Restringir el acceso a un controlador específico de la dirección IP en ASP.NET MVC Beta

tengo un proyecto ASP.NET MVC que contiene una clase AdminController y darme URLs como estas:Restringir el acceso a un controlador específico de la dirección IP en ASP.NET MVC Beta

http://example.com/admin/AddCustomer

http://examle.com/Admin/ListCustomers

quiero configurar el servidor/aplicación para que los URI que contiene /Administrador sólo son accesibles desde la red 192.168.0.0/24 (es decir, nuestra LAN)

Me gustaría restringir este controlador para que solo sea accesible desde ciertas direcciones IP.

En WebForms,/admin/era una carpeta física que podía restringir en IIS ... pero con MVC, por supuesto, no hay una carpeta física. ¿Esto se puede lograr usando web.config o atributos, o tengo que interceptar la solicitud HTTP para lograr esto?

Fuente

2009-01-23 Dylan Beattie

Una pregunta similar tuvo la respuesta que buscas. .. http://stackoverflow.com/a/6108168/80161 –

Sé que esta es una vieja pregunta, pero necesitaba tener esta funcionalidad hoy, así que la implementé y pensé en publicarla aquí.

Utilización de la clase IPList de aquí (http://www.codeproject.com/KB/IP/ipnumbers.aspx)

El filtro de atributo FilterIPAttribute.cs: uso

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.Http; 
using System.Security.Principal; 
using System.Configuration; 

namespace Miscellaneous.Attributes.Controller 
{ 

    /// <summary> 
    /// Filter by IP address 
    /// </summary> 
    public class FilterIPAttribute : AuthorizeAttribute 
    { 

     #region Allowed 
     /// <summary> 
     /// Comma seperated string of allowable IPs. Example "10.2.5.41,192.168.0.22" 
     /// </summary> 
     /// <value></value> 
     public string AllowedSingleIPs { get; set; } 

     /// <summary> 
     /// Comma seperated string of allowable IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" 
     /// </summary> 
     /// <value>The masked I ps.</value> 
     public string AllowedMaskedIPs { get; set; } 

     /// <summary> 
     /// Gets or sets the configuration key for allowed single IPs 
     /// </summary> 
     /// <value>The configuration key single I ps.</value> 
     public string ConfigurationKeyAllowedSingleIPs { get; set; } 

     /// <summary> 
     /// Gets or sets the configuration key allowed mmasked IPs 
     /// </summary> 
     /// <value>The configuration key masked I ps.</value> 
     public string ConfigurationKeyAllowedMaskedIPs { get; set; } 

     /// <summary> 
     /// List of allowed IPs 
     /// </summary> 
     IPList allowedIPListToCheck = new IPList(); 
     #endregion 

     #region Denied 
     /// <summary> 
     /// Comma seperated string of denied IPs. Example "10.2.5.41,192.168.0.22" 
     /// </summary> 
     /// <value></value> 
     public string DeniedSingleIPs { get; set; } 

     /// <summary> 
     /// Comma seperated string of denied IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" 
     /// </summary> 
     /// <value>The masked I ps.</value> 
     public string DeniedMaskedIPs { get; set; } 


     /// <summary> 
     /// Gets or sets the configuration key for denied single IPs 
     /// </summary> 
     /// <value>The configuration key single I ps.</value> 
     public string ConfigurationKeyDeniedSingleIPs { get; set; } 

     /// <summary> 
     /// Gets or sets the configuration key for denied masked IPs 
     /// </summary> 
     /// <value>The configuration key masked I ps.</value> 
     public string ConfigurationKeyDeniedMaskedIPs { get; set; } 

     /// <summary> 
     /// List of denied IPs 
     /// </summary> 
     IPList deniedIPListToCheck = new IPList(); 
     #endregion 


     /// <summary> 
     /// Determines whether access to the core framework is authorized. 
     /// </summary> 
     /// <param name="actionContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param> 
     /// <returns> 
     /// true if access is authorized; otherwise, false. 
     /// </returns> 
     /// <exception cref="T:System.ArgumentNullException">The <paramref name="httpContext"/> parameter is null.</exception> 
     protected override bool IsAuthorized(HttpActionContext actionContext) 
     { 
      if (actionContext == null) 
       throw new ArgumentNullException("actionContext"); 

      string userIpAddress = ((HttpContextWrapper)actionContext.Request.Properties["MS_HttpContext"]).Request.UserHostName; 

      try 
      { 
       // Check that the IP is allowed to access 
       bool ipAllowed = CheckAllowedIPs(userIpAddress); 

