IntraWeb 16.0.1 introduced a new property in ServerController.SecurityOptions, named AccessListControl. See below:
The default value is alDisabled. Other possible values are alBlock and alGrant. This property controls how IntraWeb will filter incoming requests based on the IP address of the user. When alBlock is used, IntraWeb will block all incoming requests from users in its internal access control list. On the other hand, when alGrant is used, all incoming requests are blocked except the ones coming from known IP addressess containined in the access control list. This is a convenient and simple way to implement an allowlist/blocklist mechanism with very little coding.
This is how you can add IP addresses to the internal access list:
The unit is IWIpAccessTable, the class is TIWIpAccessTableBW and the class property Instance gives access to the global instance of that class. You can use the methods AddIp() and RemoveIp() to add or remove addresses to/from the list. You can use both IPv4 or IPv6.
Also notice that the TIWIpAccessTable class is based on a lock-free data structure and you can add and remove items to this list while the application executes, with no penalties and no need for any locking mechanism.
By default, the TIWIpAccessTableBW structure allocates 2k entries, so you can add up to 2048 elements to this list. If you need more, you can set the capacity during application startup, like this:
Whenever a request is denied (either coming from an IP in the list – when set to alBlock – of from an IP not in the list – when set to alGrant) the response will be a status message 403 – Forbidden.
This is an easy and simple way of dealing with IP address access control that can greatly simplify the development of secure web applications.
Enjoy!