[GeoNetwork-devel] MonitorSecurityFilter whiteList

Hi,

It doesn't appear that the MonitorSecurityFilter accepts CIDR format for IP ranges, and thus won't test whether the remote host is within a given subnet.

For example, I get the following error messages when I specify a CIDR address:

  ERROR [jeeves.monitor] - 192.168.1.0/24 is not a valid host. MonitorSecurityFilter's configuration in web.xml is not valid

The Java code using commons-net from Apache would be something like this:

  import org.apache.commons.net.util.SubnetUtils;
  import org.apache.commons.net.util.SubnetUtils.SubnetInfo;

  SubnetInfo subnet = new SubnetUtils("192.168.1.0/24").getInfo();
  subnet.isInRange("192.168.0.1");  // => false
  subnet.isInRange("192.168.1.1");  // => true
  subnet.isInRange("192.168.1.99"); // => true

Thanks,
-Darren
--
Darren Hardy
drh@anonymised.com
GIS Software Engineer
Digital Library Systems & Services
Stanford University Libraries
--
java.net.UnknownHostException: 192.168.1.0/24
        at java.net.InetAddress.getAllByName0(InetAddress.java:1184)
        at java.net.InetAddress.getAllByName(InetAddress.java:1110)
        at java.net.InetAddress.getAllByName(InetAddress.java:1046)
        at org.fao.geonet.monitor.MonitorSecurityFilter.isInWhileList(MonitorSecurityFilter.java:74)
        at org.fao.geonet.monitor.MonitorSecurityFilter.doFilter(MonitorSecurityFilter.java:37)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.fao.geonet.monitor.webapp.MetricsRegistryInitializerFilter.doFilter(MetricsRegistryInitializerFilter.java:31)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:662)

I have looked into this now. The filter uses InetAddress to resolve the address. It has to be a hostname or IP address. Can you remove the /24?


On Wed, May 8, 2013 at 12:42 AM, Darren Hardy <drh@anonymised.com> wrote:

GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork
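As an added example (not code from this thread or from GeoNetwork), here is one way the filter's check could accept CIDR prefixes alongside the hostnames and literal IPs it takes today, using only the JDK rather than commons-net. The class and method names are hypothetical, and since the thread does not show the filter's web.xml parameter, a comma-separated value is assumed. Entries are resolved once at init rather than on the request path, where the stack trace above shows InetAddress.getAllByName being called from inside doFilter.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/**
 * Allow-list check accepting hostnames, literal IPs and CIDR prefixes such as
 * 192.168.1.0/24 or 2001:db8::/32. Pure JDK, no commons-net dependency.
 * Assumption, not GeoNetwork code: the web.xml value is a comma-separated
 * list; the real parameter name and format are not shown in the thread.
 */
public final class CidrWhiteList {

    /** One parsed entry: network bytes plus the number of significant bits. */
    private static final class Entry {
        final byte[] network;
        final int prefixBits;

        Entry(byte[] network, int prefixBits) {
            this.network = network;
            this.prefixBits = prefixBits;
        }

        boolean matches(byte[] addr) {
            // A 4-byte entry never matches a 16-byte address and vice versa.
            if (addr.length != network.length) {
                return false;
            }
            int fullBytes = prefixBits / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (addr[i] != network[i]) {
                    return false;
                }
            }
            int restBits = prefixBits % 8;
            if (restBits == 0) {
                return true;
            }
            // Compare only the leading restBits of the partial byte.
            int mask = (0xFF << (8 - restBits)) & 0xFF;
            return (addr[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final List<Entry> entries = new ArrayList<>();

    /**
     * Parse once, at filter init. Hostnames are resolved here, not per request,
     * and a malformed entry throws so a typo in web.xml fails loudly instead of
     * silently allowing or denying everything.
     */
    public CidrWhiteList(String configValue) throws UnknownHostException {
        for (String raw : configValue.split(",")) {
            String item = raw.trim();
            if (item.isEmpty()) {
                continue;
            }
            int slash = item.indexOf('/');
            String host = slash < 0 ? item : item.substring(0, slash);
            if (host.isEmpty()) {
                throw new IllegalArgumentException(item + " has no host part");
            }
            // A hostname may resolve to several addresses; allow each of them.
            for (InetAddress resolved : InetAddress.getAllByName(host)) {
                byte[] bytes = resolved.getAddress();
                int bits = bytes.length * 8;               // exact-host match
                if (slash >= 0) {
                    bits = Integer.parseInt(item.substring(slash + 1));
                    if (bits < 0 || bits > bytes.length * 8) {
                        throw new IllegalArgumentException(
                            item + " is not a valid CIDR prefix length");
                    }
                }
                entries.add(new Entry(bytes, bits));
            }
        }
    }

    /** True if the literal remote address falls inside any allow-listed entry. */
    public boolean isAllowed(String remoteAddr) {
        try {
            // getRemoteAddr() is a literal, so no DNS lookup happens here. Java
            // returns an Inet4Address for IPv4-mapped IPv6 literals such as
            // ::ffff:192.168.1.5, so a /24 entry still matches those.
            byte[] addr = InetAddress.getByName(remoteAddr).getAddress();
            for (Entry e : entries) {
                if (e.matches(addr)) {
                    return true;
                }
            }
            return false;
        } catch (UnknownHostException e) {
            return false;                                   // fail closed
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample configuration; literals only, so it runs offline.
        CidrWhiteList wl = new CidrWhiteList(
            "127.0.0.1, 192.168.1.0/24, 10.0.0.0/13, 2001:db8::/32");
        for (String peer : new String[] {
                "192.168.1.99", "192.168.0.1", "10.7.255.254", "10.8.0.1",
                "2001:db8:1::1", "::ffff:192.168.1.5" }) {
            System.out.println(peer + " -> " + wl.isAllowed(peer));
        }
    }
}
```

With the sample list, 192.168.1.99 falls inside 192.168.1.0/24 and 192.168.0.1 does not, and 10.0.0.0/13 spans 10.0.0.0 through 10.7.255.255, so 10.7.255.254 is in while 10.8.0.1 is out. Whatever the matching logic, an address allow-list is only as trustworthy as the remote address the container reports: behind a reverse proxy that is the proxy's own address, and any forwarded-for header has to be validated separately before it is used for this decision.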

Yes, I can remove the CIDR format and expand the subnet into individual IP addresses as a workaround.

Sounds like this is a feature request -- to handle CIDR subnets in MonitorSecurityFilter -- as this is a common deployment for firewall protection.

Thanks,
-Darren

--
Darren Hardy
drh@anonymised.com
GIS Software Engineer
Digital Library Systems & Services
Stanford University Libraries

On May 8, 2013, at 7:13 AM, Jesse Eichar <jesse.eichar@anonymised.com> wrote:

I have looked into this now. The filter uses InetAddress to resolve the address. It has to be a hostname or IP address. Can you remove the /24?


Indeed it does sound like a feature request. I can try to find time to do this.


On Tue, May 14, 2013 at 6:21 PM, Darren Hardy <drh@anonymised.com…> wrote:
