Spring Security - Whitelist IP Range

Problem description

A lot of resources and stackoverflow questions that I've viewed provide answers to using .xml files:


All that I would like to know is if it's possible to whitelist an IP address range using Spring Security without using XML configs?

Below is a simple method in my controller:

@RequestMapping(value = "/makeit", method = RequestMethod.GET)
@ResponseBody
//@PreAuthorize("hasIpAddress('192.168.0.0/16')")
public String requestData() {

    return "youve made it";
}

I've created a separate class for the security config but it doesn't have much, I just created it for the EnableGlobalMethodSecurity annotation - so that I can use the @PreAuthorize annotation (from an answer here: @PreAuthorize annotation not working spring security).

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http
            .authorizeRequests()
                .anyRequest().access("hasIpAddress('0.0.0.0/0')");

        /*http
            .authorizeRequests()
                .anyRequest().hasIpAddress("0.0.0.0/0");*/

        /*http
            .authorizeRequests()
                .antMatchers("/**").hasIpAddress("0.0.0.0/0");*/

        /*http
            .authorizeRequests()
                .antMatchers("/**").access("hasIpAddress('0.0.0.0/0')");*/

        /*http
            .authorizeRequests()
                .anyRequest().access("hasIpAddress('0.0.0.0/0')");*/

    }
}

However, when I tried, it responded with (through POSTMAN):

{
  "timestamp": 1486743507520,
  "status": 401,
  "error": "Unauthorized",
  "message": "Full authentication is required to access this resource",
  "path": "/makeit"
}

Other facts:

My IP address is in this range. And I'm using Spring release 1.3.1 (Spring Security is 4.0.3, I believe).

Recommended answer

So with the help of @Dur, we were able to troubleshoot the issue. The issue isn't with Spring Boot (everything works fine above) but the issue is that when a user goes to the Spring App locally (localhost:8080), localhost uses an IPv6 address and the above code allows access for an IPv4 address.

You either need to change your SpringSecurityConfig file by changing the IPv4 address to an IPv6 (or whatever Tomcat defaults to) OR you can change how you access the app (by going to 127.0.0.1:8080).

Note - this is only for local testing. You'll need to test and obtain the IP addresses of the users/services that will be accessing your app.

In short, you can whitelist an IP range by using the above code without an AuthenticationManagerBuilder.
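
An added example, not part of the original post: a Java configuration in the same Spring Security 4.x style as the question that allows an IPv4 range plus both loopback forms, so a request arriving from localhost over IPv6 (::1) is matched as well as one arriving at 127.0.0.1. The class name IpAllowlistSecurityConfig, the helper allowlistExpression and the listed addresses are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class IpAllowlistSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed sample allowlist; replace with the addresses of the real clients.
    private static final String[] ALLOWED = {
        "192.168.0.0/16", // IPv4 range from the question's @PreAuthorize line
        "127.0.0.1",      // IPv4 loopback (browser pointed at 127.0.0.1:8080)
        "::1"             // IPv6 loopback (what "localhost" resolved to in the answer)
    };

    // Hypothetical helper: joins the entries into one SpEL expression,
    // e.g. "hasIpAddress('a') or hasIpAddress('b')".
    private static String allowlistExpression(String... ranges) {
        StringBuilder expr = new StringBuilder();
        for (String range : ranges) {
            if (expr.length() > 0) {
                expr.append(" or ");
            }
            expr.append("hasIpAddress('").append(range).append("')");
        }
        return expr.toString();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // An IPv4 entry never matches an IPv6 client address (and vice versa),
        // so each address family that should be admitted needs its own entry.
        http.authorizeRequests()
            .anyRequest().access(allowlistExpression(ALLOWED));
    }
}
```

hasIpAddress evaluates the address the servlet container reports for the connection, so behind a reverse proxy it sees the proxy's address rather than the original client's.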
