From 331654f294bdcce95bcc1962d64f27b16f968f4e Mon Sep 17 00:00:00 2001
From: Matthew Swift <matthew.swift@forgerock.com>
Date: Fri, 14 Oct 2011 08:52:01 +0000
Subject: [PATCH] OPENDJ-308: Implement access log filtering and configurable message format
---
opendj-sdk/opends/src/admin/messages/AccessLogFilteringCriteriaCfgDefn.properties | 35 +-----
opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/AccessLogFilteringCriteriaConfiguration.xml | 147 +++++++---------------------
opendj-sdk/opends/src/server/org/opends/server/loggers/AbstractTextAccessLogPublisher.java | 86 ++++++++++++----
opendj-sdk/opends/resource/schema/02-config.ldif | 16 +-
4 files changed, 117 insertions(+), 167 deletions(-)
diff --git a/opendj-sdk/opends/resource/schema/02-config.ldif b/opendj-sdk/opends/resource/schema/02-config.ldif
index 3f7a575..8c849b4 100644
--- a/opendj-sdk/opends/resource/schema/02-config.ldif
+++ b/opendj-sdk/opends/resource/schema/02-config.ldif
@@ -2677,19 +2677,19 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'OpenDJ Directory Server' )
attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.32
- NAME 'ds-cfg-client-address-equal-to'
+ NAME 'ds-cfg-connection-client-address-equal-to'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'OpenDJ Directory Server' )
attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.33
- NAME 'ds-cfg-client-address-not-equal-to'
+ NAME 'ds-cfg-connection-client-address-not-equal-to'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'OpenDJ Directory Server' )
attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.34
- NAME 'ds-cfg-client-protocol-equal-to'
+ NAME 'ds-cfg-connection-protocol-equal-to'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'OpenDJ Directory Server' )
attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.35
- NAME 'ds-cfg-client-port-equal-to'
+ NAME 'ds-cfg-connection-port-equal-to'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
X-ORIGIN 'OpenDJ Directory Server' )
attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.36
@@ -4541,10 +4541,10 @@
STRUCTURAL
MUST ( cn )
MAY ( ds-cfg-log-record-type $
- ds-cfg-client-address-equal-to $
- ds-cfg-client-address-not-equal-to $
- ds-cfg-client-protocol-equal-to $
- ds-cfg-client-port-equal-to $
+ ds-cfg-connection-client-address-equal-to $
+ ds-cfg-connection-client-address-not-equal-to $
+ ds-cfg-connection-protocol-equal-to $
+ ds-cfg-connection-port-equal-to $
ds-cfg-user-dn-equal-to $
ds-cfg-user-dn-not-equal-to $
ds-cfg-user-is-member-of $
diff --git a/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/AccessLogFilteringCriteriaConfiguration.xml b/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/AccessLogFilteringCriteriaConfiguration.xml
index 12a4239..340ab93 100644
--- a/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/AccessLogFilteringCriteriaConfiguration.xml
+++ b/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/AccessLogFilteringCriteriaConfiguration.xml
@@ -46,11 +46,7 @@
Filters log records based on their type.
</adm:synopsis>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- The log record type will be ignored during filtering.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:enumeration>
@@ -98,7 +94,7 @@
</ldap:attribute>
</adm:profile>
</adm:property>
- <adm:property name="client-address-equal-to" multi-valued="true">
+ <adm:property name="connection-client-address-equal-to" multi-valued="true">
<adm:synopsis>
Filters log records associated with connections which match at least one
of the specified client host names or address masks.
@@ -108,22 +104,18 @@
domain name, an IP address, or a subnetwork with subnetwork mask.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on client address equality.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:ip-address-mask />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
- <ldap:name>ds-cfg-client-address-equal-to</ldap:name>
+ <ldap:name>ds-cfg-connection-client-address-equal-to</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
- <adm:property name="client-address-not-equal-to" multi-valued="true">
+ <adm:property name="connection-client-address-not-equal-to" multi-valued="true">
<adm:synopsis>
Filters log records associated with connections which do not match any
of the specified client host names or address masks.
@@ -133,70 +125,59 @@
domain name, an IP address, or a subnetwork with subnetwork mask.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on client address inequality.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:ip-address-mask />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
- <ldap:name>ds-cfg-client-address-not-equal-to</ldap:name>
+ <ldap:name>ds-cfg-connection-client-address-not-equal-to</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
- <adm:property name="client-protocol-equal-to" multi-valued="true">
+ <adm:property name="connection-protocol-equal-to" multi-valued="true">
<adm:synopsis>
Filters log records associated with connections which match any
of the specified protocols.
</adm:synopsis>
+ <adm:description>
+ Typical values include "ldap", "ldaps", or "jmx".
+ </adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on the protocol.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
- <adm:enumeration>
- <adm:value name="ldap">
- <adm:synopsis>LDAP clients</adm:synopsis>
- </adm:value>
- <adm:value name="ldaps">
- <adm:synopsis>LDAPS clients</adm:synopsis>
- </adm:value>
- <adm:value name="jmx">
- <adm:synopsis>JMX clients</adm:synopsis>
- </adm:value>
- </adm:enumeration>
+ <adm:string>
+ <adm:pattern>
+ <adm:regex>[a-zA-Z0-9]+</adm:regex>
+ <adm:usage>NAME</adm:usage>
+ <adm:synopsis>
+ The protocol name as reported in the access log.
+ </adm:synopsis>
+ </adm:pattern>
+ </adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
- <ldap:name>ds-cfg-client-protocol-equal-to</ldap:name>
+ <ldap:name>ds-cfg-connection-protocol-equal-to</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
- <adm:property name="client-port-equal-to" multi-valued="true">
+ <adm:property name="connection-port-equal-to" multi-valued="true">
<adm:synopsis>
Filters log records associated with connections to any of the specified
listener port numbers.
</adm:synopsis>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on the port.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:integer lower-limit="1" upper-limit="65535" />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
- <ldap:name>ds-cfg-client-port-equal-to</ldap:name>
+ <ldap:name>ds-cfg-connection-port-equal-to</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
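Review bot: With `connection-protocol-equal-to` changed from an enumeration to a string matching `[a-zA-Z0-9]+`, a mistyped protocol name is now accepted at configuration time, where the removed enumeration would have rejected it. Going by the matching code in the Java part of this patch, such a name will simply never match any connection. For an access-log filter that is a quiet way to end up with records missing from the log, so the description should say more than the typical values, for example `Names are compared case-insensitively with the protocol reported by the connection; a name that no connection handler reports matches nothing.` It is also worth confirming that every handler's protocol name fits the pattern, since a name containing any other character could not be configured at all.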
@@ -213,11 +194,7 @@
uid=bj*,ou=people,dc=example,dc=com).
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on user DN equality.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:string />
@@ -241,11 +218,7 @@
uid=bj*,ou=people,dc=example,dc=com).
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on user DN inequality.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:string />
@@ -262,11 +235,7 @@
one of the specified groups.
</adm:synopsis>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on group membership.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:dn />
@@ -283,11 +252,7 @@
of the specified groups.
</adm:synopsis>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on group non-membership.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:dn />
@@ -311,11 +276,7 @@
uid=bj*,ou=people,dc=example,dc=com).
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on target DN equality.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:string />
@@ -339,11 +300,7 @@
uid=bj*,ou=people,dc=example,dc=com).
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on target DN inequality.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:string />
@@ -365,11 +322,7 @@
is only applied to response log messages.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on result code equality.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:integer />
@@ -391,11 +344,7 @@
is only applied to response log messages.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on result code inequality.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:integer />
@@ -417,11 +366,7 @@
is only applied to response log messages.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on the etime.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:integer>
@@ -445,11 +390,7 @@
is only applied to response log messages.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on the etime.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:integer>
@@ -473,11 +414,7 @@
is only applied to response log messages.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on the number of search results returned.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:integer>
@@ -501,11 +438,7 @@
is only applied to response log messages.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on the number of search results returned.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:integer>
@@ -529,11 +462,7 @@
is only applied to response log messages.
</adm:description>
<adm:default-behavior>
- <adm:alias>
- <adm:synopsis>
- Do not filter based on whether or not a search was indexed.
- </adm:synopsis>
- </adm:alias>
+ <adm:undefined/>
</adm:default-behavior>
<adm:syntax>
<adm:boolean/>
diff --git a/opendj-sdk/opends/src/admin/messages/AccessLogFilteringCriteriaCfgDefn.properties b/opendj-sdk/opends/src/admin/messages/AccessLogFilteringCriteriaCfgDefn.properties
index f1e22cd..4e5e311 100644
--- a/opendj-sdk/opends/src/admin/messages/AccessLogFilteringCriteriaCfgDefn.properties
+++ b/opendj-sdk/opends/src/admin/messages/AccessLogFilteringCriteriaCfgDefn.properties
@@ -1,21 +1,15 @@
user-friendly-name=Access Log Filtering Criteria
user-friendly-plural-name=Access Log Filtering Criteria
synopsis=A set of rules which together determine whether a log record should be logged or not.
-property.client-address-equal-to.synopsis=Filters log records associated with connections which match at least one of the specified client host names or address masks.
-property.client-address-equal-to.description=Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
-property.client-address-equal-to.default-behavior.alias.synopsis=Do not filter based on client address equality.
-property.client-address-not-equal-to.synopsis=Filters log records associated with connections which do not match any of the specified client host names or address masks.
-property.client-address-not-equal-to.description=Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
-property.client-address-not-equal-to.default-behavior.alias.synopsis=Do not filter based on client address inequality.
-property.client-port-equal-to.synopsis=Filters log records associated with connections to any of the specified listener port numbers.
-property.client-port-equal-to.default-behavior.alias.synopsis=Do not filter based on the port.
-property.client-protocol-equal-to.synopsis=Filters log records associated with connections which match any of the specified protocols.
-property.client-protocol-equal-to.default-behavior.alias.synopsis=Do not filter based on the protocol.
-property.client-protocol-equal-to.syntax.enumeration.value.jmx.synopsis=JMX clients
-property.client-protocol-equal-to.syntax.enumeration.value.ldap.synopsis=LDAP clients
-property.client-protocol-equal-to.syntax.enumeration.value.ldaps.synopsis=LDAPS clients
+property.connection-client-address-equal-to.synopsis=Filters log records associated with connections which match at least one of the specified client host names or address masks.
+property.connection-client-address-equal-to.description=Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+property.connection-client-address-not-equal-to.synopsis=Filters log records associated with connections which do not match any of the specified client host names or address masks.
+property.connection-client-address-not-equal-to.description=Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
+property.connection-port-equal-to.synopsis=Filters log records associated with connections to any of the specified listener port numbers.
+property.connection-protocol-equal-to.synopsis=Filters log records associated with connections which match any of the specified protocols.
+property.connection-protocol-equal-to.description=Typical values include "ldap", "ldaps", or "jmx".
+property.connection-protocol-equal-to.syntax.string.pattern.synopsis=The protocol name as reported in the access log.
property.log-record-type.synopsis=Filters log records based on their type.
-property.log-record-type.default-behavior.alias.synopsis=The log record type will be ignored during filtering.
property.log-record-type.syntax.enumeration.value.abandon.synopsis=Abandon operations
property.log-record-type.syntax.enumeration.value.add.synopsis=Add operations
property.log-record-type.syntax.enumeration.value.bind.synopsis=Bind operations
@@ -30,38 +24,25 @@
property.log-record-type.syntax.enumeration.value.unbind.synopsis=Unbind operations
property.request-target-dn-equal-to.synopsis=Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns.
property.request-target-dn-equal-to.description=Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
-property.request-target-dn-equal-to.default-behavior.alias.synopsis=Do not filter based on target DN equality.
property.request-target-dn-not-equal-to.synopsis=Filters operation log records associated with operations which target entries matching none of the specified DN patterns.
property.request-target-dn-not-equal-to.description=Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
-property.request-target-dn-not-equal-to.default-behavior.alias.synopsis=Do not filter based on target DN inequality.
property.response-etime-greater-than.synopsis=Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete.
property.response-etime-greater-than.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
-property.response-etime-greater-than.default-behavior.alias.synopsis=Do not filter based on the etime.
property.response-etime-less-than.synopsis=Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete.
property.response-etime-less-than.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
-property.response-etime-less-than.default-behavior.alias.synopsis=Do not filter based on the etime.
property.response-result-code-equal-to.synopsis=Filters operation response log records associated with operations which include any of the specified result codes.
property.response-result-code-equal-to.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
-property.response-result-code-equal-to.default-behavior.alias.synopsis=Do not filter based on result code equality.
property.response-result-code-not-equal-to.synopsis=Filters operation response log records associated with operations which do not include any of the specified result codes.
property.response-result-code-not-equal-to.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
-property.response-result-code-not-equal-to.default-behavior.alias.synopsis=Do not filter based on result code inequality.
property.search-response-is-indexed.synopsis=Filters search operation response log records associated with searches which were either indexed or unindexed.
property.search-response-is-indexed.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
-property.search-response-is-indexed.default-behavior.alias.synopsis=Do not filter based on whether or not a search was indexed.
property.search-response-nentries-greater-than.synopsis=Filters search operation response log records associated with searches which returned more than the specified number of entries.
property.search-response-nentries-greater-than.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
-property.search-response-nentries-greater-than.default-behavior.alias.synopsis=Do not filter based on the number of search results returned.
property.search-response-nentries-less-than.synopsis=Filters search operation response log records associated with searches which returned less than the specified number of entries.
property.search-response-nentries-less-than.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
-property.search-response-nentries-less-than.default-behavior.alias.synopsis=Do not filter based on the number of search results returned.
property.user-dn-equal-to.synopsis=Filters log records associated with users matching at least one of the specified DN patterns.
property.user-dn-equal-to.description=Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
-property.user-dn-equal-to.default-behavior.alias.synopsis=Do not filter based on user DN equality.
property.user-dn-not-equal-to.synopsis=Filters log records associated with users which do not match any of the specified DN patterns.
property.user-dn-not-equal-to.description=Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
-property.user-dn-not-equal-to.default-behavior.alias.synopsis=Do not filter based on user DN inequality.
property.user-is-member-of.synopsis=Filters log records associated with users which are members of at least one of the specified groups.
-property.user-is-member-of.default-behavior.alias.synopsis=Do not filter based on group membership.
property.user-is-not-member-of.synopsis=Filters log records associated with users which are not members of any of the specified groups.
-property.user-is-not-member-of.default-behavior.alias.synopsis=Do not filter based on group non-membership.
diff --git a/opendj-sdk/opends/src/server/org/opends/server/loggers/AbstractTextAccessLogPublisher.java b/opendj-sdk/opends/src/server/org/opends/server/loggers/AbstractTextAccessLogPublisher.java
index 07f528d..2bc2ec5 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/loggers/AbstractTextAccessLogPublisher.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/loggers/AbstractTextAccessLogPublisher.java
@@ -77,6 +77,8 @@
private final EnumSet<OperationType> logOperationRecords;
private final AddressMask[] clientAddressEqualTo;
private final AddressMask[] clientAddressNotEqualTo;
+ private final int[] clientPorts;
+ private final String[] clientProtocols;
private final PatternDN[] userDNEqualTo;
private final PatternDN[] userDNNotEqualTo;
private final PatternDN[] targetDNEqualTo;
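Review bot: The two new fields are named `clientPorts` and `clientProtocols`, but later in this patch they are compared with `connection.getServerPort()` and `connection.getProtocol()`, and the properties that feed them were renamed to `connection-port-equal-to` and `connection-protocol-equal-to`. Naming them `connectionPortEqualTo` and `connectionProtocolEqualTo` would match the configuration and the neighbouring `clientAddressEqualTo` fields. It would also keep a reader from taking `clientPorts` for the remote, client-side port when it holds listener ports. The class body continues outside this hunk.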
@@ -160,13 +162,32 @@
}
}
- clientAddressEqualTo = cfg.getClientAddressEqualTo().toArray(
+ // The list of ports is likely to be small and a simple array lookup will
+ // be more efficient, avoiding auto-boxing conversions as well.
+ clientPorts = new int[cfg.getConnectionPortEqualTo().size()];
+ int i = 0;
+ for (Integer port : cfg.getConnectionPortEqualTo())
+ {
+ clientPorts[i++] = port;
+ }
+
+ clientProtocols = new String[cfg.getConnectionProtocolEqualTo().size()];
+ i = 0;
+ for (String protocol : cfg.getConnectionProtocolEqualTo())
+ {
+ clientProtocols[i++] = toLowerCase(protocol);
+ }
+
+ clientAddressEqualTo = cfg.getConnectionClientAddressEqualTo().toArray(
new AddressMask[0]);
- clientAddressNotEqualTo = cfg.getClientAddressNotEqualTo().toArray(
- new AddressMask[0]);
+ clientAddressNotEqualTo = cfg.getConnectionClientAddressNotEqualTo()
+ .toArray(new AddressMask[0]);
+
+
+
userDNEqualTo = new PatternDN[cfg.getUserDNEqualTo().size()];
- int i = 0;
+ i = 0;
for (final String s : cfg.getUserDNEqualTo())
{
userDNEqualTo[i++] = PatternDN.decode(s);
@@ -307,6 +328,44 @@
private boolean filterClientConnection(final ClientConnection connection)
{
+ // Check protocol.
+ if (clientProtocols.length > 0)
+ {
+ boolean found = false;
+ final String protocol = toLowerCase(connection.getProtocol());
+ for (String p : clientProtocols)
+ {
+ if (protocol.equals(p))
+ {
+ found = true;
+ break;
+ }
+ }
+ if (!found)
+ {
+ return false;
+ }
+ }
+
+ // Check server port.
+ if (clientPorts.length > 0)
+ {
+ boolean found = false;
+ final int port = connection.getServerPort();
+ for (int p : clientPorts)
+ {
+ if (port == p)
+ {
+ found = true;
+ break;
+ }
+ }
+ if (!found)
+ {
+ return false;
+ }
+ }
+
// Check client address.
final InetAddress ipAddr = connection.getRemoteAddress();
if (clientAddressNotEqualTo.length > 0)
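Review bot: In the protocol check, `protocol.equals(p)` dereferences the value returned by `toLowerCase(connection.getProtocol())`, whereas the removed code passed that value to `contains(...)` without dereferencing it. If either `getProtocol()` or `toLowerCase` can yield null (neither is visible in this patch), the filter would now throw on the logging path instead of simply not matching. Writing the comparison as `if (p.equals(protocol))` keeps the old tolerance, on the assumption that the configured names stored in `clientProtocols` are non-null. filterClientConnection's body continues past the end of this hunk.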
@@ -324,25 +383,6 @@
}
}
- // Check server port.
- if (!cfg.getClientPortEqualTo().isEmpty())
- {
- if (!cfg.getClientPortEqualTo().contains(connection.getServerPort()))
- {
- return false;
- }
- }
-
- // Check protocol.
- if (!cfg.getClientProtocolEqualTo().isEmpty())
- {
- if (!cfg.getClientProtocolEqualTo().contains(
- toLowerCase(connection.getProtocol())))
- {
- return false;
- }
- }
-
return true;
}