       // Check that the IP is not denied to access 
       bool ipDenied = CheckDeniedIPs(userIpAddress);  

       // Only allowed if allowed and not denied 
       bool finallyAllowed = ipAllowed && !ipDenied; 

       return finallyAllowed; 
      } 
      catch (Exception e) 
      { 
       // Log the exception, probably something wrong with the configuration 
      } 

      return true; // if there was an exception, then we return true 
     } 

     /// <summary> 
     /// Checks the allowed IPs. 
     /// </summary> 
     /// <param name="userIpAddress">The user ip address.</param> 
     /// <returns></returns> 
     private bool CheckAllowedIPs(string userIpAddress) 
     { 
      // Populate the IPList with the Single IPs 
      if (!string.IsNullOrEmpty(AllowedSingleIPs)) 
      { 
       SplitAndAddSingleIPs(AllowedSingleIPs, allowedIPListToCheck); 
      } 

      // Populate the IPList with the Masked IPs 
      if (!string.IsNullOrEmpty(AllowedMaskedIPs)) 
      { 
       SplitAndAddMaskedIPs(AllowedMaskedIPs, allowedIPListToCheck); 
      } 

      // Check if there are more settings from the configuration (Web.config) 
      if (!string.IsNullOrEmpty(ConfigurationKeyAllowedSingleIPs)) 
      { 
       string configurationAllowedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedSingleIPs]; 
       if (!string.IsNullOrEmpty(configurationAllowedAdminSingleIPs)) 
       { 
        SplitAndAddSingleIPs(configurationAllowedAdminSingleIPs, allowedIPListToCheck); 
       } 
      } 

      if (!string.IsNullOrEmpty(ConfigurationKeyAllowedMaskedIPs)) 
      { 
       string configurationAllowedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedMaskedIPs]; 
       if (!string.IsNullOrEmpty(configurationAllowedAdminMaskedIPs)) 
       { 
        SplitAndAddMaskedIPs(configurationAllowedAdminMaskedIPs, allowedIPListToCheck); 
       } 
      } 

      return allowedIPListToCheck.CheckNumber(userIpAddress); 
     } 

     /// <summary> 
     /// Checks the denied IPs. 
     /// </summary> 
     /// <param name="userIpAddress">The user ip address.</param> 
     /// <returns></returns> 
     private bool CheckDeniedIPs(string userIpAddress) 
     { 
      // Populate the IPList with the Single IPs 
      if (!string.IsNullOrEmpty(DeniedSingleIPs)) 
      { 
       SplitAndAddSingleIPs(DeniedSingleIPs, deniedIPListToCheck); 
      } 

      // Populate the IPList with the Masked IPs 
      if (!string.IsNullOrEmpty(DeniedMaskedIPs)) 
      { 
       SplitAndAddMaskedIPs(DeniedMaskedIPs, deniedIPListToCheck); 
      } 

      // Check if there are more settings from the configuration (Web.config) 
      if (!string.IsNullOrEmpty(ConfigurationKeyDeniedSingleIPs)) 
      { 
       string configurationDeniedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedSingleIPs]; 
       if (!string.IsNullOrEmpty(configurationDeniedAdminSingleIPs)) 
       { 
        SplitAndAddSingleIPs(configurationDeniedAdminSingleIPs, deniedIPListToCheck); 
       } 
      } 

      if (!string.IsNullOrEmpty(ConfigurationKeyDeniedMaskedIPs)) 
      { 
       string configurationDeniedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedMaskedIPs]; 
       if (!string.IsNullOrEmpty(configurationDeniedAdminMaskedIPs)) 
       { 
        SplitAndAddMaskedIPs(configurationDeniedAdminMaskedIPs, deniedIPListToCheck); 
       } 
      } 

      return deniedIPListToCheck.CheckNumber(userIpAddress); 
     } 

     /// <summary> 
     /// Splits the incoming ip string of the format "IP,IP" example "10.2.0.0,10.3.0.0" and adds the result to the IPList 
     /// </summary> 
     /// <param name="ips">The ips.</param> 
     /// <param name="list">The list.</param> 
     private void SplitAndAddSingleIPs(string ips,IPList list) 
     { 
      var splitSingleIPs = ips.Split(','); 
      foreach (string ip in splitSingleIPs) 
       list.Add(ip); 
     } 

