how to do ip access control

[liang]

Hi there,

I wonder to know if it is possible to use acegi security to control which ip address can access my system? I am very new to acegi, and I spend a lot of time to look up every acegi filters but couldn't find a suitable one to do the job. Any idea will be appreciated.

Regards,
Liang

[karldmoore]

I think you'll have to write this code yourself. It should be very straight forward though to extend on the existing filters. You could for instance overide AuthenticationProcessingFilter.attemptAuthenticati on, check if the IP address is invalid. If it is, throw an AuthenticationException. If not super.attemptAuthentication.

I'm sure there are lots of other ways of doing it, this is just one example.

[liang]

Thank you karldmoore, I followed your instruction, and it worked.

[Luke Taylor]

The remote address is also contained in the authentication details object which is set in the authentication request token by AuthenticationProcessingFilter:

http://acegisecurity.org/multiprojec...ilter.html#120

So you can access it at any point during the authentication process (e.g. in your authentication provider).

[karldmoore]

Its a fair point! To be honest I've used both approaches. When the user had IP restrictions, there was a check in DaoAuthenticationProvider.additionalAuthentication Check (if memory serves). We had another product which had general IP restrictions, that was done in the filter. Both worked fine, not sure if either is better or worse.

[Luke Taylor]

I guess it depends on the context. For example, if users are required to login from particular terminals and the terminal infromation is loaded with the rest of the user data, then it probably makes more sense to do it in the provider.

[karldmoore]

Agreed. That was the case in the previous example, user specific settings vs. system configuration. We went with provider for user specific and filter for system configuration.