openwayback icon indicating copy to clipboard operation
openwayback copied to clipboard

Published 20 hours ago verified publisher icon iipc

Issue with IP authentication in Version 2.4.0

Open aquast opened this issue 5 years ago • 3 comments

Due to issue #398 we updated to version 2.4.0 Unfortunately version 2.4.0 doesn't support IP authentification which was supported by version 2.3.2. wayback.xml looks like:

<property name="authentication"> <bean class="org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator"> <property name="allowedRanges"> <list> <value>IP-Range</value> </list> </property> </bean> </property>

wayback throws nullpointerexception:

Okt 16, 2019 4:39:03 PM org.archive.wayback.webapp.AccessPoint logError WARNING: Runtime Error java.lang.NullPointerException at org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator.getClientIPFromForwardedForHeader(IPMatchesBooleanOperator.java:102) at org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator.isTrue(IPMatchesBooleanOperator.java:126) at org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator.isTrue(IPMatchesBooleanOperator.java:39) at org.archive.wayback.webapp.AccessPoint.handleRequest(AccessPoint.java:288) at org.archive.wayback.util.webapp.RequestMapper.handleRequest(RequestMapper.java:198) at org.archive.wayback.util.webapp.RequestFilter.doFilter(RequestFilter.java:146) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)

aquast avatar Oct 16 '19 14:10 aquast

Hi @aquast , 2.4.0 should still support IPMatchesBooleanOperator.

After seeing your issue, I downloaded a 2.4.0 release and was able to put what you pasted into the wayback.xml standardaccesspoint bean, and it gave me a basic HTTP auth popup in the web app.

I also tried using IPMatchesBooleanOperator inside an AccessControlSettingOperation bean with a StaticMapExclusionFilterFactory which also worked for me:

    <property name="authentication">
      <bean class="org.archive.wayback.authenticationcontrol.AccessControlSettingOperation">
        <property name="operator">
          <bean class="org.archive.wayback.util.operator.NotBooleanOperator">
            <property name="operand">
              <bean class="org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator">
                <property name="allowedRanges">
                  <list>
                    <value>IPRANGE</value>
                  </list>
                </property>
              </bean>
            </property>
          </bean>
        </property>
        <property name="factory">
            <bean id="some-test" class="org.archive.wayback.accesscontrol.staticmap.StaticMapExclusionFilterFactory">
                <property name="file" value="/tmp/exclude.txt" />
                <property name="checkInterval" value="600" />
            </bean>
        </property>
      </bean>
    </property>

Are you using the same authentication configuration as you were with OpenWayback 2.3.2?

ldko avatar Oct 16 '19 21:10 ldko

Hi @ldko , thanks You for your fast feedback. Integrating the factory solves the nullpointerexception indeed. Without the factory integration null pointer exception is still there. Unfortunately the factory also prevents authentication property to restrict access to the IP Range defined in allowedRanges.

  <bean class="org.archive.wayback.authenticationcontrol.AccessControlSettingOperation">
    <property name="operator">
      <bean class="org.archive.wayback.util.operator.NotBooleanOperator">
        <property name="operand">
          <bean class="org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator">
            <property name="allowedRanges">
              <list>
                <value>10.10.0.2</value>
                <!-- <value>10.1.2.19</value> -->
              </list>
            </property>
          </bean>
        </property>
      </bean>
    </property>
    <property name="factory">
        <bean id="some-test" class="org.archive.wayback.accesscontrol.staticmap.StaticMapExclusionFilterFactory">
            <property name="file" value="/tmp/exclude.txt" />
            <property name="checkInterval" value="600" />
        </bean>
    </property>
  </bean>
</property> <

I wonder if there has to be something defined at <property name="file" value="/tmp/exclude.txt" />

aquast avatar Oct 17 '19 11:10 aquast

Regarding the <property name="file" value="/tmp/exclude.txt" />, the purpose of using StaticMapExclusionFilterFactory is to then have a file you create at the file path provided, in this case "/tmp/exclude.txt", that has a URL per line that you want to block access to. In what you have above, it should be that any URL listed in a file at /tmp/exclude.txt will have access restricted to any request not coming from 10.10.0.2. Access to a URL that is not in /tmp/exclude.txt will be allowed to anyone.

I am not sure why you are getting that NullPointerException. Perhaps you could increase logging levels via WEB-INF/classes/logging.properties to see if you get more details? Have you made other changes to the wayback.xml or other config files? We may need to see more of your wayback.xml.

I am using the default wayback.xml that is in the 2.4.0 release with the addition of this inside the standardaccesspoint:

    <property name="requestAuth" value="false" />

    <property name="authentication">
     <bean class="org.archive.wayback.authenticationcontrol.IPMatchesBooleanOperator">
      <property name="allowedRanges">
       <list>
        <value>555.55.0.0/16</value>
       </list>
      </property>
     </bean>
    </property>

If I then try to access a URL in OpenWayback, I get an Authentication Control Exception page (not a login popup this time because of the requestAuth property) in the browser, and I see in the log file a

WARNING: Runtime Error
org.archive.wayback.exception.AuthenticationControlException: Unauthorized

ldko avatar Oct 17 '19 18:10 ldko