     /// <summary> 
     /// Splits the incoming ip string of the format "IP;MASK,IP;MASK" example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" and adds the result to the IPList 
     /// </summary> 
     /// <param name="ips">The ips.</param> 
     /// <param name="list">The list.</param> 
     private void SplitAndAddMaskedIPs(string ips, IPList list) 
     { 
      var splitMaskedIPs = ips.Split(','); 
      foreach (string maskedIp in splitMaskedIPs) 
      { 
       var ipAndMask = maskedIp.Split(';'); 
       list.Add(ipAndMask[0], ipAndMask[1]); // IP;MASK 
      } 
     } 

     public override void OnAuthorization(AuthorizationContext filterContext) 
     { 
      base.OnAuthorization(filterContext); 
     } 
    } 
}

Ejemplo:

1. Directamente especificando los IPs en el código

[FilterIP(
     AllowedSingleIPs="10.2.5.55,192.168.2.2", 
     AllowedMaskedIPs="10.2.0.0;255.255.0.0,192.168.2.0;255.255.255.0" 
    )] 
    public class HomeController { 
     // Some code here 
    }

2. O, Carga de la configuración desde el Web.config

[FilterIP(
     ConfigurationKeyAllowedSingleIPs="AllowedAdminSingleIPs", 
     ConfigurationKeyAllowedMaskedIPs="AllowedAdminMaskedIPs", 
     ConfigurationKeyDeniedSingleIPs="DeniedAdminSingleIPs", 
     ConfigurationKeyDeniedMaskedIPs="DeniedAdminMaskedIPs" 
    )] 
    public class HomeController { 
     // Some code here 
    } 


<configuration> 
<appSettings> 
    <add key="AllowedAdminSingleIPs" value="localhost,127.0.0.1"/> <!-- Example "10.2.80.21,192.168.2.2" --> 
    <add key="AllowedAdminMaskedIPs" value="10.2.0.0;255.255.0.0"/> <!-- Example "10.2.0.0;255.255.0.0,192.168.2.0;255.255.255.0" --> 
    <add key="DeniedAdminSingleIPs" value=""/> <!-- Example "10.2.80.21,192.168.2.2" --> 
    <add key="DeniedAdminMaskedIPs" value=""/> <!-- Example "10.2.0.0;255.255.0.0,192.168.2.0;255.255.255.0" --> 
</appSettings> 
</configuration>

Fuente

2011-01-05 14:22:22 sabbour

+10

Brillantes aplausos. También he portado su API web ASP.NET aquí: https://gist.github.com/2028849. (IIS alojado solo porque todavía requiere HttpContext.Current. No estoy seguro de cómo obtener la IP del cliente de origen de HttpRequestMessage.) –

Esto no parece funcionar con las direcciones IPv6, lo cual es un problema porque en muchas configuraciones la dirección IP de localhost vuelve como :: 1 –

Sé que esto es antiguo, pero ¿tengo que agregar algo en alguna parte para que esto funcione ?, agrego la anotación a los controladores que quiero bajo protección de IP, como en el uso de ejemplo, y no hace nada. Cualquier IP aún puede ejecutar los métodos –

Debe tener acceso al UserHostAddress en el objeto Solicitud en su controlador para hacer la restricción. Sugiero que desee extender el AuthorizeAttribute y agregar sus restricciones de dirección IP en él para que simplemente pueda decorar cualquier método o controlador que necesite esta protección.

