IP Range Validation

Content Type: Module
Categories: Authentication

Overview

On top of the IP configuration in the cloud, this module lets you prevent user roles from logging in from outside certain IP ranges. This could allow your anonymous users to use the application via the internet, while requiring your employees to be in the office if they want to log in.

Documentation

Version 1.4 - IP Range validation

For each user role, configure the IP range from which it is allowed to log in to the application.

The module supports both IPv4 and IPv6, and you can specify the ranges from which certain user roles are allowed to log in.

Setup

Add the microflow 'ASU_StartIPCheck' or the Java Action 'ReplaceLoginAction' to your after startup event. This action will initialize the model and override the standard platform login action. During startup the action will validate the rules and make sure that you have a rule set up for each UserRole (with access from all IP ranges). If there are no rules specified for a UserRole, that role will not be allowed to sign in.

Also add the page 'IPRangeConfiguration_Overview' to your navigation (or your own alternative grid to edit the records).

Configuration

Each UserRole must be specified at least once in your configuration. This can be done either through a combination of rules or through a single rule that includes all your roles. Each rule can be set up for IPv4 or IPv6, and requires a range or a single IP address to allow access.

Behavior

When a user signs in using index.html or login.html, the platform executes the 'login' action, which has been overridden by the module. The actions and behavior of the module are the same as the platform's: it only allows unblocked, active users in, and multiple attempts with an incorrect password block the user, as in normal platform behavior.
After a valid user is found, the module looks up the IP rules that apply to all the user roles the user has. The module will provide access if any of the roles allows it.
Example:
A person tries to log in as a user with the roles Manager and Employee from IP address 192.168.1.12
Rule 1: Manager, IP range 192.168.1-10
Rule 2: Employee, IP range 192.168.11-20

Result: the user is allowed to sign in because Rule 2 allows him to access the application.
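
The rule evaluation described above, as an added Python example (not the module's own code): access is granted when any rule for one of the user's roles contains the client address, and a role without rules grants nothing. `IPRule`, `is_login_allowed` and `RULES` are hypothetical names, the sample ranges are constructed (reading the example's ranges as last octets 1-10 and 11-20), and the IPv4-mapped IPv6 handling is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPRule:  # hypothetical model of one configured rule
    roles: frozenset  # user roles the rule covers
    start: str        # first allowed address (IPv4 or IPv6)
    end: str = ""     # last allowed address; empty means a single address

    def matches(self, addr):
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end or self.start)
        # An IPv4 rule never matches an IPv6 client, and vice versa.
        if not (addr.version == lo.version == hi.version):
            return False
        return lo <= addr <= hi


def is_login_allowed(user_roles, client_ip, rules):
    """True when any rule covering one of the user's roles contains the IP.

    A role with no rule grants nothing, so a user whose roles have no
    rules at all is denied.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable client address: deny
    # Assumption (not stated on the page): treat ::ffff:a.b.c.d as IPv4,
    # since dual-stack listeners can report IPv4 clients in that form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    roles = set(user_roles)
    return any(bool(r.roles & roles) and r.matches(addr) for r in rules)


# Constructed sample rules; the IPv4 ranges assume the page's example
# means last octets 1-10 and 11-20.
RULES = [
    IPRule(frozenset({"Manager"}), "192.168.1.1", "192.168.1.10"),
    IPRule(frozenset({"Employee"}), "192.168.1.11", "192.168.1.20"),
    IPRule(frozenset({"Administrator"}), "2001:db8::1"),  # single address
]

if __name__ == "__main__":
    print(is_login_allowed({"Manager", "Employee"}, "192.168.1.12", RULES))
```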



Troubleshooting

The log includes Debug and Trace messages that show exactly which IP addresses are received and how the rules are being interpreted. If you are running outside the Mendix cloud, make sure you've set up IP forwarding; otherwise you might always receive the IP address of the firewall, load balancer or web server.

Releases

Version: 1.5.0
Framework Version: 9.0.5
Release Notes: Upgrade to 9.0.5

Version: 1.4.1
Framework Version: 8.16.0
Release Notes: Fix for IPv6 compatibility; upgrade to 8.16

Version: 1.4.0
Framework Version: 8.1.1
Release Notes: Bug fixes for checking matching rules; changed model to only allow single matched rule; improved debug logging; pre-generated rules for all matching roles; allowing single IP address; minor UI improvements

Version: 1.3.0
Framework Version: 8.1.1
Release Notes: Upgraded to version Mx8.1.1; compatible with latest Atlas UI layouts

Version: 1.2.0
Framework Version: 7.23.3
Release Notes: Upgraded to 7.23.3; updated the Atlas UI package to support the latest project layouts