我有一个包含AdminController类的ASP.NET MVC项目,它给我提供以下这些URL:
我想配置服务器/应用程序,以便只能从192.168.0.0/24网络(即我们的局域网)访问包含/Admin的URI。
我想限制此控制器仅可从某些IP地址访问。
在WebForms中,/admin/是一个可以在IIS中限制的物理文件夹...但是在MVC中,当然没有物理文件夹。这是否可以使用web.config或属性实现,还是我需要拦截HTTP请求来实现此目的?
在ASP.NET MVC Beta中,通过IP地址限制访问特定控制器。
73
- Dylan Beattie
1
一个类似的问题已经有你要找的答案了...https://dev59.com/AnE95IYBdhLWcg3wXs2R#6108168 - Nathan Hartley
5个回答
114
我知道这是一个老问题,但今天我需要实现它并考虑在这里发布。
使用这里的IPList类(http://www.codeproject.com/KB/IP/ipnumbers.aspx)
筛选器属性FilterIPAttribute.cs:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Http;
using System.Security.Principal;
using System.Configuration;
namespace Miscellaneous.Attributes.Controller
{
/// <summary>
/// Filter by IP address
/// </summary>
public class FilterIPAttribute : AuthorizeAttribute
{
#region Allowed
/// <summary>
/// Comma seperated string of allowable IPs. Example "10.2.5.41,192.168.0.22"
/// </summary>
/// <value></value>
public string AllowedSingleIPs { get; set; }
/// <summary>
/// Comma seperated string of allowable IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0"
/// </summary>
/// <value>The masked I ps.</value>
public string AllowedMaskedIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key for allowed single IPs
/// </summary>
/// <value>The configuration key single I ps.</value>
public string ConfigurationKeyAllowedSingleIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key allowed mmasked IPs
/// </summary>
/// <value>The configuration key masked I ps.</value>
public string ConfigurationKeyAllowedMaskedIPs { get; set; }
/// <summary>
/// List of allowed IPs
/// </summary>
IPList allowedIPListToCheck = new IPList();
#endregion
#region Denied
/// <summary>
/// Comma seperated string of denied IPs. Example "10.2.5.41,192.168.0.22"
/// </summary>
/// <value></value>
public string DeniedSingleIPs { get; set; }
/// <summary>
/// Comma seperated string of denied IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0"
/// </summary>
/// <value>The masked I ps.</value>
public string DeniedMaskedIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key for denied single IPs
/// </summary>
/// <value>The configuration key single I ps.</value>
public string ConfigurationKeyDeniedSingleIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key for denied masked IPs
/// </summary>
/// <value>The configuration key masked I ps.</value>
public string ConfigurationKeyDeniedMaskedIPs { get; set; }
/// <summary>
/// List of denied IPs
/// </summary>
IPList deniedIPListToCheck = new IPList();
#endregion
/// <summary>
/// Determines whether access to the core framework is authorized.
/// </summary>
/// <param name="actionContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param>
/// <returns>
/// true if access is authorized; otherwise, false.
/// </returns>
/// <exception cref="T:System.ArgumentNullException">The <paramref name="httpContext"/> parameter is null.</exception>
protected override bool IsAuthorized(HttpActionContext actionContext)
{
if (actionContext == null)
throw new ArgumentNullException("actionContext");
string userIpAddress = ((HttpContextWrapper)actionContext.Request.Properties["MS_HttpContext"]).Request.UserHostName;
try
{
// Check that the IP is allowed to access
bool ipAllowed = CheckAllowedIPs(userIpAddress);
// Check that the IP is not denied to access
bool ipDenied = CheckDeniedIPs(userIpAddress);
// Only allowed if allowed and not denied
bool finallyAllowed = ipAllowed && !ipDenied;
return finallyAllowed;
}
catch (Exception e)
{
// Log the exception, probably something wrong with the configuration
}
return true; // if there was an exception, then we return true
}
/// <summary>
/// Checks the allowed IPs.
