
Issue with IP authentication in Version 2.4.0 #408

Open
aquast opened this issue Oct 16, 2019 · 3 comments

aquast commented Oct 16, 2019

Due to issue #398 we updated to version 2.4.0.
Unfortunately version 2.4.0 doesn't support IP authentication, which was supported by version 2.3.2. wayback.xml looks like:

    <property name="authentication">
      <bean class="org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator">
        <property name="allowedRanges">
          <list>
            <value>IP-Range</value>
          </list>
        </property>
      </bean>
    </property>

Wayback throws a NullPointerException:

Okt 16, 2019 4:39:03 PM org.archive.wayback.webapp.AccessPoint logError
WARNING: Runtime Error
java.lang.NullPointerException
at org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator.getClientIPFromForwardedForHeader(IPMatchesBooleanOperator.java:102)
at org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator.isTrue(IPMatchesBooleanOperator.java:126)
at org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator.isTrue(IPMatchesBooleanOperator.java:39)
at org.archive.wayback.webapp.AccessPoint.handleRequest(AccessPoint.java:288)
at org.archive.wayback.util.webapp.RequestMapper.handleRequest(RequestMapper.java:198)
at org.archive.wayback.util.webapp.RequestFilter.doFilter(RequestFilter.java:146)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

Member

ldko commented Oct 16, 2019

Hi @aquast, 2.4.0 should still support IPMatchesBooleanOperator.

After seeing your issue, I downloaded a 2.4.0 release and was able to put what you pasted into the wayback.xml standardaccesspoint bean, and it gave me a basic HTTP auth popup in the web app.

I also tried using IPMatchesBooleanOperator inside an AccessControlSettingOperation bean with a StaticMapExclusionFilterFactory which also worked for me:

    <property name="authentication">
      <bean class="org.archive.wayback.authenticationcontrol.AccessControlSettingOperation">
        <property name="operator">
          <bean class="org.archive.wayback.util.operator.NotBooleanOperator">
            <property name="operand">
              <bean class="org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator">
                <property name="allowedRanges">
                  <list>
                    <value>IPRANGE</value>
                  </list>
                </property>
              </bean>
            </property>
          </bean>
        </property>
        <property name="factory">
            <bean id="some-test" class="org.archive.wayback.accesscontrol.staticmap.StaticMapExclusionFilterFactory">
                <property name="file" value="/tmp/exclude.txt" />
                <property name="checkInterval" value="600" />
            </bean>
        </property>
      </bean>
    </property>

Are you using the same authentication configuration as you were with OpenWayback 2.3.2?

Author

aquast commented Oct 17, 2019

Hi @ldko,
thank you for your fast feedback. Integrating the factory solves the NullPointerException indeed. Without the factory integration the NullPointerException is still there. Unfortunately the factory also prevents the authentication property from restricting access to the IP range defined in allowedRanges.

    <property name="authentication">
      <bean class="org.archive.wayback.authenticationcontrol.AccessControlSettingOperation">
        <property name="operator">
          <bean class="org.archive.wayback.util.operator.NotBooleanOperator">
            <property name="operand">
              <bean class="org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator">
                <property name="allowedRanges">
                  <list>
                    <value>10.10.0.2</value>
                    <!-- <value>10.1.2.19</value> -->
                  </list>
                </property>
              </bean>
            </property>
          </bean>
        </property>
        <property name="factory">
          <bean id="some-test" class="org.archive.wayback.accesscontrol.staticmap.StaticMapExclusionFilterFactory">
            <property name="file" value="/tmp/exclude.txt" />
            <property name="checkInterval" value="600" />
          </bean>
        </property>
      </bean>
    </property>

I wonder if there has to be something defined at <property name="file" value="/tmp/exclude.txt" />

Member

ldko commented Oct 17, 2019

Regarding the <property name="file" value="/tmp/exclude.txt" />, the purpose of using StaticMapExclusionFilterFactory is to then have a file you create at the file path provided, in this case "/tmp/exclude.txt", that has a URL per line that you want to block access to. In what you have above, it should be that any URL listed in a file at /tmp/exclude.txt will have access restricted to any request not coming from 10.10.0.2. Access to a URL that is not in /tmp/exclude.txt will be allowed to anyone.

I am not sure why you are getting that NullPointerException. Perhaps you could increase logging levels via WEB-INF/classes/logging.properties to see if you get more details? Have you made other changes to the wayback.xml or other config files? We may need to see more of your wayback.xml.

I am using the default wayback.xml that is in the 2.4.0 release with the addition of this inside the standardaccesspoint:

    <property name="requestAuth" value="false" />

    <property name="authentication">
     <bean class="org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator">
      <property name="allowedRanges">
       <list>
        <value>555.55.0.0/16</value>
       </list>
      </property>
     </bean>
    </property>

If I then try to access a URL in OpenWayback, I get an Authentication Control Exception page (not a login popup this time because of the requestAuth property) in the browser, and I see in the log file a

WARNING: Runtime Error
org.archive.wayback.exception.AuthenticationControlException: Unauthorized
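
The access decision described in the comment above (operator = NOT "IP matches", factory = static exclusion list), modelled in Python as an added example; it is not OpenWayback code and not written by either participant. The excluded URL, the trusted-proxy list and the rule for reading X-Forwarded-For are assumptions made for the illustration, and a missing or malformed header falls back or denies instead of raising.

```python
import ipaddress

# Constructed sample values mirroring the configuration in the thread.
ALLOWED_RANGES = ["10.10.0.2"]                   # <value> entries of allowedRanges
EXCLUDED_URLS = {"http://example.org/private"}   # constructed lines of /tmp/exclude.txt
TRUSTED_PROXIES = ["127.0.0.1"]                  # hypothetical: peers allowed to set X-Forwarded-For


def in_ranges(ip_text, ranges):
    """True if ip_text parses and lies in any range; malformed input never matches."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except (ValueError, AttributeError):
        return False
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def client_ip(remote_addr, forwarded_for):
    """Resolve the client address; forwarded_for may be None (header absent)."""
    if forwarded_for and in_ranges(remote_addr, TRUSTED_PROXIES):
        # Assumption: the rightmost entry is the one appended by the trusted proxy.
        return forwarded_for.split(",")[-1].strip()
    # No header, or a header sent by an untrusted peer: use the socket address.
    return remote_addr


def access_allowed(url, remote_addr, forwarded_for=None):
    """Exclusions apply only when the client IP does NOT match allowedRanges."""
    ip_matches = in_ranges(client_ip(remote_addr, forwarded_for), ALLOWED_RANGES)
    apply_exclusions = not ip_matches            # role of NotBooleanOperator
    if apply_exclusions and url in EXCLUDED_URLS:
        return False                             # listed URL, client outside the range
    return True                                  # unlisted URLs are open to anyone
```

In this model, an empty exclusion file means every URL is served to every client, whatever allowedRanges contains.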