Fuente

2009-01-23 17:05:17 tvanfosson

Aquí hay una práctica clase IP que puede ayudar con el filtrado: http://www.codeproject.com/KB/IP/ipnumbers.aspx –

@tvanfosson Cuán seguro ¿esto es restringir por IP? Lo que me gustaría saber es si es fácil para alguien burlar una IP para eludir esta característica de seguridad. – Despertar

@Despertar Dado que la respuesta se enviará de vuelta a la dirección IP desde la que se realiza la solicitud, si la máquina que posee la dirección IP está bajo su control y segura, entonces creo que funciona bastante bien. Probablemente sea aún más seguro cuando se usa junto con direcciones locales (no enrutables). Sería menos probable que use esto para asegurar el acceso a datos confidenciales a un sistema fuera de mi control. En esos casos, probablemente lo use junto con un nombre de usuario/contraseña o una clave API, según corresponda. – tvanfosson

necesitaba una solución para este problema en MVC4 que pudiera manejar IPv6 y rangos de IP. Además, necesitaba usar listas blancas y negras para la autorización, pero también usé un proceso de autorización regular cuando el IP no era ninguno de los dos.

Esta es la solución que encontré después de tomar mucho de @sabbour y @Richard Szalay (How to check a input IP fall in a specific IP range) publicaciones increíbles, así que lo vuelvo a publicar aquí para quien pueda ayudar.

public class MagniAuthorizeAttribute : FilterAttribute, IAuthorizationFilter 
{ 

    #region Allowed 

    public bool IsPublic { get; set; } 
    /// <summary> 
    /// Comma seperated string of allowable IPs. Example "10.2.5.41,192.168.0.22" 
    /// </summary> 
    /// <value></value>   
    public string AllowedSingleIPs { get; set; } 

    /// <summary> 
    /// Comma seperated string of allowable IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" 
    /// </summary> 
    /// <value>The masked I ps.</value> 
    public string AllowedIPRanges { get; set; } 

    /// <summary> 
    /// Gets or sets the configuration key for allowed single IPs 
    /// </summary> 
    /// <value>The configuration key single I ps.</value> 
    public string ConfigurationKeyAllowedSingleIPs { get; set; } 

    /// <summary> 
    /// Gets or sets the configuration key allowed mmasked IPs 
    /// </summary> 
    /// <value>The configuration key masked I ps.</value> 
    public string ConfigurationKeyAllowedMaskedIPs { get; set; } 

    #endregion 

    #region Denied 
    /// <summary> 
    /// Comma seperated string of denied IPs. Example "10.2.5.41,192.168.0.22" 
    /// </summary> 
    /// <value></value> 
    public string DeniedSingleIPs { get; set; } 

    /// <summary> 
    /// Comma seperated string of denied IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" 
    /// </summary> 
    /// <value>The masked I ps.</value> 
    public string DeniedIPRanges { get; set; } 


    /// <summary> 
    /// Gets or sets the configuration key for denied single IPs 
    /// </summary> 
    /// <value>The configuration key single I ps.</value> 
    public string ConfigurationKeyDeniedSingleIPs { get; set; } 

    /// <summary> 
    /// Gets or sets the configuration key for denied masked IPs 
    /// </summary> 
    /// <value>The configuration key masked I ps.</value> 
    public string ConfigurationKeyDeniedMaskedIPs { get; set; } 

    #endregion 


    /// <summary> 
    /// Checks the allowed IPs. 
    /// </summary> 
    /// <param name="userIpAddress">The user ip address.</param> 
    /// <returns></returns> 
    private bool CheckAllowedIPs(IPAddress userIpAddress) 
    { 
     List<IPAddress> allowedIPsToCheck = new List<IPAddress>(); 
     List<IPAddressRange> allowedIPRangesToCheck = new List<IPAddressRange>(); 

     // Populate the IPList with the Single IPs 
     if (!string.IsNullOrEmpty(AllowedSingleIPs)) 
     { 
      SplitAndAddSingleIPs(AllowedSingleIPs, allowedIPsToCheck); 
     } 

     // Populate the IPList with the Masked IPs 
     if (!string.IsNullOrEmpty(AllowedIPRanges)) 
     { 
      SplitAndAddIPRanges(AllowedIPRanges, allowedIPRangesToCheck); 
     } 

     // Check if there are more settings from the configuration (Web.config) 
     if (!string.IsNullOrEmpty(ConfigurationKeyAllowedSingleIPs)) 
     { 
      string configurationAllowedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedSingleIPs]; 
      if (!string.IsNullOrEmpty(configurationAllowedAdminSingleIPs)) 
      { 
       SplitAndAddSingleIPs(configurationAllowedAdminSingleIPs, allowedIPsToCheck); 
      } 
     } 

     if (!string.IsNullOrEmpty(ConfigurationKeyAllowedMaskedIPs)) 
     { 
      string configurationAllowedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedMaskedIPs]; 
      if (!string.IsNullOrEmpty(configurationAllowedAdminMaskedIPs)) 
      { 
       SplitAndAddIPRanges(configurationAllowedAdminMaskedIPs, allowedIPRangesToCheck); 
      } 
     } 

     return allowedIPsToCheck.Any(a => a.Equals(userIpAddress)) || allowedIPRangesToCheck.Any(a => a.IsInRange(userIpAddress)); 
    } 

