OF-1007: Add blacklist support

This complements the existing whitelist with blacklist functionality for client-to-server connections.

OF-1007: Add blacklist support
This complements the existing whitelist with blacklist functionality for client-to-server connections.
16e84b64 · Guus der Kinderen · c8ab27b0 · 16e84b64 · 16e84b64 · 16e84b64
Commit 16e84b64 authored Dec 16, 2015 by Guus der Kinderen
16 changed files
--- a/src/i18n/openfire_i18n_cs_CZ.properties
+++ b/src/i18n/openfire_i18n_cs_CZ.properties
@@ -2444,6 +2444,13 @@ user.properties.isadmin=User has administrative privileges.
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_de.properties
+++ b/src/i18n/openfire_i18n_de.properties
@@ -2407,6 +2407,12 @@ user.properties.isadmin=User has administrative privileges.
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_en.properties
+++ b/src/i18n/openfire_i18n_en.properties
@@ -1399,9 +1399,15 @@ reg.settings.only_registered_login=Only registered users may login.
 reg.settings.allowed_ips=Restrict Login
 reg.settings.allowed_ips_info=Use the form below to define the IP addresses or IP address ranges \
        that are allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
-        that clients will be able to connect from any IP address.
+        that clients will be able to connect from any IP address (unless a blacklist is in place).
-reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
+reg.settings.ips_all=Restrict ALL (including anonymous) logins to these IP's:
-reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.ips_anonymous=Restrict anonymous logins to these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 # Server db Page

--- a/src/i18n/openfire_i18n_es.properties
+++ b/src/i18n/openfire_i18n_es.properties
@@ -2465,6 +2465,12 @@ user.properties.isadmin=El usuario tiene privilegios de administrador.
 reg.settings.ips_all=Restringir TODOS los ingresos de estas IPs:
 reg.settings.ips_anonymous=Restringir ingresos anonimos de estas IPs:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Aceptar certificados auto-firmados. Server dialback sobre TLS esta habilitado.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_fr.properties
+++ b/src/i18n/openfire_i18n_fr.properties
@@ -2020,6 +2020,12 @@ user.properties.isadmin=User has administrative privileges.
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_ja_JP.properties
+++ b/src/i18n/openfire_i18n_ja_JP.properties
@@ -2391,6 +2391,12 @@ user.properties.isadmin=User has administrative privileges.
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_nl.properties
+++ b/src/i18n/openfire_i18n_nl.properties
@@ -2409,6 +2409,12 @@ user.properties.isadmin=User has administrative privileges.
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_pl_PL.properties
+++ b/src/i18n/openfire_i18n_pl_PL.properties
@@ -2378,6 +2378,12 @@ user.properties.isadmin=User has administrative privileges.
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_pt_BR.properties
+++ b/src/i18n/openfire_i18n_pt_BR.properties
@@ -2411,6 +2411,12 @@ user.properties.isadmin=User has administrative privileges.
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_pt_PT.properties
+++ b/src/i18n/openfire_i18n_pt_PT.properties
@@ -1381,6 +1381,12 @@ reg.settings.allowed_ips_info=Utilize o formul\u00e1rio abaixo para definir ende
        que os clientes est\u00e3o habilitados a ligar com qualquer IP.
 reg.settings.ips_all=Restringir TODAS (incluindo as anonimas) tentativas de acesso destes IP's:
 reg.settings.ips_anonymous=Restringir tentativas de acesso anonimas destes IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 # Server db Page

--- a/src/i18n/openfire_i18n_ru_RU.properties
+++ b/src/i18n/openfire_i18n_ru_RU.properties
@@ -821,6 +821,12 @@ reg.settings.inband_account_info=\ \u0412\u043D\u0443\u0442\u0440\u0435\u043D\u0
 reg.settings.info=\u0418\u0441\u043F\u043E\u043B\u044C\u0437\u0443\u0439\u0442\u0435 \u0444\u043E\u0440\u043C\u044B \u043D\u0438\u0436\u0435, \u0447\u0442\u043E\u0431\u044B \u0438\u0437\u043C\u0435\u043D\u044F\u0442\u044C \u0440\u0430\u0437\u043B\u0438\u0447\u043D\u044B\u0435 \u0430\u0441\u043F\u0435\u043A\u0442\u044B \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438 \u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0435\u0439 \u0438 \u0432\u0445\u043E\u0434\u0430.