/// </summary>
/// <param name="userIpAddress">The user ip address.</param>
/// <returns></returns>
private bool CheckAllowedIPs(string userIpAddress)
{
// Populate the IPList with the Single IPs
if (!string.IsNullOrEmpty(AllowedSingleIPs))
{
SplitAndAddSingleIPs(AllowedSingleIPs, allowedIPListToCheck);
}
// Populate the IPList with the Masked IPs
if (!string.IsNullOrEmpty(AllowedMaskedIPs))
{
SplitAndAddMaskedIPs(AllowedMaskedIPs, allowedIPListToCheck);
}
// Check if there are more settings from the configuration (Web.config)
if (!string.IsNullOrEmpty(ConfigurationKeyAllowedSingleIPs))
{
string configurationAllowedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedSingleIPs];
if (!string.IsNullOrEmpty(configurationAllowedAdminSingleIPs))
{
SplitAndAddSingleIPs(configurationAllowedAdminSingleIPs, allowedIPListToCheck);
}
}
if (!string.IsNullOrEmpty(ConfigurationKeyAllowedMaskedIPs))
{
string configurationAllowedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedMaskedIPs];
if (!string.IsNullOrEmpty(configurationAllowedAdminMaskedIPs))
{
SplitAndAddMaskedIPs(configurationAllowedAdminMaskedIPs, allowedIPListToCheck);
}
}
return allowedIPListToCheck.CheckNumber(userIpAddress);
}
/// <summary>
/// Checks the denied IPs.
/// </summary>
/// <param name="userIpAddress">The user ip address.</param>
/// <returns></returns>
private bool CheckDeniedIPs(string userIpAddress)
{
// Populate the IPList with the Single IPs
if (!string.IsNullOrEmpty(DeniedSingleIPs))
{
SplitAndAddSingleIPs(DeniedSingleIPs, deniedIPListToCheck);
}
// Populate the IPList with the Masked IPs
if (!string.IsNullOrEmpty(DeniedMaskedIPs))
{
SplitAndAddMaskedIPs(DeniedMaskedIPs, deniedIPListToCheck);
}
// Check if there are more settings from the configuration (Web.config)
if (!string.IsNullOrEmpty(ConfigurationKeyDeniedSingleIPs))
{
string configurationDeniedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedSingleIPs];
if (!string.IsNullOrEmpty(configurationDeniedAdminSingleIPs))
{
SplitAndAddSingleIPs(configurationDeniedAdminSingleIPs, deniedIPListToCheck);
}
}
if (!string.IsNullOrEmpty(ConfigurationKeyDeniedMaskedIPs))
{
string configurationDeniedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedMaskedIPs];
if (!string.IsNullOrEmpty(configurationDeniedAdminMaskedIPs))
{
SplitAndAddMaskedIPs(configurationDeniedAdminMaskedIPs, deniedIPListToCheck);
}
}
return deniedIPListToCheck.CheckNumber(userIpAddress);
}
/// <summary>
/// Splits the incoming ip string of the format "IP,IP" example "10.2.0.0,10.3.0.0" and adds the result to the IPList
/// </summary>
/// <param name="ips">The ips.</param>
/// <param name="list">The list.</param>
private void SplitAndAddSingleIPs(string ips,IPList list)
{
var splitSingleIPs = ips.Split(',');
foreach (string ip in splitSingleIPs)
list.Add(ip);
}
/// <summary>
/// Splits the incoming ip string of the format "IP;MASK,IP;MASK" example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" and adds the result to the IPList
/// </summary>
/// <param name="ips">The ips.</param>
/// <param name="list">The list.</param>
private void SplitAndAddMaskedIPs(string ips, IPList list)
{
var splitMaskedIPs = ips.Split(',');
foreach (string maskedIp in splitMaskedIPs)
{
var ipAndMask = maskedIp.Split(';');
list.Add(ipAndMask[0], ipAndMask[1]); // IP;MASK
}
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
}
}
}
示例用法:
1. 直接在代码中指定IP地址
[FilterIP(
AllowedSingleIPs="10.2.5.55,192.168.2.2",
AllowedMaskedIPs="10.2.0.0;255.255.0.0,192.168.2.0;255.255.255.0"
)]
public class HomeController {
// Some code here
}
2. 或者,从 Web.config 中加载配置
[FilterIP(
ConfigurationKeyAllowedSingleIPs="AllowedAdminSingleIPs",
ConfigurationKeyAllowedMaskedIPs="AllowedAdminMaskedIPs",
ConfigurationKeyDeniedSingleIPs="DeniedAdminSingleIPs",
