GUACAMOLE-1809: Replace library used for IP address matching

Newer versions of Spring Security lack support of Java 8.
2025-09-09 22:51:22 +00:00 · 2023-06-11 13:31:52 +02:00
parent 846c507ba7
commit 0530450748
5 changed files with 487 additions and 13 deletions
--- a/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/RequestValidationService.java
+++ b/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/RequestValidationService.java
@@ -20,13 +20,13 @@
 package org.apache.guacamole.auth.json;

 import com.google.inject.Inject;
+import inet.ipaddr.IPAddressString;
 import java.util.ArrayList;
 import java.util.Collection;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.guacamole.GuacamoleException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.web.util.matcher.IpAddressMatcher;

 /**
 * Service for testing the validity of received HTTP requests.
@@ -45,6 +45,17 @@ public class RequestValidationService {
    @Inject
    private ConfigurationService confService;

+    /**
+     * Constructor that enables passing of an instance of
+     * ConfigurationService. (Only used for unit testing)
+     *
+     * @param confService
+     *     The (mock) instance of ConfigurationService
+     */
+    private RequestValidationService(ConfigurationService confService) {
+        this.confService = confService;
+    }
+
    /**
     * Returns whether the given request can be used for authentication, taking
     * into account restrictions specified within guacamole.properties.
@@ -77,16 +88,11 @@ public class RequestValidationService {
            return true;
        }

-        // Build matchers for each trusted network
-        Collection<IpAddressMatcher> matchers = new ArrayList<>(trustedNetworks.size());
-        for (String network : trustedNetworks)
-            matchers.add(new IpAddressMatcher(network));
-
-        // Otherwise ensure at least one subnet matches
-        for (IpAddressMatcher matcher : matchers) {
+        // Otherwise ensure that the remote address is part of a trusted network
+        for (String network : trustedNetworks) {

            // Request is allowed if any subnet matches
-            if (matcher.matches(request)) {
+            if (new IPAddressString(network).contains(new IPAddressString(request.getRemoteAddr()))) {
                logger.debug("Authentication request from \"{}\" is ALLOWED (matched subnet).", request.getRemoteAddr());
                return true;
            }