Spring Security: IP whitelist before deferring HTTP authentication

I have one URL accessible through a servlet that I blocked with Spring Security DaoAuthenticationProvider. Now I have a requirement that certain incoming IP addresses are whitelisted and therefore not requested for authentication.

I can easily crack this by overriding the authentication method of DaoAuthenticationProvider and bypassing the implementation of superclasses if the IP address matches a known IP address, but this only works when the sender of the request provides username and password (even if it's nonsense). Otherwise, the provider will not be called.

What would be the best way to do this? Should I use a filter to bypass the authentication procedure if the incoming IP address is a known one?

+5
2 answers

I think that the idiomatic Spring way to ensure security is to implement a pre-authentication filter that will populate the security context with a valid Authentication object when the client is in the white list. You can implement such a filter from scratch (for example, like here) or use AbstractPreAuthenticatedProcessingFilter (although this is too complicated for your task).

+2
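
A from-scratch filter of the kind this answer describes, as an added example that is not part of the original answer or of Spring Security itself. The class name, the ROLE_TRUSTED_NETWORK authority and the principal format are hypothetical; it assumes the javax.servlet API and a Spring Security version that ships org.springframework.security.web.util.matcher.IpAddressMatcher, and it would be registered with <security:custom-filter before="BASIC_AUTH_FILTER" .../>.

```java
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: pre-authenticates requests that come from allow-listed networks.
public class IpAllowListAuthenticationFilter extends OncePerRequestFilter {

    private final List<IpAddressMatcher> allowed;

    // cidrs holds addresses or CIDR ranges, e.g. "192.168.1.0/24" (value taken from the page).
    public IpAllowListAuthenticationFilter(List<String> cidrs) {
        this.allowed = cidrs.stream().map(IpAddressMatcher::new).collect(Collectors.toList());
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Never replace an Authentication that an earlier filter already established.
        if (SecurityContextHolder.getContext().getAuthentication() == null && isAllowed(request)) {
            // The three-argument constructor yields a token that is already authenticated,
            // so the username/password provider is never consulted for this request.
            SecurityContextHolder.getContext().setAuthentication(
                new PreAuthenticatedAuthenticationToken("ip:" + request.getRemoteAddr(), "N/A",
                    AuthorityUtils.createAuthorityList("ROLE_TRUSTED_NETWORK")));
        }
        // Requests from other addresses continue down the chain and are challenged as before.
        chain.doFilter(request, response);
    }

    private boolean isAllowed(HttpServletRequest request) {
        // IpAddressMatcher compares request.getRemoteAddr(), the TCP peer address.
        // It does not read X-Forwarded-For, which any client can set; behind a reverse
        // proxy the peer is the proxy itself, so the allow list must account for that.
        return allowed.stream().anyMatch(matcher -> matcher.matches(request));
    }
}
```

With the default session-backed security context, the Authentication set here is saved in the HTTP session, so the session cookie carries it on later requests regardless of source address. Setting create-session="stateless" on the <security:http> element makes the address check apply to every request.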

hasIpAddress()? , .

<security:intercept-url pattern="/services/**" access="hasIpAddress('192.168.1.0/24')"/>
+10