ConfigurationKeyDeniedMaskedIPs="DeniedAdminMaskedIPs"
)]
public class HomeController {
// Some code here
}
<configuration>
<appSettings>
<add key="AllowedAdminSingleIPs" value="localhost,127.0.0.1"/> <!-- Example "10.2.80.21,192.168.2.2" -->
<add key="AllowedAdminMaskedIPs" value="10.2.0.0;255.255.0.0"/> <!-- Example "10.2.0.0;255.255.0.0,192.168.2.0;255.255.255.0" -->
<add key="DeniedAdminSingleIPs" value=""/> <!-- Example "10.2.80.21,192.168.2.2" -->
<add key="DeniedAdminMaskedIPs" value=""/> <!-- Example "10.2.0.0;255.255.0.0,192.168.2.0;255.255.255.0" -->
</appSettings>
</configuration>
- sabbour
12
11太棒了,我已经将您的内容移植到ASP.NET Web API 上:https://gist.github.com/2028849。(只有IIS托管,因为它仍需要HttpContext.Current。我不确定如何从HttpRequestMessage中获取源客户端IP。) - Richard Dingwall
1@MystereMan - 如何扩展以支持IPv6地址? - Xaisoft
3我已更新答案,使其可以再次使用。它在我这里无法工作(MVC5)。请注意,AuthorizeAttribute现在来自System.Web.Http命名空间,而不是System.Web.Mvc命名空间。因此,AuthorizeCore函数已更改为IsAuthorized。 - Christiaan Maks
这个更新后的答案不适用于MVC4(仅适用于MVC5),但幸运的是之前的版本仍然被保存。 - George McKibbin
显示剩余7条评论
9
您应该在控制器中的请求对象中访问UserHostAddress以进行限制。建议您扩展AuthorizeAttribute并在其中添加您的IP地址限制,以便您可以简单地装饰任何需要此保护的方法或控制器。
- tvanfosson
5
这是一个有用的IP类,可以帮助过滤:http://www.codeproject.com/KB/IP/ipnumbers.aspx - Oskar Austegard
@tvanfosson 这种按 IP 限制的安全性有多高?我想知道的是,是否容易让某个人伪造 IP 来绕过这个安全特性。 - Despertar
@Despertar 由于响应将被发送回请求所在的IP地址,如果拥有该IP地址的机器受到您的控制和保护,那么我认为它可以很好地工作。当与本地(不可路由)地址一起使用时,它可能甚至更安全。我不太可能使用它来保护对我无法控制的系统中的敏感数据的访问。在这些情况下,我可能会根据需要与用户名/密码或API密钥一起使用它。 - tvanfosson
我应该使用web.config来允许或排除IP地址,使用此链接(https://www.stokia.com/support/misc/web-config-ip-address-restriction.aspx),这里(http://stackoverflow.com/a/29368702/2218697)是我的问题,你有什么想法吗? - Shaiju T
@storm 在这种情况下,Web配置文件可能不会有所帮助,因为即使Web配置文件允许访问,授权属性也会限制访问。理想情况下,您只需共享公共页面即可。看起来您在设置方面出了一些问题,并且正在共享结帐页面的URL。您是否正确设置了Facebook元标记,特别是og:url?https://developers.facebook.com/docs/sharing/best-practices - tvanfosson
3
我在MVC4中遇到了一个问题,需要解决IPv6和IP范围的处理。此外,我需要使用白名单和黑名单进行授权,但在IP不在名单之内时也需要使用普通的授权流程。
这是我从@sabbour和@Richard Szalay(如何检查输入IP是否属于特定IP范围)的杰出帖子中汲取经验后得出的解决方案,现在我将其发布在这里,为可能需要的人提供帮助。
public class MagniAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
#region Allowed
public bool IsPublic { get; set; }
/// <summary>
/// Comma seperated string of allowable IPs. Example "10.2.5.41,192.168.0.22"
/// </summary>
/// <value></value>
public string AllowedSingleIPs { get; set; }
/// <summary>
/// Comma seperated string of allowable IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0"
/// </summary>
/// <value>The masked I ps.</value>
public string AllowedIPRanges { get; set; }
/// <summary>
/// Gets or sets the configuration key for allowed single IPs
/// </summary>
/// <value>The configuration key single I ps.</value>
public string ConfigurationKeyAllowedSingleIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key allowed mmasked IPs
/// </summary>
/// <value>The configuration key masked I ps.</value>
public string ConfigurationKeyAllowedMaskedIPs { get; set; }
#endregion
#region Denied
/// <summary>
/// Comma seperated string of denied IPs. Example "10.2.5.41,192.168.0.22"
/// </summary>
/// <value></value>
public string DeniedSingleIPs { get; set; }
/// <summary>
/// Comma seperated string of denied IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0"
/// </summary>
/// <value>The masked I ps.</value>
public string DeniedIPRanges { get; set; }
/// <summary>
/// Gets or sets the configuration key for denied single IPs
/// </summary>
/// <value>The configuration key single I ps.</value>
public string ConfigurationKeyDeniedSingleIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key for denied masked IPs
/// </summary>
/// <value>The configuration key masked I ps.</value>
public string ConfigurationKeyDeniedMaskedIPs { get; set; }
#endregion
/// <summary>
/// Checks the allowed IPs.
