如何在Spring 5.7+中通过IP地址和凭证限制对资源的访问
既然Spring5.6中的WebSecurityConfigurerAdapter已被废弃,我们如何限制基于一组IP地址的web应用程序资源的访问?我的目标是禁用默认的spring登录表单,但仍然只从给定的一组IP地址向应用程序发送带有特定凭据的post请求。
我一直跟随Eugen在这里的Baeldung https://github.com/eugenp/tutorials/blob/4fa0844faf6f95bbde4a38d0b16cde066fd4d8af/spring-security-modules/spring-security-web-boot-1/src/main/java/com/baeldung/roles/ip/config/CustomIpAuthenticationProvider.java的例子,这是为Spring5.6编写的。我尝试升级到这里推荐的SecurityFilterChain:https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter。然后,我在使用SecurityAutoConfiguration的类上使用@EnableWebSecurity时禁用了SecurityFilterChain,但是我的代码无法阻止来自特定IP地址和给定用户的请求。
下面是我的密码。
主应用程序
@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
public class MainApp {
public static void main(String[] args) {
SpringApplication.run(MainApp.class, args);
}
}配置类
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity security) throws Exception {
security.csrf().disable().authorizeRequests().anyRequest().permitAll(); // Works for GET, POST, PUT, DELETE
security.authenticationProvider(new CustomIpAuthenticationProvider());
security.formLogin().disable();
return security.build();
}
}
@Bean
public InMemoryUserDetailsManager userDetailsService() {
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
UserDetails user = User.withUsername("test_user")
.password(encoder.encode("password"))
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}自定义身份验证提供者
public class CustomIpAuthenticationProvider implements AuthenticationProvider {
Set<String> whitelist = new HashSet<>();
public CustomIpAuthenticationProvider() {
super();
whitelist.add("11.11.11.11");
// whitelist.add("0.0.0.0");
// whitelist.add("127.0.0.1");
}
@Override
public Authentication authenticate(Authentication auth){
WebAuthenticationDetails details = (WebAuthenticationDetails) auth.getDetails();
String userIp = details.getRemoteAddress();
System.out.println(userIp);
if (!whitelist.contains(userIp)) {
throw new BadCredentialsException("Invalid IP Address");
}
final String name = auth.getName();
final String password = auth.getCredentials().toString();
if (name.equals("test_user") && password.equals("password")) {
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return new UsernamePasswordAuthenticationToken(name, password, authorities);
}
else{
throw new BadCredentialsException("Invalid username or password");
}
}
@Override
public boolean supports(Class<?> authentication) {
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
}
}单元测试到测试应用程序
@Test
public void givenUserWithWrongIPForbidden() {
Response response = RestAssured.given().auth().form("test_user", "password")
.get(base + "/login");
assertEquals(403, response.getStatusCode());
assertTrue(response.asString().contains("Forbidden"));
}回答 1
Stack Overflow用户
发布于 2022-07-20 13:09:41
我也有同样的问题。最后我改变了主意,用了一个过滤器。这是一个示例
https://stackoverflow.com/questions/72493384
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号