    /// <summary> 
    /// Checks the denied IPs. 
    /// </summary> 
    /// <param name="userIpAddress">The user ip address.</param> 
    /// <returns></returns> 
    private bool CheckDeniedIPs(IPAddress userIpAddress) 
    { 
     List<IPAddress> deniedIPsToCheck = new List<IPAddress>(); 
     List<IPAddressRange> deniedIPRangesToCheck = new List<IPAddressRange>(); 

     // Populate the IPList with the Single IPs 
     if (!string.IsNullOrEmpty(DeniedSingleIPs)) 
     { 
      SplitAndAddSingleIPs(DeniedSingleIPs, deniedIPsToCheck); 
     } 

     // Populate the IPList with the Masked IPs 
     if (!string.IsNullOrEmpty(DeniedIPRanges)) 
     { 
      SplitAndAddIPRanges(DeniedIPRanges, deniedIPRangesToCheck); 
     } 

     // Check if there are more settings from the configuration (Web.config) 
     if (!string.IsNullOrEmpty(ConfigurationKeyDeniedSingleIPs)) 
     { 
      string configurationDeniedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedSingleIPs]; 
      if (!string.IsNullOrEmpty(configurationDeniedAdminSingleIPs)) 
      { 
       SplitAndAddSingleIPs(configurationDeniedAdminSingleIPs, deniedIPsToCheck); 
      } 
     } 

     if (!string.IsNullOrEmpty(ConfigurationKeyDeniedMaskedIPs)) 
     { 
      string configurationDeniedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedMaskedIPs]; 
      if (!string.IsNullOrEmpty(configurationDeniedAdminMaskedIPs)) 
      { 
       SplitAndAddIPRanges(configurationDeniedAdminMaskedIPs, deniedIPRangesToCheck); 
      } 
     } 

     return deniedIPsToCheck.Any(a => a.Equals(userIpAddress)) || deniedIPRangesToCheck.Any(a => a.IsInRange(userIpAddress)); 
    } 

    /// <summary> 
    /// Splits the incoming ip string of the format "IP,IP" example "10.2.0.0,10.3.0.0" and adds the result to the IPAddress list 
    /// </summary> 
    /// <param name="ips">The ips.</param> 
    /// <param name="list">The list.</param> 
    private void SplitAndAddSingleIPs(string ips, List<IPAddress> list) 
    { 
     var splitSingleIPs = ips.Split(','); 
     IPAddress ip; 

     foreach (string ipString in splitSingleIPs) 
     { 
      if(IPAddress.TryParse(ipString, out ip)) 
       list.Add(ip); 
     } 
    } 

    /// <summary> 
    /// Splits the incoming ip ranges string of the format "IP-IP,IP-IP" example "10.2.0.0-10.2.255.255,10.3.0.0-10.3.255.255" and adds the result to the IPAddressRange list 
    /// </summary> 
    /// <param name="ips">The ips.</param> 
    /// <param name="list">The list.</param> 
    private void SplitAndAddIPRanges(string ips, List<IPAddressRange> list) 
    { 
     var splitMaskedIPs = ips.Split(','); 
     IPAddress lowerIp; 
     IPAddress upperIp; 
     foreach (string maskedIp in splitMaskedIPs) 
     { 
      var ipRange = maskedIp.Split('-'); 
      if (IPAddress.TryParse(ipRange[0], out lowerIp) && IPAddress.TryParse(ipRange[1], out upperIp)) 
       list.Add(new IPAddressRange(lowerIp, upperIp)); 
     } 
    } 

    protected void HandleUnauthorizedRequest(AuthorizationContext context) 
    { 
     context.Result = new RedirectToRouteResult(new RouteValueDictionary { { "Controller", "Home" }, 
                        { "Action", "Login" }, 
                        { "OriginalURL", context.HttpContext.Request.Url.AbsoluteUri } }); 
    } 

    protected bool AuthorizeCore(AuthorizationContext context) 
    { 
     try 
     { 
      string userIPString = context.HttpContext.Request.UserHostName; 
      IPAddress userIPAddress = IPAddress.Parse(userIPString); 