 reg.settings.ips_all=\u041E\u0433\u0440\u0430\u043D\u0438\u0447\u0438\u0442\u044C \u0434\u043E\u0441\u0442\u0443\u043F \u043A\u043E \u0432\u0441\u0435\u043C (\u0432 \u0442\u043E\u043C \u0447\u0438\u0441\u043B\u0435 \u0430\u043D\u043E\u043D\u0438\u043C\u043D\u044B\u043C) \u043B\u043E\u0433\u0438\u043D\u0430\u043C \u044D\u0442\u0438\u0445 IP's\:
 reg.settings.ips_anonymous=\u041E\u0433\u0440\u0430\u043D\u0438\u0447\u0438\u0442\u044C \u0430\u043D\u043E\u043D\u0438\u043C\u043D\u044B\u0435 \u043B\u043E\u0433\u0438\u043D\u044B \u044D\u0442\u0438\u0445 IP's\:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 reg.settings.not_auto_create=\u041F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0438 \u043D\u0435 \u043C\u043E\u0433\u0443\u0442 \u0430\u0432\u0442\u043E\u043C\u0430\u0442\u0438\u0447\u0435\u0441\u043A\u0438 \u0441\u043E\u0437\u0434\u0430\u0432\u0430\u0442\u044C \u043D\u043E\u0432\u044B\u0435 \u0443\u0447\u0435\u0442\u043D\u044B\u0435 \u0437\u0430\u043F\u0438\u0441\u0438.
 reg.settings.only_registered_login=\u0422\u043E\u043B\u044C\u043A\u043E \u0437\u0430\u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0438\u0440\u043E\u0432\u0430\u043D\u043D\u044B\u0435 \u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0438 \u043C\u043E\u0433\u0443\u0442 \u0432\u043E\u0439\u0442\u0438.
 reg.settings.title=\u041D\u0430\u0441\u0442\u0440\u043E\u0439\u043A\u0430 \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438

--- a/src/i18n/openfire_i18n_sk.properties
+++ b/src/i18n/openfire_i18n_sk.properties
@@ -2247,6 +2247,12 @@ security.audit.viewer.view_url=Nasledovn\u00fd URL odkazuje na prehliada\u010d z
 security.audit.viewer.view_url.url=URL
 reg.settings.ips_all=Obmedzi\u0165 V\u0160ETKY (vr\u00e1tane anonymn\u00fdch) prihl\u00e1sen\u00ed na tieto IP adresy:
 reg.settings.ips_anonymous=Obmedzi\u0165 anonymn\u00e9 prihl\u00e1senia na tieto IP adresy:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Akceptova\u0165 certifik\u00e1ty podp\u00edsan\u00e9 sebou sam\u00fd. Sp\u00e4tn\u00e9 volanie servera prostredn\u00edctvom TLS je teraz dostupn\u00e9.
