1. 技术文章
  2. Spring Security WebFlux IP Whitelist

Spring Security WebFlux IP Whitelist

感情迁移 提交于 2021-01-28 19:09:46

问题


In the latest Spring Security which leverages WebFlux, the security config works like below,

SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.authorizeExchange().pathMatchers("/**") ....

Before there is a method hasIpAddress("xxx.xxx.xxx.xxx") we can use to config IP whitelist, now it's gone.

How to specify IP whitelist for new Spring Security Webflux?

Based on idea from @özkan pakdil below, here is my code, but IP filter does not work - The request from IP which is not on whitelist still can go through. 

private Mono<AuthorizationDecision> isAuthorizedIP(Mono<Authentication> authentication, AuthorizationContext context) {
    String ip = context.getExchange().getRequest().getRemoteAddress().getAddress().toString().replace("/", "");

    return authentication.map((a) -> new AuthorizationDecision(
                                        ipWhiteList.contains(ip)));     
}

SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {

http.authorizeExchange().anyExchange().access(this::isAuthorizedIP).and().oauth2Login();

return http.build();

}


回答1:


Took me a while to figure out but finally I found a way it works. please check https://github.com/ozkanpakdil/spring-examples/tree/master/webflux-ip-whitelist and tell me if that not helps.

simply you can define WebSecurityConfig like this

import org.springframework.context.annotation.Bean;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;

import java.util.ArrayList;

@EnableWebFluxSecurity
public class WebSecurityConfig {

    ArrayList<String> whiteListIp = new ArrayList();

    public WebSecurityConfig() {
        whiteListIp.add("0:0:0:0:0:0:0:1");
        whiteListIp.add("192.168.1.1");
        whiteListIp.add("127.0.0.1");
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
                .authorizeExchange()
                .anyExchange()
                .access(this::whiteListIp)
                .and()
                .httpBasic();

        return http.build();
    }

    private Mono<AuthorizationDecision> whiteListIp(Mono<Authentication> authentication, AuthorizationContext context) {
        String ip = context.getExchange().getRequest().getRemoteAddress().getAddress().toString().replace("/", "");
        return authentication.map((a) -> new AuthorizationDecision(a.isAuthenticated()))
                .defaultIfEmpty(new AuthorizationDecision(
                        (whiteListIp.contains(ip)) ? true : false
                ));
    }

}

and have your ip white listed.



来源:https://stackoverflow.com/questions/59438237/spring-security-webflux-ip-whitelist

标签
Spring
spring-boot
spring-security
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!