      // Check that the IP is allowed to access 
      bool? ipAllowed = CheckAllowedIPs(userIPAddress) ? true : (bool?)null; 

      // Check that the IP is not denied to access 
      ipAllowed = CheckDeniedIPs(userIPAddress) ? false : ipAllowed; 

      if (ipAllowed.HasValue) 
      { 
       return ipAllowed.Value; 
      } 

      var serverSession = context.HttpContext.Session; 

      UserSession session = null; 

      //usersession in server session 
      if (serverSession[Settings.HttpContextUserSession] != null) 
      { 
       session = (UserSession)serverSession[Settings.HttpContextUserSession]; 
       Trace.TraceInformation($"[{MethodBase.GetCurrentMethod().Name}] UserId:" + session.UserId + ". ClientId: " + session.ClientId); 
       return true; 
      } 

      //usersession in database from cookie 
      session = UserSession.GetSession(context.HttpContext.Request.Cookies.Get("sessionId").Value); 
      if (session != null) 
      { 
       Trace.TraceInformation($"[{MethodBase.GetCurrentMethod().Name}] Session found for cookie {context.HttpContext.Request.Cookies.Get("sessionId").Value}"); 
       serverSession[Settings.HttpContextUserSession] = session; 
       Trace.TraceInformation($"[{MethodBase.GetCurrentMethod().Name}] UserId:" + session.UserId + ". ClientId: " + session.ClientId); 

       return true; 
      } 
      else 
      { 
       Trace.TraceInformation($"[{MethodBase.GetCurrentMethod().Name}] No session found for cookie {serverSession["cookie"]}"); 
       return false; 
      } 

     } 
     catch (Exception ex) 
     { 
      Trace.TraceError($"[{MethodBase.GetCurrentMethod().Name}] exception: {ex.Message} - trace {ex.StackTrace}"); 
      return false; 
     } 
    } 

    public void OnAuthorization(AuthorizationContext actionContext) 
    { 
     if (IsPublic == false && AuthorizeCore(actionContext) == false) 
     { 
      HandleUnauthorizedRequest(actionContext); 
     } 
    } 
}

Fuente

2016-08-20 18:49:17

He encontrado la solución de Sabbour excelente, pero necesita hacer dos cambios para ser más útil para mis propósitos:

permitir el acceso si la lista está vacía permitido. De esta forma, puede permitir cualquier IP simplemente cambiando la configuración (p.para implementaciones de prueba) o permitir todas las direcciones IP, excepto las denegadas explícitamente. Para ello me ampliado IPList a incluir una propiedad Count y comprobar que funciona como parte de CheckAllowedIPs: HandleUnauthorizedRequest
```
return _allowedIpListToCheck.Count == 0 || _allowedIpListToCheck.CheckNumber(userIpAddress); 
```

Anular para volver siempre 403. El AuthorizeAtrribute devuelve 401 por defecto:

public override void OnAuthorization(AuthorizationContext actionContext) 
{ 
    if (AuthorizeCore((HttpContextBase)actionContext.HttpContext)) 
     return; 
    HandleUnauthorizedRequest(actionContext); 
} 

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) 
{ 
     filterContext.Result = new HttpStatusCodeResult(403, "IP Access Denied"); 
}

Aquí es la variación total de la clase FilterIpAttribute:

public class FilterIpAttribute:AuthorizeAttribute 
{ 

    #region Allowed 
    /// <summary> 
    /// Comma seperated string of allowable IPs. Example "10.2.5.41,192.168.0.22" 
    /// </summary> 
    /// <value></value> 
    public string AllowedSingleIPs { get; set; } 

    /// <summary> 
    /// Comma seperated string of allowable IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" 
    /// </summary> 
    /// <value>The masked I ps.</value> 
    public string AllowedMaskedIPs { get; set; } 

    /// <summary> 
    /// Gets or sets the configuration key for allowed single IPs 
    /// </summary> 
    /// <value>The configuration key single I ps.</value> 
    public string ConfigurationKeyAllowedSingleIPs { get; set; } 

