Take a look at this block of code in the AuthenticatingFilter: https://github.com/apache/shiro/blob/ef5450b9f4be74ee930401115394823b9e1fc3e6/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java#L62-L72
Are you trying to restrict an IP/range for individual users, or a range for the whole application? A realm would work for the user case. For the application case, you could probably just create a filter. Either way, great stuff!

On Tue, Jan 10, 2017 at 11:39 AM, Richard Wheeldon <[email protected]> wrote:

> Hi,
>
> Having broken the back of the token based MFA, my next quest in bolting down my app is to add configurable IP-based restrictions. I’m thinking of a realm which reads a list of IPs or ranges (v4 or v6) from a DB then checks if the host matches.
>
> Two questions:
>
> 1. Is there any interest in my producing a generic / re-usable JdbcHostRestrictionRealm and kicking it back upstream? I can probably do this by cribbing from JdbcRealm.
> 2. My app is sat behind a load balancer which changes the IP address. Since we control the load balancer we can trust the X-Forwarded-For header in a downstream app. Is there a preferable place to hook in the logic to read it from the request and set it on the token?
>
> Richard
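One way to hook the second question into the code path pointed at above, as an added example that is neither part of this thread nor Shiro's own code: AuthenticatingFilter builds the UsernamePasswordToken from getHost(request), so overriding that method in a FormAuthenticationFilter subclass is enough to put the forwarded address on the token for a realm to check. The class name, the trustedProxies property and the assumption that the load balancer appends the connecting client as the last X-Forwarded-For entry are mine; the header is only consulted when the socket peer is one of the configured proxies, since otherwise it is client-controlled.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletRequest;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical filter: sets the token host from X-Forwarded-For, but only
 * when the immediate peer is one of our own load balancers. Any other peer
 * keeps its socket address, so a direct client cannot spoof the host.
 */
public class ForwardedHostAuthenticationFilter extends FormAuthenticationFilter {

    // Assumption: configured in shiro.ini, e.g.
    //   authc = com.example.ForwardedHostAuthenticationFilter
    //   authc.trustedProxies = 10.0.0.5, 10.0.0.6
    private Set<String> trustedProxies = new HashSet<String>();

    public void setTrustedProxies(String csv) {
        trustedProxies = new HashSet<String>(Arrays.asList(csv.trim().split("\\s*,\\s*")));
    }

    @Override
    protected String getHost(ServletRequest request) {
        String peer = request.getRemoteAddr();
        if (!trustedProxies.contains(peer)) {
            // Not via our LB: the header is whatever the client sent, ignore it.
            return peer;
        }
        String xff = WebUtils.toHttp(request).getHeader("X-Forwarded-For");
        if (xff == null || xff.trim().isEmpty()) {
            return peer;
        }
        // Assumption: our LB appends the client it accepted the connection from
        // as the LAST entry. Earlier entries were supplied by that client (or by
        // proxies we do not control), so they are never trusted.
        String[] hops = xff.split(",");
        String client = hops[hops.length - 1].trim();
        return client.isEmpty() ? peer : client;
    }
}
```

The value ends up in UsernamePasswordToken.getHost(), which is what a host-restriction realm would compare against its stored IPs or ranges.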
