castrogne

Reputation: 521

Can't get hasIpAddress working on Spring Security

I'm trying to get hasIpAddress working on Spring Security. I've read all I could find on the web but didn't solve my issue...

I tried:

hasIpAddress('192.168.0.129')
hasIpAddress('192.168.0.0/24')
hasIpAddress('192.168.0/24')

I got it to work only without hasIpAddress...

In SpringSecurityConfig.xml:

<http use-expressions="true">
    <intercept-url pattern="/init.do" access="isAnonymous() and hasIpAddress('192.168.0/24')" />
    <form-login login-page="/login" />
    <logout />
</http>

And in my logs:

09/15/2016 16:19:19  [http-listener-1(5)]:springframework.security.web.context.SecurityContextPersistenceFilter.doFilter()119 SecurityContextHolder now cleared, as request processing completed
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.context.HttpSessionSecurityContextRepository.readSecurityContextFromSession()186 HttpSession returned null object for SPRING_SECURITY_CONTEXT
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.context.HttpSessionSecurityContextRepository.loadContext()116 No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@4636ced1. A new one will be created.
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 2 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:security.web.util.matcher.AntPathRequestMatcher.matches()137 Request 'GET /init.do' doesn't match 'POST /logout
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:security.web.util.matcher.AntPathRequestMatcher.matches()137 Request 'GET /init.do' doesn't match 'POST /login
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()322 pathInfo: both null (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()322 queryString: both null (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()339 requestURI: arg1=/gestionprod/; arg2=/gestionprod/ (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()339 serverPort: arg1=8080; arg2=8080 (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()339 requestURL: arg1=http://localhost:8080/gestionprod/; arg2=http://localhost:8080/gestionprod/ (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()339 scheme: arg1=http; arg2=http (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()339 serverName: arg1=localhost; arg2=localhost (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()339 contextPath: arg1=/gestionprod; arg2=/gestionprod (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.DefaultSavedRequest.propertyEquals()339 servletPath: arg1=/init.do; arg2=/init.do (property equals)
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.savedrequest.HttpSessionRequestCache.removeRequest()82 Removing DefaultSavedRequest from session if present
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter()100 Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: e2c51e45dac31339aa97b4863285; Granted Authorities: ROLE_ANONYMOUS'
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
09/15/2016 16:19:19  [http-listener-1(1)]:org.springframework.security.web.FilterChainProxy.doFilter()325 /init.do at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
09/15/2016 16:19:19  [http-listener-1(1)]:security.web.util.matcher.AntPathRequestMatcher.matches()157 Checking match of request : '/init.do'; against '/init.do'
09/15/2016 16:19:19  [http-listener-1(1)]:security.web.access.intercept.FilterSecurityInterceptor.beforeInvocation()219 Secure object: FilterInvocation: URL: /init.do; Attributes: [isAnonymous() and hasIpAddress('192.168.0/24')]
09/15/2016 16:19:19  [http-listener-1(1)]:security.web.access.intercept.FilterSecurityInterceptor.authenticateIfRequired()348 Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: e2c51e45dac31339aa97b4863285; Granted Authorities: ROLE_ANONYMOUS
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.access.vote.AffirmativeBased.decide()66 Voter: org.springframework.security.web.access.expression.WebExpressionVoter@36f219a, returned: -1
09/15/2016 16:19:19  [http-listener-1(1)]:springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException()174 Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied

Upvotes: 7

Views: 4635

Answers (1)

dur

Reputation: 17011

Your client has the wrong IP address 0:0:0:0:0:0:0:1, see:

09/15/2016 16:19:19  [http-listener-1(1)]:security.web.access.intercept.FilterSecurityInterceptor.authenticateIfRequired()348 Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: e2c51e45dac31339aa97b4863285; Granted Authorities: ROLE_ANONYMOUS

0:0:0:0:0:0:0:1 is the IPv6 address for loopback, see RFC 4291:

The unicast address 0:0:0:0:0:0:0:1 is called the loopback address.

Don't use localhost to call your server, it is a loopback, see Wikipedia:

The resolution of the name localhost into one or more IP addresses is configured by the following lines in the operating system's hosts file:

127.0.0.1    localhost
::1          localhost

Upvotes: 3
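
The mismatch the answer points out can be reproduced outside the application. The following is an added example, not part of the original answer and not Spring Security's own code: it does standard CIDR matching with JDK classes only, and the class name CidrCheck, the matches helper and the list of client addresses are made up for illustration (the rule and the first and third addresses are the ones from the question).

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class CidrCheck {

    // Returns true when 'remote' lies inside 'cidr' ("a.b.c.d/n" or a single address).
    // Hypothetical helper for illustration; only IP literals are passed in, so no DNS lookup happens.
    static boolean matches(String cidr, String remote) throws UnknownHostException {
        String[] parts = cidr.split("/", 2);
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] addr = InetAddress.getByName(remote).getAddress();

        // An IPv6 client address (16 bytes) can never fall inside an IPv4 range (4 bytes).
        if (net.length != addr.length) {
            return false;
        }

        // No "/n" suffix means an exact-address rule.
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
        if (prefix < 0 || prefix > net.length * 8) {
            throw new IllegalArgumentException("bad prefix length in " + cidr);
        }

        // Compare the whole bytes covered by the prefix, then the remaining bits.
        int fullBytes = prefix / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (net[i] != addr[i]) {
                return false;
            }
        }
        int rest = prefix % 8;
        if (rest == 0) {
            return true;
        }
        int mask = (0xFF << (8 - rest)) & 0xFF;
        return (net[fullBytes] & mask) == (addr[fullBytes] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        String rule = "192.168.0.0/24";
        // Constructed sample clients: the IPv6 loopback seen in the log, the IPv4
        // loopback, the LAN address from the question, and a host in another subnet.
        String[] clients = {"0:0:0:0:0:0:0:1", "127.0.0.1", "192.168.0.129", "192.168.1.5"};
        for (String client : clients) {
            System.out.printf("%-16s in %s -> %b%n", client, rule, matches(rule, client));
        }
    }
}
```

Only a request that reaches the server from the 192.168.0.x interface satisfies the rule; both loopback forms fail it, so the address the server actually sees (RemoteIpAddress in the debug log) is the value to check first.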
