/
IPRangePredicate

IPRangePredicate

Owned by Scott Cantor
Last updated: Apr 04, 2025
1 min read

The org.opensaml.profile.logic.IPRangePredicate class in OpenSAML provides a simple condition you can create and use for performing checks between a client’s IP address and one more or CIDR network ranges supplied to test against.

Example

Given a script of some kind (an MFA rule in the example), you can inject the predicate to perform a test as part of some kind of business logic. The example demonstrates the common technique of using a map bean to allow both the condition and the actual servlet request to be accessed so that the client’s address can also be logged.

<util:map id="my.CustomObjects"> <entry key="condition"> <bean class="org.opensaml.profile.logic.IPRangePredicate" p:httpServletRequestSupplier-ref="shibboleth.HttpServletRequestSupplier" p:ranges="#{ {'10.0.0.0/8', '192.168.3.0/24', '192.168.18.0/24} }" /> </entry> <entry key="request" value-ref="shibboleth.HttpServletRequestSupplier" /> </util:map> <!-- Example script to see if second factor is required. Currently just returns the DuoOIDC flow --> <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript" p:customObject-ref="my.CustomObjects"> <constructor-arg> <value> <![CDATA[ // set logging logger = Java.type("org.slf4j.LoggerFactory").getLogger("org.example.mfa.script"); // default to secondfactor var nextFlow = "authn/SecondFactor"; // check if client is internal if (custom["condition"].test(input)) { logger.info("request excluded from MFA, address {} in internal IP range", custom["request"].get().getRemoteAddr()); nextFlow = null; } nextFlow; // pass control to second factor or end with the first ]]> </value> </constructor-arg> </bean>

 

Related content