 # Client Connections Settings page

--- a/src/i18n/openfire_i18n_zh_CN.properties
+++ b/src/i18n/openfire_i18n_zh_CN.properties
@@ -2303,6 +2303,12 @@ user.create.isadmin=\u662F\u5426\u4E3A\u7BA1\u7406\u5458?
 user.create.admin_info=\u6388\u4E88 Openfire \u7BA1\u7406\u6743\u9650
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 # Client Connections Settings page

--- a/src/java/org/jivesoftware/openfire/session/ConnectionSettings.java
+++ b/src/java/org/jivesoftware/openfire/session/ConnectionSettings.java
@@ -19,6 +19,7 @@ public final class ConnectionSettings {
        public static final String COMPRESSION_SETTINGS = "xmpp.client.compression.policy";
        public static final String LOGIN_ALLOWED = "xmpp.client.login.allowed";
+        public static final String LOGIN_BLOCKED = "xmpp.client.login.blocked";
        public static final String LOGIN_ANONYM_ALLOWED = "xmpp.client.login.allowedAnonym";
        public static final String MAX_THREADS = "xmpp.client.processing.threads";

--- a/src/java/org/jivesoftware/openfire/session/LocalClientSession.java
+++ b/src/java/org/jivesoftware/openfire/session/LocalClientSession.java
@@ -62,14 +62,21 @@ public class LocalClientSession extends LocalSession implements ClientSession {
    private static final String FLASH_NAMESPACE = "http://www.jabber.com/streams/flash";
    /**
-     * Keep the list of IP address that are allowed to connect to the server. If the list is
+     * Keep the list of IP address that are allowed to connect to the server.
-     * empty then anyone is allowed to connect to the server.<p>
     *
-     * Note: value = IP address or IP range
+     * If the list is  empty then anyone is allowed to connect to the server, unless the IP is on the blacklist (which
+     * always takes precedence over the whitelist).
+     *
+     * Note: the values in this list can be hostnames, IP addresses or IP ranges (with wildcards).
     */
    private static Set<String> allowedIPs = new HashSet<>();
    private static Set<String> allowedAnonymIPs = new HashSet<>();
+    /**
+     * Similar to {@link #allowedIPs}, but used for blacklisting rather than whitelisting.
+     */
+    private static Set<String> blockedIPs = new HashSet<>();
    private boolean messageCarbonsEnabled;
    /**
@@ -125,6 +132,12 @@ public class LocalClientSession extends LocalSession implements ClientSession {
            String address = tokens.nextToken().trim();
            allowedAnonymIPs.add(address);
        }
+        String blocked = JiveGlobals.getProperty(ConnectionSettings.Client.LOGIN_BLOCKED, "");
+        tokens = new StringTokenizer(blocked, ", ");
+        while (tokens.hasMoreTokens()) {
+            String address = tokens.nextToken().trim();
+            blockedIPs.add( address );
+        }
    }
    /**
@@ -133,6 +146,8 @@ public class LocalClientSession extends LocalSession implements ClientSession {
     * subject to {@link #getAllowedAnonymIPs()}. This list is used for both anonymous and
     * non-anonymous users.
     *
+     * Note that the blacklist in {@link #getBlacklistedIPs()} should take precedence!
+     *
     * @return the list of IP address that are allowed to connect to the server.
     * @deprecated Use #getWhitelistedIPs instead.
     */
@@ -152,6 +167,8 @@ public class LocalClientSession extends LocalSession implements ClientSession {
     * allowed to connect to the server except for anonymous users that are subject to
     * {@link #getWhitelistedAnonymousIPs()}. This list is used for both anonymous and non-anonymous users.
     *
+     * Note that the blacklist in {@link #getBlacklistedIPs()} should take precedence!
+     *
     * @return the collection of IP address that are allowed to connect to the server. Never null, possibly empty.
     */
    public static Set<String> getWhitelistedIPs() { return allowedIPs; }
@@ -160,6 +177,8 @@ public class LocalClientSession extends LocalSession implements ClientSession {
     * Returns the list of IP address that are allowed to connect to the server for anonymous
     * users. If the list is empty then anonymous will be only restricted by {@link #getAllowedIPs()}.
     *
+     * Note that the blacklist in {@link #getBlacklistedIPs()} should take precedence!
+     *
     * @return the list of IP address that are allowed to connect to the server.
     * @deprecated Use #getWhitelistedAnonymousIPs instead.