/// </summary>
/// <param name="userIpAddress">The user ip address.</param>
/// <returns></returns>
private bool CheckAllowedIPs(IPAddress userIpAddress)
{
List<IPAddress> allowedIPsToCheck = new List<IPAddress>();
List<IPAddressRange> allowedIPRangesToCheck = new List<IPAddressRange>();
// Populate the IPList with the Single IPs
if (!string.IsNullOrEmpty(AllowedSingleIPs))
{
SplitAndAddSingleIPs(AllowedSingleIPs, allowedIPsToCheck);
}
// Populate the IPList with the Masked IPs
if (!string.IsNullOrEmpty(AllowedIPRanges))
{
SplitAndAddIPRanges(AllowedIPRanges, allowedIPRangesToCheck);
}
// Check if there are more settings from the configuration (Web.config)
if (!string.IsNullOrEmpty(ConfigurationKeyAllowedSingleIPs))
{
string configurationAllowedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedSingleIPs];
if (!string.IsNullOrEmpty(configurationAllowedAdminSingleIPs))
{
SplitAndAddSingleIPs(configurationAllowedAdminSingleIPs, allowedIPsToCheck);
}
}
if (!string.IsNullOrEmpty(ConfigurationKeyAllowedMaskedIPs))
{
string configurationAllowedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedMaskedIPs];
if (!string.IsNullOrEmpty(configurationAllowedAdminMaskedIPs))
{
SplitAndAddIPRanges(configurationAllowedAdminMaskedIPs, allowedIPRangesToCheck);
}
}
return allowedIPsToCheck.Any(a => a.Equals(userIpAddress)) || allowedIPRangesToCheck.Any(a => a.IsInRange(userIpAddress));
}
/// <summary>
/// Checks the denied IPs.
/// </summary>
/// <param name="userIpAddress">The user ip address.</param>
/// <returns></returns>
private bool CheckDeniedIPs(IPAddress userIpAddress)
{
List<IPAddress> deniedIPsToCheck = new List<IPAddress>();
List<IPAddressRange> deniedIPRangesToCheck = new List<IPAddressRange>();
// Populate the IPList with the Single IPs
if (!string.IsNullOrEmpty(DeniedSingleIPs))
{
SplitAndAddSingleIPs(DeniedSingleIPs, deniedIPsToCheck);
}
// Populate the IPList with the Masked IPs
if (!string.IsNullOrEmpty(DeniedIPRanges))
{
SplitAndAddIPRanges(DeniedIPRanges, deniedIPRangesToCheck);
}
// Check if there are more settings from the configuration (Web.config)
if (!string.IsNullOrEmpty(ConfigurationKeyDeniedSingleIPs))
{
string configurationDeniedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedSingleIPs];
if (!string.IsNullOrEmpty(configurationDeniedAdminSingleIPs))
{
SplitAndAddSingleIPs(configurationDeniedAdminSingleIPs, deniedIPsToCheck);
}
}
if (!string.IsNullOrEmpty(ConfigurationKeyDeniedMaskedIPs))
{
string configurationDeniedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedMaskedIPs];
if (!string.IsNullOrEmpty(configurationDeniedAdminMaskedIPs))
{
SplitAndAddIPRanges(configurationDeniedAdminMaskedIPs, deniedIPRangesToCheck);
}
}
return deniedIPsToCheck.Any(a => a.Equals(userIpAddress)) || deniedIPRangesToCheck.Any(a => a.IsInRange(userIpAddress));
}
/// <summary>
/// Splits the incoming ip string of the format "IP,IP" example "10.2.0.0,10.3.0.0" and adds the result to the IPAddress list
/// </summary>
/// <param name="ips">The ips.</param>
/// <param name="list">The list.</param>
private void SplitAndAddSingleIPs(string ips, List<IPAddress> list)
{
var splitSingleIPs = ips.Split(',');
IPAddress ip;
foreach (string ipString in splitSingleIPs)
{
if(IPAddress.TryParse(ipString, out ip))
list.Add(ip);
}
}
/// <summary>
/// Splits the incoming ip ranges string of the format "IP-IP,IP-IP" example "10.2.0.0-10.2.255.255,10.3.0.0-10.3.255.255" and adds the result to the IPAddressRange list
/// </summary>
/// <param name="ips">The ips.</param>
/// <param name="list">The list.</param>
private void SplitAndAddIPRanges(string ips, List<IPAddressRange> list)
{
var splitMaskedIPs = ips.Split(',');
IPAddress lowerIp;
IPAddress upperIp;
foreach (string maskedIp in splitMaskedIPs)
{
var ipRange = maskedIp.Split('-');
