
Spring MVC - allowing requests from localhost only to specific controller

I have a specific controller (among many other controllers). I would like to allow requests to this controller that are being invoked from localhost only. What's the best way to do this?

Here is the controller:

    @Controller
    public class LocalProvider {

        @RequestMapping(value = "/someURL", method = RequestMethod.POST)
        @ResponseBody
        public responseDTO doSomethingForLocalRequest(@RequestBody ReqDTO reqDTO) {
            // do something
        }
    }

EDIT:

Successfully achieved that by adding the following to spring security.xml:

<intercept-url pattern="/someURL/*" access="hasIpAddress('127.0.0.1')" />

Urbanleg asked Apr 23 '14 08:04



2 Answers

Spring Security provides the @PreAuthorize annotation, which can be used on a type or method, so an alternative to <intercept-url> can be @PreAuthorize("hasIpAddress('127.0.0.1')")

ezer answered Oct 27 '22 01:10


I would create a custom annotation @LocalhostOnly and an MVC interceptor that would check if the handler method is annotated with @LocalhostOnly and, in that case, check if the remote IP address fetched from HttpServletRequest.getRemoteAddr() is indeed localhost.

If you're using Spring Security then, as NimChimpsky suggested, it might be better to plug the remote IP check into that. You could define a custom permission evaluator that checks the remote IP address.

You could also use a servlet filter and do the localhost check there for a specific URL (e.g. /someURL**).

Lastly, be aware that if you'll be running the application behind a reverse proxy at some point, all the requests will look like they arrived from localhost (that is, if the reverse proxy is installed on the same host). In that case you'll need to pick up the IP address from the X-Forwarded-For header.

EDIT

Spring Security actually has an IP-checking expression, hasIpAddress('127.0.0.1'), so NimChimpsky's answer is probably the best way to go.

Krešimir Nesek answered Oct 26 '22 23:10
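
The interceptor approach from the answer above, including the reverse-proxy case, as an added example that is not part of the original question or answers. It assumes Spring 5 with javax.servlet (use jakarta.servlet on Spring 6); the `behindLocalProxy` flag, the `isLoopback` helper and the fail-closed handling of a missing header are choices of this example.

```java
import java.lang.annotation.*;
import java.net.InetAddress;
import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;

/** Marker annotation named in the answer; place it on handler methods. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface LocalhostOnly {}

public class LocalhostOnlyInterceptor implements HandlerInterceptor {
    // Assumption: true only when a reverse proxy on this same host fronts the
    // application and always appends the real client address to X-Forwarded-For.
    private final boolean behindLocalProxy;

    public LocalhostOnlyInterceptor(boolean behindLocalProxy) { this.behindLocalProxy = behindLocalProxy; }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        if (!(handler instanceof HandlerMethod)
                || !((HandlerMethod) handler).hasMethodAnnotation(LocalhostOnly.class)) {
            return true; // handler is not marked @LocalhostOnly
        }
        boolean allowed = isLoopback(request.getRemoteAddr());
        if (allowed && behindLocalProxy) {
            // The header is client-controlled: only the last entry of the last
            // X-Forwarded-For line was written by our proxy. No header: deny.
            String last = null;
            for (Enumeration<String> e = request.getHeaders("X-Forwarded-For"); e.hasMoreElements();) {
                last = e.nextElement();
            }
            allowed = last != null && isLoopback(last.substring(last.lastIndexOf(',') + 1).trim());
        }
        if (!allowed) { response.sendError(HttpServletResponse.SC_FORBIDDEN); }
        return allowed;
    }

    /** True for loopback IP literals (127.0.0.0/8, ::1); never resolves host names. */
    static boolean isLoopback(String ip) {
        if (ip == null || !ip.matches("\\d{1,3}(\\.\\d{1,3}){3}|[0-9a-fA-F:.]*:[0-9a-fA-F:.]*")) {
            return false; // empty strings and names such as "localhost" are rejected
        }
        try { return InetAddress.getByName(ip).isLoopbackAddress(); }
        catch (Exception e) { return false; }
    }
}
```

Register it through `WebMvcConfigurer.addInterceptors`, and annotate the controller method from the question with `@LocalhostOnly`.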