A lot of resources and stackoverflow questions that I've viewed provide answers to using .xml files:
IP filter using Spring Security
http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-postauthorize-secured-el/
http://docs.spring.io/spring-security/site/docs/3.0.x/reference/appendix-namespace.html#nsa-gms
All that I would like to know is if it's possible to whitelist an IP address range using Spring Security without using XML configs?
Below is a simple method in my controller:
@RequestMapping(value = "/makeit", method = RequestMethod.GET)
@ResponseBody
//@PreAuthorize("hasIpAddress('192.168.0.0/16')")
public String requestData() {
return "youve made it";
}
I've created a separate class for the security config but it doesn't have much, I just created it for the EnableGlobalMethodSecurity annotation - so that I can use the @PreAuthorize annotation (from an answer here: @PreAuthorize annotation not working spring security).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http
            .authorizeRequests()
            .anyRequest().access("hasIpAddress('0.0.0.0/0')");
        // Variants already tried, all with the same result:
        /*http
            .authorizeRequests()
            .anyRequest().hasIpAddress("0.0.0.0/0");*/
        /*http
            .authorizeRequests()
            .antMatchers("/**").hasIpAddress("0.0.0.0/0");*/
        /*http
            .authorizeRequests()
            .antMatchers("/**").access("hasIpAddress('0.0.0.0/0')");*/
        /*http
            .authorizeRequests()
            .anyRequest().access("hasIpAddress('0.0.0.0/0')");*/
    }
}
However, when I tried, it responded with (through POSTMAN):
{
"timestamp": 1486743507520,
"status": 401,
"error": "Unauthorized",
"message": "Full authentication is required to access this resource",
"path": "/makeit"
}
Additional facts:
My IP address is in this range. And I'm using Spring release 1.3.1 (Spring Security is 4.0.3, I believe).
So with the help of @Dur, we were able to troubleshoot the issue. The issue isn't with Spring Boot (everything works fine above) but the issue is that when a user goes to the Spring App locally (localhost:8080), localhost uses an IPv6 address and the above code allows access for an IPv4 address.
You either need to change your SpringSecurityConfig file by changing the IPv4 address to an IPv6 one (or whatever Tomcat defaults to) OR you can change how you access the app (by going to 127.0.0.1:8080).
Note - this is only for local testing. You'll need to test and obtain the IP addresses of the users/services that will be accessing your app.
In short, you can whitelist an IP range by using the above code without an AuthenticationManagerBuilder.
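The fix the answer describes, written out as a complete Java config; this is an added example, not code from the question or the answer. The class name IpWhitelistConfig and the allow-list expression are assumptions; the IpAddressMatcher check at the bottom exercises the same matcher Spring evaluates behind hasIpAddress(), to show why an IPv4-only rule rejects a local browser that connects over IPv6.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class IpWhitelistConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical allow-list: the LAN range from the question plus BOTH loopback
    // literals. A browser on the same host may reach Tomcat over ::1 (IPv6) rather
    // than 127.0.0.1, and hasIpAddress() never matches across address families,
    // so an IPv4-only rule rejects that client and the default entry point
    // answers 401 "Full authentication is required" (the response in the question).
    static final String ALLOWED =
        "hasIpAddress('192.168.0.0/16') or hasIpAddress('127.0.0.1') or hasIpAddress('::1')";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Pure IP allow-list, no AuthenticationManagerBuilder and no login form:
        // the client address alone decides whether any request is served.
        http
            .authorizeRequests()
                .anyRequest().access(ALLOWED);
    }

    // Stand-alone check of the matcher used by hasIpAddress(): compare how an
    // IPv4 rule and an IPv6 rule treat the two loopback literals a local
    // browser can arrive with. Run it before relying on a CIDR rule in testing.
    public static void main(String[] args) {
        IpAddressMatcher v4Loopback = new IpAddressMatcher("127.0.0.1/32");
        IpAddressMatcher v6Loopback = new IpAddressMatcher("::1");
        System.out.println("127.0.0.1 vs 127.0.0.1/32: " + v4Loopback.matches("127.0.0.1"));
        // Different address family: the v4 matcher rejects the IPv6 loopback client
        System.out.println("::1       vs 127.0.0.1/32: " + v4Loopback.matches("::1"));
        System.out.println("::1       vs ::1:          " + v6Loopback.matches("::1"));
    }
}
```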