if (IPAddress.TryParse(ipRange[0], out lowerIp) && IPAddress.TryParse(ipRange[1], out upperIp))
list.Add(new IPAddressRange(lowerIp, upperIp));
}
}
protected void HandleUnauthorizedRequest(AuthorizationContext context)
{
context.Result = new RedirectToRouteResult(new RouteValueDictionary { { "Controller", "Home" },
{ "Action", "Login" },
{ "OriginalURL", context.HttpContext.Request.Url.AbsoluteUri } });
}
protected bool AuthorizeCore(AuthorizationContext context)
{
try
{
string userIPString = context.HttpContext.Request.UserHostName;
IPAddress userIPAddress = IPAddress.Parse(userIPString);
// Check that the IP is allowed to access
bool? ipAllowed = CheckAllowedIPs(userIPAddress) ? true : (bool?)null;
// Check that the IP is not denied to access
ipAllowed = CheckDeniedIPs(userIPAddress) ? false : ipAllowed;
if (ipAllowed.HasValue)
{
return ipAllowed.Value;
}
var serverSession = context.HttpContext.Session;
UserSession session = null;
//usersession in server session
if (serverSession[Settings.HttpContextUserSession] != null)
{
session = (UserSession)serverSession[Settings.HttpContextUserSession];
Trace.TraceInformation($"[{MethodBase.GetCurrentMethod().Name}] UserId:" + session.UserId + ". ClientId: " + session.ClientId);
return true;
}
//usersession in database from cookie
session = UserSession.GetSession(context.HttpContext.Request.Cookies.Get("sessionId").Value);
if (session != null)
{
Trace.TraceInformation($"[{MethodBase.GetCurrentMethod().Name}] Session found for cookie {context.HttpContext.Request.Cookies.Get("sessionId").Value}");
serverSession[Settings.HttpContextUserSession] = session;
Trace.TraceInformation($"[{MethodBase.GetCurrentMethod().Name}] UserId:" + session.UserId + ". ClientId: " + session.ClientId);
return true;
}
else
{
Trace.TraceInformation($"[{MethodBase.GetCurrentMethod().Name}] No session found for cookie {serverSession["cookie"]}");
return false;
}
}
catch (Exception ex)
{
Trace.TraceError($"[{MethodBase.GetCurrentMethod().Name}] exception: {ex.Message} - trace {ex.StackTrace}");
return false;
}
}
public void OnAuthorization(AuthorizationContext actionContext)
{
if (IsPublic == false && AuthorizeCore(actionContext) == false)
{
HandleUnauthorizedRequest(actionContext);
}
}
}
- Jorge Rodrigues dos Santos
3
我使用的最简单方法
第一步:
在配置表(如果有)或任何其他表上添加一行,并将您可访问的IP地址插入到此表中。
第二步:
将此操作筛选器添加到您的startup.cs。
public class IpAuthAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
base.OnActionExecuting(filterContext);
string ip = System.Web.HttpContext.Current.Request.UserHostAddress;
string ips = "";
using (var db = new DataBase())
{
ips = db.Configs.SingleOrDefault().IP;
}
if (!ips.Contains(ip))
{
filterContext.Result = new RedirectToRouteResult(new System.Web.Routing.RouteValueDictionary(new
{
controller = "Account",
action = "OutOfRange"
}));
}
}
}
然后在您的控制器上想要执行的每个操作上使用它。
[IpAuth]
public ActionResult Index()
{
return View();
}
- HO3EiN
3
我发现Sabbour的解决方案非常好,但是为了更符合我的需求,我需要进行两个更改:
Allow access if the allowed list is empty. This way you can allow any IP by simply changing the config (e.g. for test deployments) or allow all IPs except explicitly denied ones. To do this I extended IPList to include a Count property and check it as part of CheckAllowedIPs:
return _allowedIpListToCheck.Count == 0 || _allowedIpListToCheck.CheckNumber(userIpAddress);Override HandleUnauthorizedRequest to always return 403. The AuthorizeAtrribute returns 401 by default:
public override void OnAuthorization(AuthorizationContext actionContext) { if (AuthorizeCore((HttpContextBase)actionContext.HttpContext)) return; HandleUnauthorizedRequest(actionContext); } protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) { filterContext.Result = new HttpStatusCodeResult(403, "IP Access Denied"); }
这是FilterIpAttribute类的完整变体:
