virtual host, but it's at the top level, eg VirtualHost *:80 ServerAdmin pfl...@ucc.ie ProxyPreserveHost On ProxyPass / ajp://localhost:8009/ ProxyPassReverse / ajp://localhost:8009/ ServerName foobar.ucc.ie ErrorLog logs/foobar.ucc.ie-error_log CustomLog logs/foobar.ucc.ie-access_log combined /VirtualHost I can't seem to find any information about how to refine this so that access to the specific URI for the feed gets checked, and all other accesses get allowed, unless I create a separate VH for that feed only. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org
Re: Restricting access by IP address
Hi Peter, i'm not really a sysadmin, so I'm no expert on Apache configurations, but can't you use the Location directive to handle this? http://httpd.apache.org/docs/2.0/mod/core.html#location Otherwise if you would want to solve it in Cocoon, I guess a combination of input modules and a selector would do the trick. Regards, Jeroen Peter Flynn wrote: Jeroen Reijn wrote: Hi Peter, have you also considered doing this with a webserver in front of your cocoon application? Yes, we currently front Tomcat with Apache httpd as a virtual host, but it's at the top level, eg VirtualHost *:80 ServerAdmin pfl...@ucc.ie ProxyPreserveHost On ProxyPass / ajp://localhost:8009/ ProxyPassReverse / ajp://localhost:8009/ ServerName foobar.ucc.ie ErrorLog logs/foobar.ucc.ie-error_log CustomLog logs/foobar.ucc.ie-access_log combined /VirtualHost I can't seem to find any information about how to refine this so that access to the specific URI for the feed gets checked, and all other accesses get allowed, unless I create a separate VH for that feed only. ///Peter - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org - To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org For additional commands, e-mail: users-h...@cocoon.apache.org