Spring MVC - allowing requests from localhost only to specific controller

Question

I have a specific controller (among many other controllers). I would like to allow requests to this controller that are being invoked from localhost only. Whats the best way to do this?

here is the controller:

@Controller
public class LocalProvider {

@RequestMapping(value = "/someURL", method = RequestMethod.POST)
@ResponseBody
public responseDTO doSomethingForLocalRequest(@RequestBody ReqDTO reqDTO ) {

//do something
}

EDIT :

Succesffuly achieved that by adding the following to spring security.xml:

<intercept-url pattern="/someURL/*" access="hasIpAddress('127.0.0.1')" />

Answer 1

spring-security provides @PreAuthorize annotation that can be used on type or method so an alternative to <intercept-url> can be @PreAuthorize("hasIpAddress('127.0.0.1')")

Answer 2

I would create a custom annotation @LocalhostOnly and a MVC interceptor that would check if handler method is annotated with @LocalhostOnly and in that case check if remote ip address fetched from the HttpServletRequest.getRemoteAddr() is indeed localhost.

If you're using spring security then, as NimChimpsky suggested, it might be better plug in remote ip check into that. You could define a custom permission evaluator that checks remote ip address.

You could also use servlet filter and do the localhost check there for a specific URL (e.g. /someURL**).

Lastly, be aware that if you'll be running the application behind a reverse proxy at some point, all the requests will look like they arrived from localhost (that is, if reverse proxy is installed at the same host). In that case you'll need to pick up the ip address from X-Forwarded-For header.

EDIT

Spring security actually has ip checking expression hasIpAddress('127.0.0.1') so NimChimpsky's answer is probably the best way to go.