FtpServer / FTPSERVER-428

Allow positive ACL instead of just blacklists

    Details

      Description

      There are tons of situations where it is desirable to allow only specified source addresses (and ranges) rather than allowing all except for those specified (i.e. blacklisted). To require administrators to use a black list when the situation really demands a white list is to encourage security lapses.

        Activity

        Blaine Simpson created issue -
        Niklas Gustavsson added a comment -

        This is already supported using the <ipfilter type="allow">CIDR address ranges</ipfilter> element.

        Niklas Gustavsson made changes -
        Field Original Value New Value
        Status Open [ 1 ] Closed [ 6 ]
        Assignee Niklas Gustavsson [ niklas ]
        Resolution Invalid [ 6 ]
        Blaine Simpson added a comment -

        It is <ip-filter> not <ipfilter>. Wouldn't be a big deal if there were any documentation anywhere to look it up.
        Have to build JavaDocs on our own since the project doesn't post it, but still impossible to figure out element naming from that.
        Online configuration docs were very incomplete to begin with and are now obsolete too.

        New IP filtering implementation pretty amateur. Every access refusal results in an NPE at
        org.apache.ftpserver.impl.IODataConnectionFactory.<init>(IODataConnectionFactory.java:81)
        So instead of logging useful information about access violations, instead we get a code stack trace.

        Niklas Gustavsson added a comment -

        You might find the people are more willing to help you if you are nice and helpful towards them. For example, avoid using degrading words and offer ways (patches) to solve your problems rather than expecting someone else to do the work for you.

        Blaine Simpson added a comment -

        I know that. I realize that I am on my own here and provided the details and comments for the benefit of other prospective and current users, as I see I will receive no help here. I submitted two bugs and received two wrong answers. I have provided open source support for 20 years. The support here is not worth the cost-- free.

        Emmanuel Lecharny added a comment -

        Fine. Be on your own, and please stop bothering those who actually write the code.

        Or try to be smart, and provide patches. We value that, especially when it comes to improving the documentation.

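
The allow-list versus deny-list distinction from the issue description, as an added example that is not part of the original thread and is not Apache FtpServer code. The `IpFilter` class, the `compare` helper and the sample ranges (RFC 5737 documentation addresses) are constructed for illustration; each refusal is logged with the source address and rule type.

```python
import ipaddress
import logging

log = logging.getLogger("ipfilter-example")

class IpFilter:
    """Source-address filter; mode is 'allow' (allow list) or 'deny' (deny list)."""

    def __init__(self, mode, cidrs):
        if mode not in ("allow", "deny"):
            raise ValueError(f"unknown filter type: {mode!r}")
        self.mode = mode
        self.networks = [ipaddress.ip_network(c) for c in cidrs]

    def accepts(self, source):
        """Return True if a connection from `source` may proceed."""
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            log.warning("refused: unparseable source address %r", source)
            return False  # refuse in either mode
        # Treat an IPv4-mapped IPv6 peer (::ffff:a.b.c.d) as its IPv4 address.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        listed = any(addr.version == n.version and addr in n for n in self.networks)
        ok = listed if self.mode == "allow" else not listed
        if not ok:
            # Record who was refused and by which rule type, not a stack trace.
            log.warning("refused %s (filter type=%s)", addr, self.mode)
        return ok

# Constructed sample ranges (RFC 5737 documentation addresses).
ALLOW = IpFilter("allow", ["192.0.2.0/24"])      # only the known-good range
DENY = IpFilter("deny", ["198.51.100.0/24"])     # only the known-bad range

def compare(sources):
    """Map each source to (allow-list verdict, deny-list verdict)."""
    return {s: (ALLOW.accepts(s), DENY.accepts(s)) for s in sources}

if __name__ == "__main__":
    for src, (a, d) in compare(["192.0.2.10", "198.51.100.7",
                                "203.0.113.99", "::ffff:198.51.100.7"]).items():
        print(f"{src:22} allow-list={a!s:5} deny-list={d!s:5}")
```

The address in neither list (203.0.113.99) is the case the description is about: the deny list lets it through, the allow list refuses it.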

          People

          • Assignee:
            Niklas Gustavsson
            Reporter:
            Blaine Simpson