
I'm having trouble with my security configuration and I need to create a list of the IPs that are accessing my application.

My problem is to get the IP in a dynamic way for all my application requests. But I don't want to add an HttpServletRequest for all the requests of my application; what I want is a method that is called before every request, even before SecurityConfig events.

What I've tried to do is to use AuthenticationProvider to get the request HttpServletRequest and then get the IP of my client. The problem is that I can't find a way to create a single class that connects to all my requests. This is my code:

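```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public abstract class IPAddressBasedAuthenticationProvider implements AuthenticationProvider {

  /**
   * Context http request
   */
  @Autowired
  private HttpServletRequest request;

  @Override
  public Authentication authenticate(Authentication authentication) throws AuthenticationException {

      String ipAddress = request.getRemoteAddr();
      System.out.println(ipAddress);
      return authentication;
  }
}
```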

What I was thinking was that my requests were going to pass through this code and then show my client's IP.

I tried autowiring it in my controller classes but my application doesn't execute then. What can I do to make this work?

Davi Bogo
  • Possible duplicate of [How to extract IP Address in Spring MVC Controller get call?](https://stackoverflow.com/questions/22877350/how-to-extract-ip-address-in-spring-mvc-controller-get-call) Just inject at the Request Mapping level by adding this parameter `HttpServletRequest request` – Sully Nov 21 '19 at 17:14
  • Try using Spring AOP and handling HttpServletRequest https://stackoverflow.com/questions/19271807/how-to-inject-httpservletrequest-into-a-spring-aop-request-custom-scenario – Dilip G Nov 21 '19 at 17:56
  • I don't want to change for every request of my application. – Davi Bogo Nov 22 '19 at 13:24

1 Answer


I've used a different way to get the addresses of my client requests.

I've created a class called WebConfig that implements WebMvcConfigurer. This class configures some usages in Spring. Here's the code for this class:

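```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@EnableWebMvc
@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new LoggerInterceptor());
    }
}
```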

This method registers an interceptor. This interceptor will intercept the requests, and the methods you create in it will execute when a request is sent. For example, my code:

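```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class LoggerInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) {

        System.out.println(request.getRemoteAddr());
        return true;
    }
}
```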

In my case I've used the "preHandle" method to get the IP of my client request. This method is called every time someone calls my application via a request, and it is called before Spring handles the request. It can be used as a security configuration as well, because you can return false, in which case the request won't execute. But for that usage there are other ways with Spring Boot.

If I'm doing something wrong please correct me.

Davi Bogo
  • While being a valid option, you should consider researching exactly when the interceptor is called, especially because you added the hint that it could be used as a security mechanism. Security is normally handled by Spring Security itself through the Spring Security filter chain (https://stackoverflow.com/questions/41480102/how-spring-security-filter-chain-works), which is an ordered list determining validity of requests. Using the filter chain you can intercept the request, i.e. before any authentication attempt, if you need to block it due to an invalid IP. – BeWu Nov 21 '19 at 18:50
  • @BeWu If my security config blocks the request due to an invalid IP, it means that my LoggerInterceptor won't execute? How can I get the information of who executes first? If my log is, for example, the blocked IPs, but they're blocked before, it means that I won't get any IP. – Davi Bogo Nov 21 '19 at 19:08
  • Well, you could always check the logs or debug it. If I remember right, you can see the executed Spring Security filter chain in debug or trace logging. An easy way to determine execution order would be to insert a log output in the interceptor's preHandle method and check if it's logged before, after or as part of the chain. That way you can at least check if your solution fits your requirements. – BeWu Nov 21 '19 at 19:25
  • @BeWu If I understand it right, you suggest that I put some kind of logger where my application executes each one of the classes I have (security and interceptor), but my problem is that I don't know how the security config works, as it executes when my application starts up. After that, how does Spring control this configuration? Or at least, where? – Davi Bogo Nov 21 '19 at 19:29
  • The security filter chain is executed every time you receive a request, and if you raise the log level for Spring Security you can see its logs (thus you see it gets executed). All you need to do is to check if the IP you write out is printed before or after the chain. The security config is configured on startup, but the execution and validation is happening before any incoming request, including HTTP requests or method calls annotated with annotations like '@PreAuthorize', and also after a method execution in the case of, e.g., '@PostFilter'. I strongly recommend the link I posted in my first comment. – BeWu Nov 21 '19 at 19:59
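
The comments above turn on ordering: an MVC interceptor runs inside the DispatcherServlet, after the Spring Security filter chain, so requests rejected by security never reach `preHandle`. The following is an added example, not code from the original thread: a servlet filter ordered ahead of the security chain so that rejected requests are logged too. The class name `ClientIpLoggingFilter` is hypothetical, and the example assumes Spring Boot on the `javax.servlet` API with SLF4J available.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class (added example). Assumes Spring Boot auto-registers
// @Component filters and places the security chain at its default order (-100).
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // sorts ahead of the Spring Security filter chain
public class ClientIpLoggingFilter extends OncePerRequestFilter {

    private static final Logger log = LoggerFactory.getLogger(ClientIpLoggingFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // getRemoteAddr() is the TCP peer address; behind a reverse proxy
        // this is the proxy's address, not the end client's.
        String ip = request.getRemoteAddr();
        try {
            // Hand over to the rest of the chain, including Spring Security.
            chain.doFilter(request, response);
        } finally {
            // Runs even when security rejects the request, so 401/403
            // responses are recorded together with the caller's address.
            log.info("client_ip={} method={} uri={} status={}",
                    ip, request.getMethod(), request.getRequestURI(), response.getStatus());
        }
    }
}
```

No controller or `SecurityConfig` change is needed, because Spring Boot registers the filter for every request. If the application sits behind a load balancer, a forwarding header such as `X-Forwarded-For` is only reliable when a trusted proxy sets it, since clients can send their own value.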