IP Restriction Implementation

General Concept

It may be desirable to restrict access to certain digital resources by using a range of IP addresses. This feature allows up to fifteen different ranges of IP addresses to be defined and blocked individually. For this application, an IP restriction range is defined as the collection of individual IP addresses or contiguous IP addresses which should be allowed access to the digital resource. Access from outside this IP range is denied unless the user has been granted access to the material through their login.

When a user performs a browse or search, some results may be currently inaccessible from their IP address. In those cases the restricted item is still included in their list of results (in the brief, table and thumbnail views), but a note is included that access to that item is restricted. If a user tries to view an item for which they are currently restricted, the restricted message appears in place of any downloads or page images. The message displayed can be customized for each IP restriction range by the system administrator.

The IP restriction range administration form allows a system administrator to manage the basic information about an IP restriction range and manage the list of IP addresses associated with the range. Adding an entirely new restriction range (or removing an existing range) can only be done directly in the database. If a new range must be added, please see your database administrator. A total of fifteen different ranges of IP addresses can be supported by this application (the sixteenth bit of the mask is reserved; see the Bit-wise Restriction Mask section below). For questions about the administration of this feature, view the related administration help page.

Database

As seen below, the database portion of this implementation is quite simple. One table contains the information about the different IP restriction ranges defined, and another table holds each individual IP address or contiguous block of IP addresses belonging to a range.
Each item has an IP Restriction Mask field which refers to the different IP restriction ranges. An entry of zero indicates there is no restriction. To restrict an item to one or more ranges, the bit corresponding to each of those ranges is set in the mask.
Web Application

Whenever the web application starts (or the application state is invalidated), the list of IP ranges and IP addresses is loaded into the IP_Restriction_Ranges class, which consists of a collection of IP_Restriction_Range objects, each holding a series of hashtables for quick IP address lookup. The purpose of both of these classes is to perform a quick lookup of any user's IP address against the IP restriction ranges. When a new session is established the first time a user connects to the application, this lookup is performed and the user's membership is stored in their session state on the web server as an additional bitwise mask. For any subsequent requests, this user/session mask is checked instead of repeating the lookup.

Bit-wise Restriction Mask

Both the user's current IP membership mask (which records which IP ranges the session belongs to) and the individual item mask are stored as two-byte integers in the database and the web application. The highest bit is reserved to indicate that an item is private and should only be accessed by internal users. Because of this, the mask system allows for fifteen distinct IP restriction ranges. Since the mask is stored in a signed two-byte integer, any private item will have a negative mask.
Access Validation ( Bit-wise AND )

Before displaying an item in a search/browse list or in the item viewer, a bitwise check is performed against the item's restriction mask and the user's restriction membership. If the item's restriction mask is greater than zero, a bitwise AND is performed to determine if the user has access. If the result of the bitwise AND is greater than zero, then the user's IP address belongs to at least one IP restriction range set for the individual item, and the item can be displayed without any special restriction notice.

For example, if an item belongs to IP restriction ranges one and three, the bitwise mask will be:

0000 0000 0000 0101

Likewise, if a user/session's IP address is a member of the second and third restriction ranges, the membership mask will be:

0000 0000 0000 0110

To determine if this user has access to this item, a bitwise AND is performed, giving:

0000 0000 0000 0100

Because the result of the bitwise AND is greater than zero (the third bit is set in both operands), this user can freely access this item. Any single shared range is enough; the user need not belong to every range set on the item.

Access Validation by User Group

In addition to validation by IP address, a user group can be granted access and tied to a restriction range. While not yet formalized in the database, this does exist in the web application. The only current group is the group of all UF-affiliated users, defined as users who have authenticated through Gatorlink previously and have a valid UFID. Any member of this group is granted access to items restricted to the first IP restriction range ("UF Campus IP Range").
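The following Python example, added here and not taken from the application itself (whose source is not shown on this page), ties together the Web Application, Bit-wise Restriction Mask, Access Validation and User Group sections above: a range lookup structure loaded once, a per-session membership mask with the UF-affiliated group folded in, the two-byte signed storage of the mask, and the bitwise AND check run on the page's worked example. The class and function names, the use of Python's ipaddress module, the numbering of range one as the lowest bit, the sample address blocks (constructed from documentation ranges), and the treatment of the private bit (internal users only, with any remaining range bits then checked as usual) are all assumptions made for the example.

```python
import ipaddress

MASK_BITS = 16                      # masks are two-byte integers
PRIVATE_BIT = 1 << (MASK_BITS - 1)  # highest bit: item is private (internal users only)
MAX_RANGES = MASK_BITS - 1          # leaves fifteen usable restriction ranges
UF_CAMPUS_RANGE = 1                 # range one is the "UF Campus IP Range"


def range_bit(range_number):
    """Mask bit for restriction range 1..15 (assumed: range one is the lowest bit)."""
    if not 1 <= range_number <= MAX_RANGES:
        raise ValueError("range number must be 1..%d" % MAX_RANGES)
    return 1 << (range_number - 1)


def to_int16(mask):
    """Reinterpret an unsigned 16-bit mask as the signed two-byte integer the
    database stores: a mask with the private bit set comes back negative."""
    mask &= 0xFFFF
    return mask - 0x10000 if mask & PRIVATE_BIT else mask


class IPRestrictionRanges:
    """Stand-in (assumed) for the page's IP_Restriction_Ranges: loaded once at
    application start, then queried when a session is established. Single
    addresses go in a hash lookup; contiguous blocks are kept as spans."""

    def __init__(self):
        self._singles = {}   # ipaddress object -> mask bits
        self._spans = []     # (start, end, bit) for contiguous blocks

    def add(self, range_number, start_ip, end_ip=None):
        bit = range_bit(range_number)
        start = ipaddress.ip_address(start_ip)
        end = ipaddress.ip_address(end_ip) if end_ip else start
        if end.version != start.version or end < start:
            raise ValueError("invalid address block %s-%s" % (start, end))
        if start == end:
            self._singles[start] = self._singles.get(start, 0) | bit
        else:
            self._spans.append((start, end, bit))

    def membership_mask(self, client_ip):
        """OR of the bits of every range whose address list contains client_ip."""
        ip = ipaddress.ip_address(client_ip)
        mask = self._singles.get(ip, 0)
        for start, end, bit in self._spans:
            if start.version == ip.version and start <= ip <= end:
                mask |= bit
        return mask


def session_mask(ranges, client_ip, uf_affiliated=False):
    """Computed once per new session and then kept in session state. Group
    membership is folded in here: UF-affiliated users receive the campus
    range bit no matter which address they connect from."""
    mask = ranges.membership_mask(client_ip)
    if uf_affiliated:
        mask |= range_bit(UF_CAMPUS_RANGE)
    return mask


def can_access(item_mask, user_mask, internal_user=False):
    """The bitwise check run before an item is listed or viewed."""
    item_mask = to_int16(item_mask)
    if item_mask < 0:
        # Private item (assumed handling): internal users only; the private
        # bit is then stripped and any remaining range bits checked as usual.
        if not internal_user:
            return False
        item_mask = item_mask & (PRIVATE_BIT - 1)
    if item_mask == 0:
        return True                          # unrestricted item
    return (item_mask & user_mask) != 0      # any one shared range is enough


def build_example_ranges():
    """Constructed sample data using documentation address blocks."""
    ranges = IPRestrictionRanges()
    ranges.add(1, "10.0.0.0", "10.0.255.255")   # range one: campus block
    ranges.add(2, "192.0.2.0", "192.0.2.255")   # range two: partner block
    ranges.add(3, "192.0.2.10")                 # range three: a single workstation
    return ranges


if __name__ == "__main__":
    ranges = build_example_ranges()
    item = range_bit(1) | range_bit(3)           # 0000 0000 0000 0101
    user = session_mask(ranges, "192.0.2.10")    # ranges two and three: 0000 0000 0000 0110
    print(format(item & user, "016b"), can_access(item, user))
    print(to_int16(PRIVATE_BIT), can_access(PRIVATE_BIT, user))
```

Running the module reproduces the page's worked example (the AND yields 0000 0000 0000 0100, so access is granted) and shows that a mask with the private bit set reads back as -32768 when treated as a signed two-byte integer, which is why a plain "mask greater than zero" test must be paired with an explicit check for the negative, private case.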