public class FilterIpAttribute:AuthorizeAttribute
{
#region Allowed
/// <summary>
/// Comma seperated string of allowable IPs. Example "10.2.5.41,192.168.0.22"
/// </summary>
/// <value></value>
public string AllowedSingleIPs { get; set; }
/// <summary>
/// Comma seperated string of allowable IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0"
/// </summary>
/// <value>The masked I ps.</value>
public string AllowedMaskedIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key for allowed single IPs
/// </summary>
/// <value>The configuration key single I ps.</value>
public string ConfigurationKeyAllowedSingleIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key allowed mmasked IPs
/// </summary>
/// <value>The configuration key masked I ps.</value>
public string ConfigurationKeyAllowedMaskedIPs { get; set; }
/// <summary>
/// List of allowed IPs
/// </summary>
readonly IpList _allowedIpListToCheck = new IpList();
#endregion
#region Denied
/// <summary>
/// Comma seperated string of denied IPs. Example "10.2.5.41,192.168.0.22"
/// </summary>
/// <value></value>
public string DeniedSingleIPs { get; set; }
/// <summary>
/// Comma seperated string of denied IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0"
/// </summary>
/// <value>The masked I ps.</value>
public string DeniedMaskedIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key for denied single IPs
/// </summary>
/// <value>The configuration key single I ps.</value>
public string ConfigurationKeyDeniedSingleIPs { get; set; }
/// <summary>
/// Gets or sets the configuration key for denied masked IPs
/// </summary>
/// <value>The configuration key masked I ps.</value>
public string ConfigurationKeyDeniedMaskedIPs { get; set; }
/// <summary>
/// List of denied IPs
/// </summary>
readonly IpList _deniedIpListToCheck = new IpList();
#endregion
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException("httpContext");
string userIpAddress = httpContext.Request.UserIp();
try
{
// Check that the IP is allowed to access
bool ipAllowed = CheckAllowedIPs(userIpAddress);
// Check that the IP is not denied to access
bool ipDenied = CheckDeniedIPs(userIpAddress);
//Only allowed if allowed and not denied
bool finallyAllowed = ipAllowed && !ipDenied;
return finallyAllowed;
}
catch (Exception e)
{
// Log the exception, probably something wrong with the configuration
}
return true; // if there was an exception, then we return true
}
/// <summary>
/// Checks the allowed IPs.
/// </summary>
/// <param name="userIpAddress">The user ip address.</param>
/// <returns></returns>
private bool CheckAllowedIPs(string userIpAddress)
{
// Populate the IPList with the Single IPs
if (!string.IsNullOrEmpty(AllowedSingleIPs))
{
SplitAndAddSingleIPs(AllowedSingleIPs, _allowedIpListToCheck);
}
// Populate the IPList with the Masked IPs
if (!string.IsNullOrEmpty(AllowedMaskedIPs))
{
SplitAndAddMaskedIPs(AllowedMaskedIPs, _allowedIpListToCheck);
}
// Check if there are more settings from the configuration (Web.config)
if (!string.IsNullOrEmpty(ConfigurationKeyAllowedSingleIPs))
{
string configurationAllowedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedSingleIPs];
if (!string.IsNullOrEmpty(configurationAllowedAdminSingleIPs))
{
SplitAndAddSingleIPs(configurationAllowedAdminSingleIPs, _allowedIpListToCheck);
}
}
if (!string.IsNullOrEmpty(ConfigurationKeyAllowedMaskedIPs))
{
string configurationAllowedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedMaskedIPs];
if (!string.IsNullOrEmpty(configurationAllowedAdminMaskedIPs))
{
SplitAndAddMaskedIPs(configurationAllowedAdminMaskedIPs, _allowedIpListToCheck);
}
}
return _allowedIpListToCheck.Count == 0 || _allowedIpListToCheck.CheckNumber(userIpAddress);
}
/// <summary>
/// Checks the denied IPs.
