Check request source IP against dynamic data using Spring Securiy WebSecurityConfigurerAdapter

Question

Assuming I have the following class code:

@EnableWebSecurity
@Configuration
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/**").hasIpAddress("runtime other device ip");
    }
}

at runtime, when a request is entering the system, I want to validate it came from "runtime other device ip", which can be different at time the request retrieved.

Please assume I have a utility that can retrieve this "runtime other device ip" Utility.getOtherDeviceIP();

Any ideas?

Thanks

Marco Behler · Answer 1 · 2020-04-06T10:29:32.413

Yes, use .access() with a custom bean, that has your Utility class @Autowired and takes the current HttpServlet request as parameter, which Spring will inject for you automatically (next to the current authentication object).

Example:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/api/**").access("@yourCustomIpCheckerBean.check(authentication, request)");

}

Though, you could probably also directly write it as SpEL, if it is just your utility needed for the IP check. Something like (not tested):

.access("request.remoteAddr == @yourUtility.getOtherDeviceIP()")

Check request source IP against dynamic data using Spring Securiy WebSecurityConfigurerAdapter

1 Answers1