===== [V7] FAQ: How to setup IP filter to restrict access to AhsayCBS system and user web console? ===== Article ID: 5354
Reviewed: 2018-09-27

Product Version:
AhsayCBS: 7.3.0.0 to 7.x
OS: All platforms ATTENTION 1st January, 2022: v7 officially End-of-Life [details] ===== Description ===== This article contains instructions on how to set up IP filter to restrict access to your AhsayCBS system and user web console. ===== Contents ===== To setup an IP filter to restrict access to your AhsayCBS system and user web console, you can do so by logging into the AhsayCBS system web console:
  1. Select System Settings > Advanced > Runtime Options > IP Allowed


  2. Click on the existing IP Allowed range to edit the existing filter, or click Create to create a new IP Allowed range.

  3. Enter the From and To IP addresses, then click OK

  4. Click Save.
Once the IP filter is configured and saved, the following error will be displayed, when a system or backup user attempts to login to the AhsayCBS system or user web console from an IP address outside of the allowed range:



Note:
This will restrict access to both the AhsayCBS system and user web console.


To restrict access to the AhsayCBS system web console (to pages with URL containing */system) only:

  1. Browse to the following path on the AhsayCBS server:

    %CBS_Installation_Home%/webapps/cbs/WEB-INF

  2. Edit the web.xml file with a text editor.

    Important: Make a copy of the web.xml file as backup, before making any change to the web.xml file. Incorrectly editing the file may lead to server failure.

  3. Add your filter after the encodingFilter filter as shown below:

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                *** Add your filter here ***
                <filter>
                            <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  4. The following is a sample filter to allow only the host IP (e.g. localhost) to access all system page with url pattern */system, for example:

    System Settings > Basic
    https://backup_server/cbs/system/ShowConfiguration.do

    Monitoring > Dashboard
    https://backup_server/cbs/system/ShowSystem.do

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>SystemAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
                                        <param-name>Range1</param-name>
                                        <param-value>localhost</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>SystemAccess</filter-name>
                            <url-pattern>/system/*</url-pattern>
                </filter-mapping>
                <filter>
                             <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  5. You can setup multiple IP range, for example:

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>SystemAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
                                        <param-name>Range1</param-name>
                                        <param-value>localhost</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>Range2</param-name>
                                        <param-value>0.0.0.0-192.168.25.125</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>SystemAccess</filter-name>
                            <url-pattern>/system/*</url-pattern>
                </filter-mapping>
                <filter>
                             <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  6. Save the changes then restart the AhsayCBS service.
When a user attempts to access the AhsayCBS system web console, to any page with url pattern */system from an IP outside of the allowed range, the following error will be displayed:



Note:
This will only restrict access to the AhsayCBS system web console, to pages with URL containing */system. Access to other pages after login, such as Backup / Restore > Users, Groups & Policies will still be accessible.

This will not restrict access to the AhsayCBS user web console.


To restrict access to both the AhsayCBS system and user web console, including the login page (e.g. restrict all access, hiding the web console instead of displaying an error after a login attempt):

  1. Browse to the following path on the AhsayCBS server:

    %CBS_Installation_Home%/webapps/cbs/WEB-INF

  2. Edit the web.xml file with a text editor.

    Important: Make a copy of the web.xml file as backup, before making any change to the web.xml file. Incorrectly editing the file may lead to server failure.

  3. Add your filter after the encodingFilter filter as shown below:

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                *** Add your filter here ***
                <filter>
                            <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  4. The following is a sample filter to allow only the host IP (e.g. localhost) to access the system and user web console:

    web.xml
        …
        …
                <filter>
                            <filter-name>encodingFilter</filter-name>
                            <filter-class>com.ahsay.obs.www.EncodingFilter</filter-class>
                            <init-param>
                                        <param-name>encoding</param-name>
                                        <param-value>UTF8</param-value>
                            </init-param>
                            <init-param>
                                        <param-name>forceEncoding</param-name>
                                        <param-value>true</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>encodingFilter</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                <filter>
                            <filter-name>AllAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
                                        <param-name>Range1</param-name>
                                        <param-value>localhost</param-value>
                            </init-param>
                </filter>
                <filter-mapping>
                            <filter-name>AllAccess</filter-name>
                            <url-pattern>/*</url-pattern>
                </filter-mapping>
                <filter>
                             <filter-name>ApiAccess</filter-name>
                            <filter-class>com.ahsay.obs.www.IPFilter</filter-class>
                            <init-param>
  5. Save the changes then restart the AhsayCBS service.
When a user attempts to access the AhsayCBS system or user web console from an IP outside of the allowed range, the following error will be displayed:



Note:
This will only restrict access to the AhsayCBS system web console, to pages with URL containing */system. Access to other pages after login, such as Backup / Restore > Users, Groups & Policies will still be accessible.

This will restrict access to both the AhsayCBS system and user web console. ===== Keywords ===== ip, addy, address, ipaddress, filter, filtering, restrict, restriction, limit, limiting, console, access, accessing, obm, ahsayobm, acb, ahsayacb, ahsaycbs, cbs