     */
@@ -177,12 +196,23 @@ public class LocalClientSession extends LocalSession implements ClientSession {
     * Returns the list of IP address that are allowed to connect to the server for anonymous users. If the list is
     * empty then anonymous will be only restricted by {@link #getWhitelistedIPs()}.
     *
+     * Note that the blacklist in {@link #getBlacklistedIPs()} should take precedence!
+     *
     * @return the collection of IP address that are allowed to connect to the server. Never null, possibly empty.
     */
    public static Set<String> getWhitelistedAnonymousIPs() {
        return allowedAnonymIPs;
    }
+    /**
+     * Returns the list of IP address that are disallowed to connect to the server. If the list is empty then anyone is
+     * allowed to connect to the server, subject to whitelisting. This list is used for both anonymous and
+     * non-anonymous users.
+     *
+     * @return the collection of IP address that are not allowed to connect to the server. Never null, possibly empty.
+     */
+    public static Set<String> getBlacklistedIPs() { return blockedIPs; }
    /**
     * Returns a newly created session between the server and a client. The session will
     * be created and returned only if correct name/prefix (i.e. 'stream' or 'flash')
@@ -213,26 +243,23 @@ public class LocalClientSession extends LocalSession implements ClientSession {
                    "admin.error.bad-namespace"));
        }
-        if (!allowedIPs.isEmpty()) {
+        if (!isAllowed(connection))
+        {
+            // Client cannot connect from this IP address so end the stream and TCP connection.
            String hostAddress = "Unknown";
-            // The server is using a whitelist so check that the IP address of the client
-            // is authorized to connect to the server
            try {
-               hostAddress = connection.getHostAddress();
+                hostAddress = connection.getHostAddress();
            } catch (UnknownHostException e) {
                // Do nothing
            }
-            if (!isAllowed(connection)) {
-                // Client cannot connect from this IP address so end the stream and
+            Log.debug("LocalClientSession: Closed connection to client attempting to connect from: " + hostAddress);
-                // TCP connection
+            // Include the not-authorized error in the response
-                Log.debug("LocalClientSession: Closed connection to client attempting to connect from: " + hostAddress);
+            StreamError error = new StreamError(StreamError.Condition.not_authorized);
-                // Include the not-authorized error in the response
+            connection.deliverRawText(error.toXML());
-                StreamError error = new StreamError(StreamError.Condition.not_authorized);
+            // Close the underlying connection
-                connection.deliverRawText(error.toXML());
+            connection.close();
-                // Close the underlying connection
+            return null;
-                connection.close();
-                return null;
-            }
        }
        // Default language is English ("en").
@@ -358,37 +385,46 @@ public class LocalClientSession extends LocalSession implements ClientSession {
        return session;
    }
-    public static boolean isAllowed(Connection connection) {
+    public static boolean isAllowed( Connection connection )
-        if (!allowedIPs.isEmpty()) {
+    {
-            // The server is using a whitelist so check that the IP address of the client
+        try
-            // is authorized to connect to the server
+        {
-            boolean forbidAccess = false;
+            final String hostAddress = connection.getHostAddress();
-            try {
+            final byte[] address = connection.getAddress();
-                if (!allowedIPs.contains(connection.getHostAddress())) {
-                    forbidAccess = !isAddressInRange( connection.getAddress(), allowedIPs );
+            // Blacklist takes precedence over whitelist.
-                }
+            if ( blockedIPs.contains( hostAddress ) || isAddressInRange( address, blockedIPs ) ) {
-            } catch (UnknownHostException e) {
+                return false;
-                forbidAccess = true;
            }
-            return !forbidAccess;
+            // When there's a whitelist (not empty), you must be on it to be allowed.
