Hi Marco, we have done this for a client. It checks the requests and from what ip addresses on login. It will then check that this user role is able to login from that IP address. If you create a login action listener you can monitor the requests and where they come from. Here is an example:
public class IPRangeCheckerLoginAction extends UserAction<ISession>
{
private final String userName;
private final String password;
private final IMxRuntimeRequest request;
private final String locale;
private final String currentSessionId;
private ILogNode log = Core.getLogger("IPRangechecker");
public IPRangeCheckerLoginAction(Map<String,? extends Object> params)
{
this.userName = (String)params.get("userName");
this.password = (String)params.get("password");
this.locale = (String)params.get("locale");
this.currentSessionId = (String)params.get("currentSessionId");
this.request = (IMxRuntimeRequest)params.get("request");
}
@Override
public ISession executeAction() throws Exception
{
IContext context = Core.createSystemContext();
String remoteAddress = request.getRemoteAddr();
String forwardedFor = request.getHeader("X-Forwarded-For");
String realIP = request.getHeader("X-Real-IP"); // This is the header which should be used to check the IP address range.
log.info("New login request (X-Real-IP: " + realIP + ", X-Forwarded-For:" + forwardedFor + ", remote address: " + remoteAddress);
if( realIP == null )
realIP = forwardedFor;
if( realIP == null )
realIP = remoteAddress;
IUser user = Core.getUser(context, userName);
if (user == null)
throw new AuthenticationRuntimeException("Login FAILED: unknown user '" + userName + "'.");
else if (user.isWebserviceUser())
throw new AuthenticationRuntimeException("Login FAILED: client login attempt for web service user '" + userName + "'.");
else if (user.isAnonymous())
throw new AuthenticationRuntimeException("Login FAILED: client login attempt for guest user '" + userName + "'.");
else if (user.isActive() == false)
throw new AuthenticationRuntimeException("Login FAILED: user '" + userName + "' is not active.");
else if (user.isBlocked() == true)
throw new AuthenticationRuntimeException("Login FAILED: user '" + userName + "' is blocked.");
else if (user.getUserRoleNames().isEmpty())
throw new AuthenticationRuntimeException("Login FAILED: user '" + userName + "' does not have any user roles.");
if( !validIp(context, realIP, user ) )
throw new AuthenticationRuntimeException("Login FAILED: user '" + userName + "' is not allowed to login from this ip-address(" + realIP + ")");
else if (!Core.authenticate(context, user, password))
throw new AuthenticationRuntimeException("Login FAILED: invalid password for user '" + user.getName() + "'.");
return Core.initializeSession(this.getContext(), user, locale, currentSessionId);
}`
What would be the way to execute this code (i.e. how do you create a login listener)?
Something like this perhaps?
//is client behind something? (proxy server/load balancer)
String ipAddress = request.getHeader("X-FORWARDED-FOR");
if (ipAddress == null) {
ipAddress = request.getRemoteAddr();
}