java Spring Security - 白名单 IP 范围
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/42164876/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Security - whitelist IP range
提问by rj2700
A lot of resources and stackoverflow questions that I've viewed provide answers to using .xmlfiles:
我查看过的许多资源和 stackoverflow 问题都提供了使用.xml文件的答案:
All that I would like to know is if it's possible to whitelist an IP address range using Spring Security without using XML configs?
我只想知道是否可以在不使用 XML 配置的情况下使用 Spring Security 将 IP 地址范围列入白名单?
Below is a simple method in my controller:
下面是我的控制器中的一个简单方法:
@RequestMapping(value = "/makeit", method = RequestMethod.GET)
@ResponseBody
//@PreAuthorize("hasIpAddress('192.168.0.0/16')")
public String requestData() {
return "youve made it";
}
I've created a separate class for the security config but it doesn't have much, I just created it for the EnableGlobalMethodSecurityannotation - so that I can use the @PreAuthorizeannotation (from an answer here: @PreAuthorize annotation not working spring security).
我为安全配置创建了一个单独的类,但它没有太多,我只是为EnableGlobalMethodSecurity注释创建了它- 这样我就可以使用@PreAuthorize注释(来自这里的答案:@PreAuthorize annotation not working spring security)。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http
.authorizeRequests()
.anyRequest().access("hasIpAddress('0.0.0.0/0')");
/*http
.authorizeRequests()
.anyRequest().hasIpAddress("0.0.0.0/0");*/
/*http
.authorizeRequests()
.antMatchers("/**").hasIpAddress("0.0.0.0/0");*/
/*http
.authorizeRequests()
.antMatchers("/**").access("hasIpAddress('0.0.0.0/0')");*/
/*http
.authorizeRequests()
.anyRequest().access("hasIpAddress('0.0.0.0/0')");*/
}
}
However, when I tried, it responded with (through POSTMAN):
但是,当我尝试时,它响应(通过邮递员):
{
"timestamp": 1486743507520,
"status": 401,
"error": "Unauthorized",
"message": "Full authentication is required to access this resource",
"path": "/makeit"
}
Additional facts:
补充事实:
My IP address is in this range. And I'm using Spring release 1.3.1 (Spring Security is 4.0.3, I believe).
我的IP地址在这个范围内。我使用的是 Spring 版本 1.3.1(我相信 Spring Security 是 4.0.3)。
采纳答案by rj2700
So with the help of @Dur, we were able to troubleshoot the issue. The issue isn't with Spring Boot (everything works fine above) but the issue is that when a user goes to the Spring App locally (localhost:8080), localhost uses an IPv6 address and the above code allows access for an IPv4 address.
所以在@Dur 的帮助下,我们能够解决问题。问题不在于 Spring Boot(上面一切正常),但问题是当用户在本地访问 Spring 应用程序 (localhost:8080) 时,localhost 使用 IPv6 地址并且上面的代码允许访问 IPv4 地址。
You either need to change your SpringSecurityConfig file by changing the IPv4 address to a IPv6 (or whatever Tomcat defaults to) OR you can change how you access the app (by going to 127.0.0.1:8080).
您要么需要通过将 IPv4 地址更改为 IPv6(或 Tomcat 默认设置的任何地址)来更改 SpringSecurityConfig 文件,要么您可以更改访问应用程序的方式(转到 127.0.0.1:8080)。
Note - this is only for local testing. You'll need to test and obtain the IP addresses of the users/services that will be accessing your app.
注意 - 这仅用于本地测试。您需要测试并获取将访问您的应用程序的用户/服务的 IP 地址。
In short, you can whitelist an IP range by using the above code without an AuthenticationManagerBuilder.
简而言之,您可以使用上述代码将 IP 范围列入白名单,而无需 AuthenticationManagerBuilder。