+            return allowedIPs.isEmpty() || allowedIPs.contains( hostAddress ) || isAddressInRange( address, allowedIPs );
+        }
+        catch ( UnknownHostException e )
+        {
+            return false;
        }
-        return true;
    }
-    public static boolean isAllowedAnonymous(Connection connection) {
+    public static boolean isAllowedAnonymous( Connection connection )
-        if (!allowedAnonymIPs.isEmpty()) {
+    {
-            boolean forbidAccess = false;
+        try
-            try {
+        {
-                if (!allowedAnonymIPs.contains(connection.getHostAddress())) {
+            final String hostAddress = connection.getHostAddress();
-                    forbidAccess = !isAddressInRange( connection.getAddress(), allowedAnonymIPs );
+            final byte[] address = connection.getAddress();
-                }
-            }
+            // Blacklist takes precedence over whitelist.
-            catch (UnknownHostException e){
+            if ( blockedIPs.contains( hostAddress ) || isAddressInRange( address, blockedIPs ) ) {
-                forbidAccess = true;
+                return false;
            }
-            return !forbidAccess;
+            // When there's a whitelist (not empty), you must be on it to be allowed.
+            return allowedAnonymIPs.isEmpty() || allowedAnonymIPs.contains( hostAddress ) || isAddressInRange( address, allowedAnonymIPs );
+        }
+        catch ( UnknownHostException e )
+        {
+            return false;
        }
-        return true;
    }
    // TODO Add IPv6 support
@@ -415,10 +451,12 @@ public class LocalClientSession extends LocalSession implements ClientSession {
    }
    /**
-     * Sets the list of IP address that are allowed to connect to the server. If the list is empty then anyone is
+     * Sets the list of IP address that are allowed to connect to the server. If the list is empty then anyone not on
-     * allowed to connect to the server except for anonymous users that are subject to
+     * {@link #getBlacklistedIPs()} is  allowed to connect to the server except for anonymous users that are subject to
     * {@link #getWhitelistedAnonymousIPs()}. This list is used for both anonymous and non-anonymous users.
     *
+     * Note that blacklisting takes precedence over whitelisting: if an address is matched by both, access is denied.
+     *
     * @param allowed the list of IP address that are allowed to connect to the server. Can be empty, but not null.
     */
    public static void setWhitelistedIPs(Set<String> allowed) {
@@ -457,7 +495,7 @@ public class LocalClientSession extends LocalSession implements ClientSession {
    /**
     * Sets the list of IP address that are allowed to connect to the server for anonymous users. If the list is empty
-     * then anonymous will be only restricted by {@link #getWhitelistedIPs()}.
+     * then anonymous will be only restricted by {@link #getBlacklistedIPs()} and {@link #getWhitelistedIPs()}.
     *
     * @param allowed the list of IP address that are allowed to connect to the server. Can be empty, but not null.
     */
@@ -481,7 +519,34 @@ public class LocalClientSession extends LocalSession implements ClientSession {
            }
            JiveGlobals.setProperty(ConnectionSettings.Client.LOGIN_ANONYM_ALLOWED, buf.toString());
        }
+    }
+    /**
+     * Sets the list of IP address that are not allowed to connect to the server. This list is used for both anonymous
+     * and non-anonymous users, and always takes precedence over a whitelist.
+     *
+     * @param blocked the list of IP address that are not allowed to connect to the server. Can be empty, but not null.
+     */
+    public static void setBlacklistedIPs(Set<String> blocked) {
+        if (blocked == null) {
+            throw new NullPointerException();
+        }
+        blockedIPs = blocked;
+        if (blockedIPs.isEmpty()) {
+            JiveGlobals.deleteProperty(ConnectionSettings.Client.LOGIN_BLOCKED);
+        }
+        else {
+            // Iterate through the elements in the map.
