Spring Security - whitelist IP range

A lot of resources and stackoverflow questions that I've viewed provide answers to using .xml files:

  • IP filter using Spring Security

  • http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-postauthorize-secured-el/

  • http://docs.spring.io/spring-security/site/docs/3.0.x/reference/appendix-namespace.html#nsa-gms

All that I would like to know is if it's possible to whitelist an IP address range using Spring Security without using XML configs?

Below is a simple method in my controller:

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class MakeItController {   // class name assumed: only the method was posted
    @RequestMapping(value = "/makeit", method = RequestMethod.GET)
    @ResponseBody
    //@PreAuthorize("hasIpAddress('192.168.0.0/16')")   // method-level IP check, left disabled
    public String requestData() {
        return "youve made it";
    }
}

I've created a separate class for the security config but it doesn't have much, I just created it for the EnableGlobalMethodSecurity annotation - so that I can use the @PreAuthorize annotation (from an answer here: @PreAuthorize annotation not working spring security).

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // enables @PreAuthorize on controller methods
public class SpringConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        // Every request must come from an address inside the IPv4 CIDR 0.0.0.0/0
        http
            .authorizeRequests()
                .anyRequest().access("hasIpAddress('0.0.0.0/0')");

        // Equivalent forms also tried, left commented out:
        /*http
            .authorizeRequests()
                .anyRequest().hasIpAddress("0.0.0.0/0");*/

        /*http
            .authorizeRequests()
                .antMatchers("/**").hasIpAddress("0.0.0.0/0");*/

        /*http
            .authorizeRequests()
                .antMatchers("/**").access("hasIpAddress('0.0.0.0/0')");*/

        /*http
            .authorizeRequests()
                .anyRequest().access("hasIpAddress('0.0.0.0/0')");*/
    }
}

However, when I tried, it responded with (through POSTMAN):

{
  "timestamp": 1486743507520,
  "status": 401,
  "error": "Unauthorized",
  "message": "Full authentication is required to access this resource",
  "path": "/makeit"
}

Additional facts:

My IP address is in this range. And I'm using Spring release 1.3.1 (Spring Security is 4.0.3, I believe).

rj2700 asked Feb 10 '17 17:02

1 Answer

So with the help of @Dur, we were able to troubleshoot the issue. The issue isn't with Spring Boot (everything works fine above) but the issue is that when a user goes to the Spring App locally (localhost:8080), localhost uses an IPv6 address and the above code allows access for an IPv4 address.

You either need to change your SpringSecurityConfig file by changing the IPv4 address to an IPv6 address (or whatever Tomcat defaults to) OR you can change how you access the app (by going to 127.0.0.1:8080).

Note - this is only for local testing. You'll need to test and obtain the IP addresses of the users/services that will be accessing your app.

In short, you can whitelist an IP range by using the above code without an AuthenticationManagerBuilder.

rj2700 answered Oct 08 '22 22:10
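A configuration that accounts for the IPv6 loopback problem described in the answer, as an added example (not the asker's code): it whitelists the 192.168.0.0/16 range from the question plus both loopback forms, denies everything else, and calls the same IpAddressMatcher class that hasIpAddress() wraps to show the address-family mismatch directly. The class and method names are assumed; Spring Security 4.x with WebSecurityConfigurerAdapter is assumed, as on this page.

```java
// Added example, not the asker's code. Assumes Spring Security 4.x.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class IpWhitelistSecurityConfig extends WebSecurityConfigurerAdapter {   // name assumed

    // hasIpAddress() builds an IpAddressMatcher per call; a matcher built from an
    // IPv4 CIDR never matches an IPv6 client, so loopback needs both spellings.
    static final String ALLOWED_FROM =
        "hasIpAddress('192.168.0.0/16') or hasIpAddress('127.0.0.1') or hasIpAddress('::1')";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/makeit").access(ALLOWED_FROM)
                .anyRequest().denyAll();   // fail closed for every other URL
    }

    // Same matcher class hasIpAddress() uses, callable without a running server.
    public static boolean allowed(String cidr, String clientAddress) {
        return new IpAddressMatcher(cidr).matches(clientAddress);
    }

    public static void main(String[] args) {
        // IPv4 client inside the IPv4 range
        System.out.println(allowed("192.168.0.0/16", "192.168.1.10"));
        // IPv6 loopback (what Tomcat reports for localhost) against the IPv4 rule
        System.out.println(allowed("192.168.0.0/16", "0:0:0:0:0:0:0:1"));
        // IPv6 loopback against an IPv6 rule
        System.out.println(allowed("::1", "0:0:0:0:0:0:0:1"));
    }
}
```

hasIpAddress() evaluates the servlet request's remote address, so behind a reverse proxy it sees the proxy, not the client, unless the container is configured to trust forwarded headers (for example Tomcat's RemoteIpValve). Verify the address the app actually sees before relying on the whitelist.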