8

A lot of resources and Stack Overflow questions that I've viewed provide answers using .xml files.

All that I would like to know is if it's possible to whitelist an IP address range using Spring Security without using XML configs?

Below is a simple method in my controller:

// Imports and the enclosing controller class are added here so the snippet compiles;
// the class name is assumed, the original post only shows the method.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class MakeItController {
    @RequestMapping(value = "/makeit", method = RequestMethod.GET)
    @ResponseBody
    //@PreAuthorize("hasIpAddress('192.168.0.0/16')")
    public String requestData() {
        return "youve made it";
    }
}

I've created a separate class for the security config, but it doesn't have much; I just created it for the EnableGlobalMethodSecurity annotation, so that I can use the @PreAuthorize annotation (from an answer here: @PreAuthorize annotation not working spring security).

// Imports added so the class compiles as posted (Spring Security 4.0.x / Spring Boot 1.3.x).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        // Intended to open every request to any client; the commented-out
        // variants below are the alternative forms that were also tried.
        http
            .authorizeRequests()
                .anyRequest().access("hasIpAddress('0.0.0.0/0')");

        /*http
            .authorizeRequests()
                .anyRequest().hasIpAddress("0.0.0.0/0");*/

        /*http
            .authorizeRequests()
                .antMatchers("/**").hasIpAddress("0.0.0.0/0");*/

        /*http
            .authorizeRequests()
                .antMatchers("/**").access("hasIpAddress('0.0.0.0/0')");*/

        /*http
            .authorizeRequests()
                .anyRequest().access("hasIpAddress('0.0.0.0/0')");*/

    }
}

However, when I tried, it responded with (through Postman):

{
  "timestamp": 1486743507520,
  "status": 401,
  "error": "Unauthorized",
  "message": "Full authentication is required to access this resource",
  "path": "/makeit"
}

Additional facts:

My IP address is in this range. And I'm using Spring release 1.3.1 (Spring Security is 4.0.3, I believe).

rj2700
  • @dur Thanks for the feedback. So I've updated it a bit more, but originally (when I posted this question), my assumption was to have not much in the web security config file, as I wanted any requests to come through but keep only one method (in this case, /makeit) restricted by an IP address. All of the linked URLs provide examples of specific users (built with inMemoryAuthentication()) but none with ONLY IP addresses. In the above example in the security config class, I've opened it to everyone. – rj2700 Feb 13 '17 at 22:31
  • Even if I remove the method level annotation, in theory, it should be open to anyone (0.0.0.0/0) yet it still refuses access. I've also tried other solutions (commented out in the code above) – rj2700 Feb 14 '17 at 15:39
  • 1
    @dur Yeah, this works with an authenticated user (using AuthenticationManagerBuilder). However, on further inspection, it seems that you were right about the IP address. Tomcat uses an IPv6 address when calling localhost. Thus, 0.0.0.0/0 is not a valid format. So when I changed it to accept IPv6 (with no subnet), it works properly (::1). Interestingly enough, if you use 127.0.0.1 (when local testing), it uses its IPv4 address and the original way worked... So this is an issue with Tomcat, not Spring Security. – rj2700 Feb 14 '17 at 17:22

1 Answer

7

So with the help of @Dur, we were able to troubleshoot the issue. The issue isn't with Spring Boot (everything works fine above), but rather that when a user goes to the Spring app locally (localhost:8080), localhost uses an IPv6 address, and the above code allows access for an IPv4 address.

You either need to change your SpringSecurityConfig file by changing the IPv4 address to an IPv6 one (or whatever Tomcat defaults to), OR you can change how you access the app (by going to 127.0.0.1:8080).

Note - this is only for local testing. You'll need to test and obtain the IP addresses of the users/services that will be accessing your app.

In short, you can whitelist an IP range by using the above code without an AuthenticationManagerBuilder.

rj2700
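The configuration below is an added example, not code from the question or the answer above; it shows the setup the answer describes (IP-only restriction of /makeit, no AuthenticationManagerBuilder) in a form that works from both 127.0.0.1 and localhost. The class name IpWhitelistSecurityConfig and the 192.168.0.0/16 range are taken from the question; the package name is assumed. The rule lives in HttpSecurity rather than in @PreAuthorize because hasIpAddress is a web-security expression (WebSecurityExpressionRoot) and is not available in method-security expressions. Spring Security's IpAddressMatcher returns false when the client address and the configured address belong to different families, which is why 0.0.0.0/0 never matched the IPv6 loopback ::1 that Tomcat reports for localhost; listing both loopback forms avoids that.

```java
package com.example.security; // assumed package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * IP-address-only access control for a single endpoint (Spring Security 4.x Java config).
 * No users, no login form, no AuthenticationManagerBuilder: the decision is made purely
 * on the remote address of the request.
 */
@Configuration
@EnableWebSecurity
public class IpWhitelistSecurityConfig extends WebSecurityConfigurerAdapter {

    // IPv4 range from the question plus both loopback forms, so local testing works
    // whether the browser resolves localhost to ::1 (Tomcat's default) or 127.0.0.1.
    private static final String MAKEIT_ALLOWED =
            "hasIpAddress('192.168.0.0/16') or hasIpAddress('127.0.0.1') or hasIpAddress('::1')";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No session-bound login exists here, so CSRF protection adds nothing.
            .csrf().disable()
            .authorizeRequests()
                // Only /makeit is restricted; a client outside the list gets 401/403
                // because the anonymous user is denied and sent to the entry point.
                .antMatchers("/makeit").access(MAKEIT_ALLOWED)
                // Everything else stays open to any client, as the question asked.
                .anyRequest().permitAll();
    }
}
```

One caveat for anything beyond local testing: hasIpAddress checks request.getRemoteAddr(), which is the address of the direct TCP peer. Behind a load balancer or reverse proxy that is the proxy's address, so every client would be allowed or denied together. In that case configure the container to trust forwarded headers only from the proxy's own addresses (Tomcat's RemoteIpValve with an internalProxies setting, for example) rather than honouring X-Forwarded-For from arbitrary clients, since that header is client-supplied and trivially spoofed.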