I can't get ipRestrictions to work via springsecurity. I'm working with a bare app to try and isolate the issue with Grails 3.3.10 and spring-security-core 3.2.0.

Eventually I want to restrict access to a web service to a limited subnet. But in an attempt to get this to work I'm just trying to find any case that will get rejected.

I'm working with a stock create-app application but I've added the following to build.gradle to pull in spring-security:

    compile 'org.grails.plugins:spring-security-core:3.2.0'

My application.groovy to configure this is:

    grails.plugin.springsecurity.rejectIfNoRule = false
    grails.plugin.springsecurity.fii.rejectPublicInvocations = false
    grails.plugin.springsecurity.ipRestrictions = [
        [pattern: '/**', access: '172.16.0.1']
    ]

I'm expecting to see something like a 401 Unauthorized or 403 Forbidden.

Bill B
  • Are you working locally? [`All addresses can always be accessed from localhost regardless of IP pattern, primarily to support local development mode.`](https://grails-plugins.github.io/grails-spring-security-core/3.2.x/index.html#ip) – doelleri Sep 13 '19 at 18:32
  • Oh, I didn't understand it that way. Maybe it should say patterns. Well that actually makes it harder to test, but thank you. – Bill B Sep 13 '19 at 19:39

1 Answer

IP Address Restrictions don't apply to requests coming from localhost. This is to "help" local development but subsequently makes testing your restrictions more difficult. There is a confusingly worded note at the bottom of section 18 of the docs that should start "All patterns can always be accessed from localhost regardless of IP address":

All addresses can always be accessed from localhost regardless of IP pattern, primarily to support local development mode.

doelleri
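A small Groovy model of the behaviour described in the answer above, added here as an example; it is not the plugin's code. It assumes a rule applies when its Ant-style pattern matches the path, that paths with no applicable rule are unrestricted, and that any loopback address counts as localhost; the helper names and the `/24` subnet are constructed for illustration.

```groovy
import java.util.regex.Pattern

// Model only (assumed semantics, not the plugin's source). The rule format is the
// ipRestrictions list from the question; helper names are hypothetical.

// Ant-style match: '**' spans path segments, '*' stays within one segment.
boolean pathMatches(String antPattern, String path) {
    String regex = antPattern.split(/\*\*/, -1).collect { String part ->
        part.split(/\*/, -1).collect { String s -> Pattern.quote(s) }.join('[^/]*')
    }.join('.*')
    path ==~ regex
}

// True when remoteAddr equals the single address or falls inside the CIDR block.
boolean inRange(String spec, String remoteAddr) {
    String[] parts = spec.split('/')
    byte[] net = InetAddress.getByName(parts[0]).address
    byte[] ip = InetAddress.getByName(remoteAddr).address
    if (net.length != ip.length) return false            // IPv4 rule, IPv6 client (or reverse)
    int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8
    for (int i = 0; i < net.length; i++) {
        int bits = Math.min(8, Math.max(0, prefix - i * 8)) // prefix bits covering this octet
        int mask = (0xFF << (8 - bits)) & 0xFF
        if ((net[i] & mask) != (ip[i] & mask)) return false
    }
    true
}

boolean isAllowed(List<Map> rules, String remoteAddr, String path) {
    // The localhost exemption: loopback clients are never checked against the rules.
    if (InetAddress.getByName(remoteAddr).isLoopbackAddress()) return true
    List<Map> applicable = rules.findAll { Map r -> pathMatches(r.pattern as String, path) }
    if (!applicable) return true                         // assumed: no rule, no restriction
    applicable.any { Map r -> [r.access].flatten().any { inRange(it as String, remoteAddr) } }
}

def asPosted = [[pattern: '/**', access: '172.16.0.1']]      // rule from the question
def subnet   = [[pattern: '/**', access: '172.16.0.0/24']]   // constructed subnet rule

assert isAllowed(asPosted, '127.0.0.1', '/')        // local test: always passes
assert isAllowed(asPosted, '::1', '/')              // IPv6 loopback passes too
assert !isAllowed(asPosted, '192.168.1.50', '/')    // non-local client is rejected
assert isAllowed(asPosted, '172.16.0.1', '/')
assert isAllowed(subnet, '172.16.0.77', '/api/x')
assert !isAllowed(subnet, '172.16.1.77', '/api/x')
```

To see a rejection from the real application, send the request from another host so that the remote address the server sees is not a loopback address.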