uksz

Reputation: 18719

How to modify hasIpAddress to validate X-Forwarded-For?

I would like to know how I can modify the hasIpAddress method in Spring Security so that it verifies the X-Forwarded-For header in the request instead of the remote IP address.

Upvotes: 1

Views: 1493

Answers (1)

sofiaguyang

Reputation: 1143

You can choose to create a custom class with the logic that you want. Then, maybe extend DefaultWebSecurityExpressionHandler and override createEvaluationContextInternal, where you can instantiate your custom class and set it as a variable in the StandardEvaluationContext. For example, see OAuth2WebSecurityExpressionHandler for how spring-security-oauth2 extended DefaultWebSecurityExpressionHandler to add OAuth2-specific validation logic. Then, in your http security rule, set the expression handler to use your custom expression handler. In XML, this would look something like:

<security:http>
        <security:expression-handler ref="yourCustomExpressionHandler"/>
</security:http>

Upvotes: 1
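
A sketch of the handler the answer describes, added here as an example and not code from the answer or from Spring Security. It assumes Spring Security 5.x on javax.servlet; the class names, the `#xff` variable and the 10.0.0.0/8 proxy range are hypothetical. Because any client can send X-Forwarded-For, the header is read only when the direct peer is the trusted proxy, and only its last entry (the one that proxy appended) is used.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

public class ForwardedForExpressionHandler extends DefaultWebSecurityExpressionHandler {
    // Assumption: the only proxy allowed to supply X-Forwarded-For (placeholder range).
    private static final IpAddressMatcher TRUSTED_PROXY = new IpAddressMatcher("10.0.0.0/8");

    @Override
    protected StandardEvaluationContext createEvaluationContextInternal(
            Authentication authentication, FilterInvocation invocation) {
        StandardEvaluationContext ctx =
                super.createEvaluationContextInternal(authentication, invocation);
        // Exposed to access expressions as #xff (hypothetical variable name).
        ctx.setVariable("xff", new ForwardedForChecker(invocation.getRequest()));
        return ctx;
    }

    /** Hypothetical helper; SpEL needs the class and the method to be public. */
    public static class ForwardedForChecker {
        private final HttpServletRequest request;

        ForwardedForChecker(HttpServletRequest request) {
            this.request = request;
        }

        public boolean hasIpAddress(String cidr) {
            String client = clientAddress();
            return client != null && new IpAddressMatcher(cidr).matches(client);
        }

        private String clientAddress() {
            if (!TRUSTED_PROXY.matches(request)) {
                return request.getRemoteAddr(); // direct peer: ignore the header
            }
            // Assumption: the proxy sends one header and appends the peer address last.
            String header = request.getHeader("X-Forwarded-For");
            if (header == null) {
                return null; // fail closed: proxied request without the header
            }
            String last = header.substring(header.lastIndexOf(',') + 1).trim();
            // Only accept values shaped like an IPv4 or IPv6 literal.
            boolean ip = last.matches("\\d{1,3}(\\.\\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*");
            return ip ? last : null;
        }
    }
}
```

Registered as the `yourCustomExpressionHandler` bean, it can be used in a rule such as `access="#xff.hasIpAddress('192.0.2.0/24')"`.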