/// </summary>
/// <param name="userIpAddress">The user ip address.</param>
/// <returns></returns>
private bool CheckDeniedIPs(string userIpAddress)
{
// Populate the IPList with the Single IPs
if (!string.IsNullOrEmpty(DeniedSingleIPs))
{
SplitAndAddSingleIPs(DeniedSingleIPs, _deniedIpListToCheck);
}
// Populate the IPList with the Masked IPs
if (!string.IsNullOrEmpty(DeniedMaskedIPs))
{
SplitAndAddMaskedIPs(DeniedMaskedIPs, _deniedIpListToCheck);
}
// Check if there are more settings from the configuration (Web.config)
if (!string.IsNullOrEmpty(ConfigurationKeyDeniedSingleIPs))
{
string configurationDeniedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedSingleIPs];
if (!string.IsNullOrEmpty(configurationDeniedAdminSingleIPs))
{
SplitAndAddSingleIPs(configurationDeniedAdminSingleIPs, _deniedIpListToCheck);
}
}
if (!string.IsNullOrEmpty(ConfigurationKeyDeniedMaskedIPs))
{
string configurationDeniedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedMaskedIPs];
if (!string.IsNullOrEmpty(configurationDeniedAdminMaskedIPs))
{
SplitAndAddMaskedIPs(configurationDeniedAdminMaskedIPs, _deniedIpListToCheck);
}
}
return _deniedIpListToCheck.CheckNumber(userIpAddress);
}
/// <summary>
/// Splits the incoming ip string of the format "IP,IP" example "10.2.0.0,10.3.0.0" and adds the result to the IPList
/// </summary>
/// <param name="ips">The ips.</param>
/// <param name="list">The list.</param>
private void SplitAndAddSingleIPs(string ips, IpList list)
{
var splitSingleIPs = ips.Split(',');
foreach (string ip in splitSingleIPs)
list.Add(ip);
}
/// <summary>
/// Splits the incoming ip string of the format "IP;MASK,IP;MASK" example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" and adds the result to the IPList
/// </summary>
/// <param name="ips">The ips.</param>
/// <param name="list">The list.</param>
private void SplitAndAddMaskedIPs(string ips, IpList list)
{
var splitMaskedIPs = ips.Split(',');
foreach (string maskedIp in splitMaskedIPs)
{
var ipAndMask = maskedIp.Split(';');
list.Add(ipAndMask[0], ipAndMask[1]); // IP;MASK
}
}
public override void OnAuthorization(AuthorizationContext actionContext)
{
if (AuthorizeCore((HttpContextBase)actionContext.HttpContext))
return;
HandleUnauthorizedRequest(actionContext);
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
filterContext.Result = new HttpStatusCodeResult(403, "IP Access Denied");
}
}
根据osa在 github 上的建议,这是一个获取用户IP的扩展方法。
public static class HttpUtils {
public static string UserIp(this HttpRequestBase request)
{
var ip = request["HTTP_X_FORWARDED_FOR"];
if (!string.IsNullOrWhiteSpace(ip))
{
ip = ip.Split(',').Last().Trim();
}
if (string.IsNullOrWhiteSpace(ip))
{
ip = request.UserHostAddress;
}
return ip;
}
}
最后是IP列表修改(完整源代码在这里):
internal class IpArrayList
{
//[...]
public int Count
{
get { return _ipNumList.Count; }
}
}
public class IpList
{
//[...]
public int Count
{
get { return _usedList.Count; }
}
}
- bgx
网页内容由stack overflow 提供, 点击上面的可以查看英文原文,
原文链接
原文链接