    /// <summary> 
    /// Gets or sets the configuration key allowed mmasked IPs 
    /// </summary> 
    /// <value>The configuration key masked I ps.</value> 
    public string ConfigurationKeyAllowedMaskedIPs { get; set; } 

    /// <summary> 
    /// List of allowed IPs 
    /// </summary> 
    readonly IpList _allowedIpListToCheck = new IpList(); 
    #endregion 

    #region Denied 
    /// <summary> 
    /// Comma seperated string of denied IPs. Example "10.2.5.41,192.168.0.22" 
    /// </summary> 
    /// <value></value> 
    public string DeniedSingleIPs { get; set; } 

    /// <summary> 
    /// Comma seperated string of denied IPs with masks. Example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" 
    /// </summary> 
    /// <value>The masked I ps.</value> 
    public string DeniedMaskedIPs { get; set; } 


    /// <summary> 
    /// Gets or sets the configuration key for denied single IPs 
    /// </summary> 
    /// <value>The configuration key single I ps.</value> 
    public string ConfigurationKeyDeniedSingleIPs { get; set; } 

    /// <summary> 
    /// Gets or sets the configuration key for denied masked IPs 
    /// </summary> 
    /// <value>The configuration key masked I ps.</value> 
    public string ConfigurationKeyDeniedMaskedIPs { get; set; } 

    /// <summary> 
    /// List of denied IPs 
    /// </summary> 
    readonly IpList _deniedIpListToCheck = new IpList(); 
    #endregion 

    protected override bool AuthorizeCore(HttpContextBase httpContext) 
    { 
     if (httpContext == null) 
      throw new ArgumentNullException("httpContext"); 

     string userIpAddress = httpContext.Request.UserIp(); 

     try 
     { 
      // Check that the IP is allowed to access 
      bool ipAllowed = CheckAllowedIPs(userIpAddress); 

      // Check that the IP is not denied to access 
      bool ipDenied = CheckDeniedIPs(userIpAddress); 

      //Only allowed if allowed and not denied 

      bool finallyAllowed = ipAllowed && !ipDenied; 


      return finallyAllowed; 
     } 
     catch (Exception e) 
     { 
      // Log the exception, probably something wrong with the configuration 
     } 

     return true; // if there was an exception, then we return true 
    } 

    /// <summary> 
    /// Checks the allowed IPs. 
    /// </summary> 
    /// <param name="userIpAddress">The user ip address.</param> 
    /// <returns></returns> 
    private bool CheckAllowedIPs(string userIpAddress) 
    { 
     // Populate the IPList with the Single IPs 
     if (!string.IsNullOrEmpty(AllowedSingleIPs)) 
     { 
      SplitAndAddSingleIPs(AllowedSingleIPs, _allowedIpListToCheck); 
     } 

     // Populate the IPList with the Masked IPs 
     if (!string.IsNullOrEmpty(AllowedMaskedIPs)) 
     { 
      SplitAndAddMaskedIPs(AllowedMaskedIPs, _allowedIpListToCheck); 
     } 

     // Check if there are more settings from the configuration (Web.config) 
     if (!string.IsNullOrEmpty(ConfigurationKeyAllowedSingleIPs)) 
     { 
      string configurationAllowedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedSingleIPs]; 
      if (!string.IsNullOrEmpty(configurationAllowedAdminSingleIPs)) 
      { 
       SplitAndAddSingleIPs(configurationAllowedAdminSingleIPs, _allowedIpListToCheck); 
      } 
     } 

     if (!string.IsNullOrEmpty(ConfigurationKeyAllowedMaskedIPs)) 
     { 
      string configurationAllowedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyAllowedMaskedIPs]; 
      if (!string.IsNullOrEmpty(configurationAllowedAdminMaskedIPs)) 
      { 
       SplitAndAddMaskedIPs(configurationAllowedAdminMaskedIPs, _allowedIpListToCheck); 
      } 
     } 

     return _allowedIpListToCheck.Count == 0 || _allowedIpListToCheck.CheckNumber(userIpAddress); 
    } 