+            StringBuilder buf = new StringBuilder();
+            Iterator<String> iter = blocked.iterator();
+            if (iter.hasNext()) {
+                buf.append(iter.next());
+            }
+            while (iter.hasNext()) {
+                buf.append(", ").append(iter.next());
+            }
+            JiveGlobals.setProperty(ConnectionSettings.Client.LOGIN_BLOCKED, buf.toString());
+        }
    }
    /**

--- a/src/web/reg-settings.jsp
+++ b/src/web/reg-settings.jsp
@@ -48,6 +48,7 @@
    boolean anonLogin = ParamUtils.getBooleanParameter(request, "anonLogin");
    String allowedIPs = request.getParameter("allowedIPs");
    String allowedAnonymIPs = request.getParameter("allowedAnonymIPs");
+    String blockedIPs = request.getParameter("blockedIPs");
    // Get an IQRegisterHandler:
    IQRegisterHandler regHandler = XMPPServer.getInstance().getIQRegisterHandler();
    IQAuthHandler authHandler = XMPPServer.getInstance().getIQAuthHandler();
@@ -66,7 +67,7 @@
        while (tokens.hasMoreTokens()) {
            String address = tokens.nextToken().trim();
            if (pattern.matcher(address).matches()) {
-                allowedSet.add(address);
+                allowedSet.add( address );
            }
        }
@@ -76,14 +77,24 @@
        while (tokens1.hasMoreTokens()) {
            String address = tokens1.nextToken().trim();
            if (pattern.matcher(address).matches()) {
-                allowedAnonymousSet.add(address);
+                allowedAnonymousSet.add( address );
+            }
+        }
+        Set<String> blockedSet = new HashSet<String>();
+        StringTokenizer tokens2 = new StringTokenizer(blockedIPs, ", ");
+        while (tokens2.hasMoreTokens()) {
+            String address = tokens2.nextToken().trim();
+            if (pattern.matcher(address).matches()) {
+                blockedSet.add( address );
            }
        }
        LocalClientSession.setWhitelistedIPs( allowedSet );
        LocalClientSession.setWhitelistedAnonymousIPs( allowedAnonymousSet );
+        LocalClientSession.setBlacklistedIPs( blockedSet );
        // Log the event
-        webManager.logEvent("edited registration settings", "inband enabled = "+inbandEnabled+"\ncan change password = "+canChangePassword+"\nanon login = "+anonLogin+"\nallowed ips = "+allowedIPs);
+        webManager.logEvent("edited registration settings", "inband enabled = "+inbandEnabled+"\ncan change password = "+canChangePassword+"\nanon login = "+anonLogin+"\nallowed ips = "+allowedIPs+"\nblocked ips = "+blockedIPs);
    }
    // Reset the value of page vars:
@@ -110,6 +121,17 @@
        buf1.append(", ").append(iter1.next());
    }
    allowedAnonymIPs = buf1.toString();
+    StringBuilder buf2 = new StringBuilder();
+    Iterator<String> iter2 = org.jivesoftware.openfire.session.LocalClientSession.getBlacklistedIPs().iterator();
+    if (iter2.hasNext()) {
+        buf2.append(iter2.next());
+    }
+    while (iter2.hasNext()) {
+        buf2.append(", ").append(iter2.next());
+    }
+    blockedIPs = buf2.toString();
 %>
 <p>
@@ -231,6 +253,20 @@
 	<br>
 	<h4><fmt:message key="reg.settings.allowed_ips" /></h4>
+    <p>
+        <fmt:message key="reg.settings.allowed_ips_blocked_info" />
+    </p>
+    <table cellpadding="3" cellspacing="0" border="0" width="100%">
+        <tbody>
+        <tr>
+            <td valign='top'><b><fmt:message key="reg.settings.ips_blocked" /></b></td>
+            <td>
+                <textarea name="blockedIPs" cols="40" rows="3" wrap="virtual"><%= ((blockedIPs != null) ? blockedIPs : "") %></textarea>
+            </td>
+        </tr>
+        </tbody>
+    </table>
 	<p>
    <fmt:message key="reg.settings.allowed_ips_info" />
    </p>