DataPower

For IP Whitelisting of specific IPs as we don't have IP range so that's why using Multi Protocol Gateway -> Processing Policy -> XSLT . Tried many ways of code but getting error of 500 so need some suggestions on this . Attaching the code and output screenshot.

XSLT code - 

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
    
    <!-- Template to match the root element of the incoming request -->
    <xsl:template match="/">
        
        <!-- Try to extract client-ip from headers or fallback to X-Forwarded-For if client-ip is missing -->
        <xsl:variable name="client-ip" select="//headers/header[@name='client-ip']"/>
        <xsl:variable name="x-forwarded-ip" select="//headers/header[@name='X-Forwarded-For']"/>
        
        <!-- Check if client-ip exists, if not use X-Forwarded-For -->
        <xsl:variable name="final-ip">
            <xsl:choose>
                <xsl:when test="$client-ip"> 
                    <xsl:value-of select="$client-ip"/>
                </xsl:when>
                <xsl:when test="$x-forwarded-ip">
                    <xsl:value-of select="$x-forwarded-ip"/>
                </xsl:when>
                <xsl:otherwise>
                    <xsl:text>No Client IP Found</xsl:text>
                </xsl:otherwise>
            </xsl:choose>
        </xsl:variable>
        
        <!-- Check if the final-ip is in the whitelist -->
        <xsl:choose>
            
            <!-- If client-ip matches the first whitelisted IP -->
            <xsl:when test="$final-ip = '192.168.1.100'">
                <response>
                    <xsl:text>Access Granted for IP: </xsl:text>
                    <xsl:value-of select="$final-ip"/>
                </response>
            </xsl:when>
            
            <!-- If client-ip matches the second whitelisted IP -->
            <xsl:when test="$final-ip = '203.0.113.10'">
                <response>
                    <xsl:text>Access Granted for IP: </xsl:text>
                    <xsl:value-of select="$final-ip"/>
                </response>
            </xsl:when>
            
            <!-- If client-ip does not match any whitelisted IP -->
            <xsl:otherwise>
                <response>
                    <xsl:text>Access Denied: IP </xsl:text>
                    <xsl:value-of select="$final-ip"/>
                    <xsl:text> is not authorized.</xsl:text>
                </response>
            </xsl:otherwise>
            
        </xsl:choose>
        
    </xsl:template>
    
</xsl:stylesheet>

Prashant,

First, I'd highly advise putting those IPs in an external document rather than hard-code each one, unless either you're just using the above as an example or you do, in fact, only have two or three IPs to test.

Have you tried using DataPower's "ip-addr-match()" function?  See https://www.ibm.com/docs/en/datapower-gateway/10.5.x?topic=functions-dpip-addr-match.  You can either use a single IP or a CIDR range on that.

------------------------------
Joseph Morgan
CEO - Independent
Dallas TX

Original Message:
Sent: Tue February 18, 2025 05:12 AM
From: Prashant Patel
Subject: IP Whitelisting in Datapower using XSLT via Processing Policy

For IP Whitelisting of specific IPs as we don't have IP range so that's why using Multi Protocol Gateway -> Processing Policy -> XSLT . Tried many ways of code but getting error of 500 so need some suggestions on this . Attaching the code and output screenshot.

XSLT code - 

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
    
    <!-- Template to match the root element of the incoming request -->
    <xsl:template match="/">
        
        <!-- Try to extract client-ip from headers or fallback to X-Forwarded-For if client-ip is missing -->
        <xsl:variable name="client-ip" select="//headers/header[@name='client-ip']"/>
        <xsl:variable name="x-forwarded-ip" select="//headers/header[@name='X-Forwarded-For']"/>
        
        <!-- Check if client-ip exists, if not use X-Forwarded-For -->
        <xsl:variable name="final-ip">
            <xsl:choose>
                <xsl:when test="$client-ip"> 
                    <xsl:value-of select="$client-ip"/>
                </xsl:when>
                <xsl:when test="$x-forwarded-ip">
                    <xsl:value-of select="$x-forwarded-ip"/>
                </xsl:when>
                <xsl:otherwise>
                    <xsl:text>No Client IP Found</xsl:text>
                </xsl:otherwise>
            </xsl:choose>
        </xsl:variable>
        
        <!-- Check if the final-ip is in the whitelist -->
        <xsl:choose>
            
            <!-- If client-ip matches the first whitelisted IP -->
            <xsl:when test="$final-ip = '192.168.1.100'">
                <response>
                    <xsl:text>Access Granted for IP: </xsl:text>
                    <xsl:value-of select="$final-ip"/>
                </response>
            </xsl:when>
            
            <!-- If client-ip matches the second whitelisted IP -->
            <xsl:when test="$final-ip = '203.0.113.10'">
                <response>
                    <xsl:text>Access Granted for IP: </xsl:text>
                    <xsl:value-of select="$final-ip"/>
                </response>
            </xsl:when>
            
            <!-- If client-ip does not match any whitelisted IP -->
            <xsl:otherwise>
                <response>
                    <xsl:text>Access Denied: IP </xsl:text>
                    <xsl:value-of select="$final-ip"/>
                    <xsl:text> is not authorized.</xsl:text>
                </response>
            </xsl:otherwise>
            
        </xsl:choose>
        
    </xsl:template>
    
</xsl:stylesheet>

------------------------------
Prashant Patel
------------------------------