
I have two configurations. The first should achieve that all requests to /api/** may only come from specific IPs,

like the following...

.authorizeRequests().antMatchers("/api/**").hasIpAddress("dynamic List of IPs");

It should be checked whether the IP is stored in the database; otherwise access is to be denied.

And the second config takes care of the rest.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;

@Configuration
@EnableWebSecurity
public class AppSecurityConfig {

    // Global AuthenticationManagerBuilder shared by both filter chains below.
    // Md5PasswordEncoder is deprecated (removed in Spring Security 5); MD5 is not a suitable password hash.
    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(new CustomUserDetailsService()).passwordEncoder(new Md5PasswordEncoder());
    }

    // Chain 1: evaluated first because of @Order(1).
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    // Without antMatcher("/api/**") this chain would match every request
                    // and the form-login chain below would never be consulted.
                    .antMatcher("/api/**")
                    .csrf().disable()      // CSRF protection off for the API chain
                    .headers().disable()   // no security headers (X-Frame-Options, etc.) on the API chain
                    .authorizeRequests()
                    // Placeholder from the question: hasIpAddress() takes a single IP or CIDR
                    // range string, not a list.
                    .antMatchers("/api/**").hasIpAddress("dynamic List of IPs");
        }
    }

    // Chain 2: form login for everything that is not /api/**.
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.sessionManagement().maximumSessions(1)
                    .expiredUrl("/error/expired.xhtml").and()
                    .invalidSessionUrl("/Anmeldung.xhtml?check=invalid");
            http
                    .csrf().disable()      // CSRF protection disabled for the form-login chain as well
                    .headers().disable()
                    .formLogin().loginPage("/Anmeldung/").loginProcessingUrl("/j_spring_security_check").successHandler(new CustomAuthenticationSuccessHandler())
                    .failureUrl("/Anmeldung.xhtml?check=error").usernameParameter("j_username").passwordParameter("j_password")
                    .and()
                    .exceptionHandling().accessDeniedPage("/error/403.xhtml")
                    .and()
                    .logout().logoutUrl("/logout").logoutSuccessUrl("/Anmeldung.xhtml?check=logout").invalidateHttpSession(false).deleteCookies("JSESSIONID").permitAll();

            // Rules are matched in declaration order; the first matching antMatcher wins.
            ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry interceptUrlRegistry = http.authorizeRequests();
            interceptUrlRegistry.antMatchers("/Administrator/*").hasAnyAuthority("ROLE_ADMIN");
            interceptUrlRegistry.antMatchers("/*").hasAnyAuthority("ROLE_USER");
            interceptUrlRegistry.antMatchers("/Anmeldung/index.xhtml").anonymous();
            interceptUrlRegistry.antMatchers("/template/*").denyAll();
            interceptUrlRegistry.antMatchers("/resources/**").permitAll();
        }
    }
}

Thanks for your help.

BalusC
Sascha
  • Here is a nice discussion if it's subnets: http://forum.spring.io/forum/spring-projects/security/95303-how-to-use-hasipaddress – HRgiger Apr 28 '16 at 08:19
  • Hey, thank you for the link, but I think I need a filter or something like that, so that I can check on every request (/api/**) whether the request IP address is in the database. – Sascha Apr 28 '16 at 09:12
  • Like this? http://stackoverflow.com/questions/28303097/spring-security-multiple-hasipaddress-antmatchers – HRgiger Apr 28 '16 at 09:32
  • Yes, like that, but that is static and I need a dynamic list, so that it's possible to add or remove an IP. And I don't want to reload the application after every change. – Sascha Apr 28 '16 at 09:38

1 Answer


You can dynamically configure the HttpSecurity object inside a for loop, like the code referenced below.

import java.util.Map;
import java.util.Map.Entry;

// hashmapObject: Map<String, String> of URL pattern -> allowed IP address or CIDR range
Map<String, String> hashmapObject = ...;

for (Entry<String, String> entry : hashmapObject.entrySet()) {
    String url = entry.getKey().trim();
    String ips = entry.getValue().trim();
    // hasIpAddress() takes one IP or one CIDR range (e.g. "192.168.1.0/24") per call
    http.authorizeRequests().and().authorizeRequests().antMatchers(url).hasIpAddress(ips);
}

This worked for me. The hashmap object had the dynamic list of URLs and their corresponding IPs to give access to.

"http.authorizeRequests().and()": this and() is needed to indent, like we do in XML configuration to configure the http child elements.

Please let me know if this helps.

Shiva
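The loop in the answer above is evaluated once, when configure(HttpSecurity) builds the filter chain at startup, so IPs added to or removed from the database later are not seen until the application is reloaded, which is exactly what the question wants to avoid. One way to get a per-request database check is to delegate the decision to a Spring bean from an access expression. The following is an added example, not code from the question or the answer: the bean name apiIpWhitelist, the table api_allowed_ips with a cidr column, and the use of JdbcTemplate are assumptions; it targets the WebSecurityConfigurerAdapter style of Spring Security 4.x/5.x used on this page.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.stereotype.Component;

// Hypothetical bean (not from the question or answer): decides on every request whether the
// caller's address is stored in the database. Assumed schema:
//   CREATE TABLE api_allowed_ips (cidr VARCHAR(64) NOT NULL);   -- rows like '10.0.0.5' or '192.168.1.0/24'
@Component("apiIpWhitelist")
class ApiIpWhitelist {

    private final JdbcTemplate jdbc;

    @Autowired
    ApiIpWhitelist(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    public boolean isAllowed(HttpServletRequest request) {
        // getRemoteAddr() is the TCP peer address, the same value hasIpAddress() checks.
        // Do not replace it with X-Forwarded-For unless a trusted reverse proxy in front of
        // the application overwrites that header; otherwise any client can set it freely.
        String remote = request.getRemoteAddr();
        if (remote == null) {
            return false;
        }
        // Read the list on every call so that rows added or removed in the database take
        // effect immediately, without restarting the application.
        List<String> cidrs = jdbc.queryForList("SELECT cidr FROM api_allowed_ips", String.class);
        for (String cidr : cidrs) {
            try {
                // IpAddressMatcher accepts a single IPv4/IPv6 address or a CIDR range.
                if (new IpAddressMatcher(cidr.trim()).matches(remote)) {
                    return true;
                }
            } catch (IllegalArgumentException malformedRow) {
                // An unparseable row must not open access; skip it and keep checking.
            }
        }
        return false; // deny by default
    }
}

// Replacement for the question's ApiWebSecurityConfigurationAdapter: restricted to /api/** so
// the form-login chain still handles everything else, and delegating the decision to the bean.
@Configuration
@Order(1)
public class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")             // this filter chain applies to /api/** only
            .authorizeRequests()
                // "request" is the HttpServletRequest exposed by the web security expression
                // root; "@apiIpWhitelist" references the Spring bean by name.
                .anyRequest().access("@apiIpWhitelist.isAllowed(request)")
            .and()
            .csrf().disable();                 // as in the question; the API is not browser-driven
    }
}
```

Bean references in access expressions need the expression handler to know the ApplicationContext, which Java configuration wires up by default. The query runs on every /api/** request; if that is too costly, keep the same bean and add a short-lived cache of the CIDR list, which still avoids a restart while bounding how long a removed IP stays valid.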