In the pursuit of finding an answer to this question, I've been playing around with ways to filter requests based on the IP address. I have the following method:
@RequestMapping(value = "/payment", method = POST)
@PreAuthorize("hasIpAddress('XXX.XXX.X.XX')")
public String pay(PaymentDto paymentDto) {
    System.out.println("Payment received");
    return "OK";
}
However, at execution, this throws me an error of:
{"errorMessage":"Internal Server Error","errorId":"26b1a1ba-3ae8-4497-9f1c-7370ea5116ff","errorDetails":{"message":"Failed to evaluate expression 'hasIpAddress('XXX.XXX.X.XX')'","exception":"java.lang.IllegalArgumentException","errors":null}}
What is going on?
This is the Java error:
org.springframework.expression.spel.SpelEvaluationException: EL1004E:(pos 0): Method call: Method hasIpAddress(java.lang.String) cannot be found on org.springframework.security.access.expression.method.MethodSecurityExpressionRoot type
at org.springframework.expression.spel.ast.MethodReference.findAccessorForMethod(MethodReference.java:211) ~[spring-expression-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:125) ~[spring-expression-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:85) ~[spring-expression-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131) ~[spring-expression-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
The @PreAuthorize annotation checks the given expression before entering the method, whereas the @PostAuthorize annotation verifies it after the execution of the method and could alter the result.
The @PreAuthorize authorizes on the basis of the role or the argument which is passed to the method. The @PostAuthorize checks for authorisation after method execution. The @PostAuthorize authorizes on the basis of the logged-in user's roles, the object returned by the method and the arguments passed to the method.
Method-level security is implemented by placing the @PreAuthorize annotation on controller methods (actually one of a set of annotations available, but the most commonly used). This annotation contains a Spring Expression Language (SpEL) snippet that is assessed to determine if the request should be authenticated.
hasPermission() expressions are delegated to an instance of PermissionEvaluator. It is intended to bridge the expression system and Spring Security's ACL system, allowing you to specify authorization constraints on domain objects, based on abstract permissions.
Doc, hasIpAddress is a Web Security Expression and is not available for @PreAuthorize. You can use it like this
<http use-expressions="true">
<intercept-url pattern="/admin*"
access="hasRole('admin') and hasIpAddress('xxx.xx.xx.xxx')"/>
...
</http>
or
http
    .authorizeRequests()
        .antMatchers("/tokens").access("hasIpAddress('xxx.x.xx.xx')");
But not as
@PreAuthorize("hasIpAddress('XXX.XXX.X.XX')")
public String pay(PaymentDto paymentDto){
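To show the answer's point in a form that compiles, here is an added example (not code from the question or the answers) of a Spring Security 4.x Java configuration that restricts the question's `/payment` endpoint by source address and combines `hasRole` with `hasIpAddress` for an admin area. The class name, package, the `/admin/**` pattern and the two address constants are assumptions; the CIDR range and the TEST-NET-1 host address are constructed placeholders, and `hasIpAddress` accepts both a single address and CIDR notation.

```java
package com.example.demo.security; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class IpRestrictedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed placeholder values; replace with the networks you actually trust.
    private static final String OFFICE_NET = "10.0.0.0/8";      // CIDR range is accepted by hasIpAddress
    private static final String PAYMENT_GATEWAY = "192.0.2.10"; // single host (TEST-NET-1 example address)

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The endpoint from the question: hasIpAddress belongs here, in the web
                // security expression root, not in @PreAuthorize on the controller method.
                .antMatchers(HttpMethod.POST, "/payment")
                    .access("hasIpAddress('" + PAYMENT_GATEWAY + "')")
                // Same shape as the XML example in the answer: role AND source address.
                .antMatchers("/admin/**")
                    .access("hasRole('ADMIN') and hasIpAddress('" + OFFICE_NET + "')")
                // Everything else still requires an authenticated user.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

Two things to keep in mind when relying on this. `hasIpAddress` is evaluated against `HttpServletRequest.getRemoteAddr()`, so behind a reverse proxy or load balancer it sees the proxy's address, not the client's; if you resolve `X-Forwarded-For` (for example with Spring's `ForwardedHeaderFilter` or the container's equivalent) make sure only your own proxy can set that header, otherwise the check is trivially bypassed. And since `/payment` is a POST, Spring Security's default CSRF protection still applies on top of the address check.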