    /// <summary> 
    /// Checks the denied IPs. 
    /// </summary> 
    /// <param name="userIpAddress">The user ip address.</param> 
    /// <returns></returns> 
    private bool CheckDeniedIPs(string userIpAddress) 
    { 
     // Populate the IPList with the Single IPs 
     if (!string.IsNullOrEmpty(DeniedSingleIPs)) 
     { 
      SplitAndAddSingleIPs(DeniedSingleIPs, _deniedIpListToCheck); 
     } 

     // Populate the IPList with the Masked IPs 
     if (!string.IsNullOrEmpty(DeniedMaskedIPs)) 
     { 
      SplitAndAddMaskedIPs(DeniedMaskedIPs, _deniedIpListToCheck); 
     } 

     // Check if there are more settings from the configuration (Web.config) 
     if (!string.IsNullOrEmpty(ConfigurationKeyDeniedSingleIPs)) 
     { 
      string configurationDeniedAdminSingleIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedSingleIPs]; 
      if (!string.IsNullOrEmpty(configurationDeniedAdminSingleIPs)) 
      { 
       SplitAndAddSingleIPs(configurationDeniedAdminSingleIPs, _deniedIpListToCheck); 
      } 
     } 

     if (!string.IsNullOrEmpty(ConfigurationKeyDeniedMaskedIPs)) 
     { 
      string configurationDeniedAdminMaskedIPs = ConfigurationManager.AppSettings[ConfigurationKeyDeniedMaskedIPs]; 
      if (!string.IsNullOrEmpty(configurationDeniedAdminMaskedIPs)) 
      { 
       SplitAndAddMaskedIPs(configurationDeniedAdminMaskedIPs, _deniedIpListToCheck); 
      } 
     } 

     return _deniedIpListToCheck.CheckNumber(userIpAddress); 
    } 

    /// <summary> 
    /// Splits the incoming ip string of the format "IP,IP" example "10.2.0.0,10.3.0.0" and adds the result to the IPList 
    /// </summary> 
    /// <param name="ips">The ips.</param> 
    /// <param name="list">The list.</param> 
    private void SplitAndAddSingleIPs(string ips, IpList list) 
    { 
     var splitSingleIPs = ips.Split(','); 
     foreach (string ip in splitSingleIPs) 
      list.Add(ip); 
    } 

    /// <summary> 
    /// Splits the incoming ip string of the format "IP;MASK,IP;MASK" example "10.2.0.0;255.255.0.0,10.3.0.0;255.255.0.0" and adds the result to the IPList 
    /// </summary> 
    /// <param name="ips">The ips.</param> 
    /// <param name="list">The list.</param> 
    private void SplitAndAddMaskedIPs(string ips, IpList list) 
    { 
     var splitMaskedIPs = ips.Split(','); 
     foreach (string maskedIp in splitMaskedIPs) 
     { 
      var ipAndMask = maskedIp.Split(';'); 
      list.Add(ipAndMask[0], ipAndMask[1]); // IP;MASK 
     } 
    } 

    public override void OnAuthorization(AuthorizationContext actionContext) 
    { 
     if (AuthorizeCore((HttpContextBase)actionContext.HttpContext)) 
      return; 
     HandleUnauthorizedRequest(actionContext); 
    } 

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) 
    { 
      filterContext.Result = new HttpStatusCodeResult(403, "IP Access Denied"); 
    } 
}

un método de extensión para obtener la IP del usuario según lo sugerido por osa en github

public static class HttpUtils { 

    public static string UserIp(this HttpRequestBase request) 
    { 
     var ip = request["HTTP_X_FORWARDED_FOR"]; 

     if (!string.IsNullOrWhiteSpace(ip)) 
     { 
      ip = ip.Split(',').Last().Trim(); 
     } 

     if (string.IsNullOrWhiteSpace(ip)) 
     { 
      ip = request.UserHostAddress; 
     } 

     return ip; 
    } 
}

Y finalmente la modificación IPList (fuente completo es here):

internal class IpArrayList 
{ 
    //[...] 
    public int Count 
    { 
     get { return _ipNumList.Count; } 
    } 

} 

public class IpList 
{ 
     //[...] 
    public int Count 
    { 
     get { return _usedList.Count; } 
    } 
}

Fuente

2017-10-04 12:51:21 bgx

Restringir el acceso a un controlador específico de la dirección IP en ASP.NET MVC Beta

Respuesta

Cuestiones relacionadas