Reputation: 133
Spring Security WebFlux IP Whitelist
In the latest Spring Security which leverages WebFlux, the security config works like below,
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.authorizeExchange().pathMatchers("/**") ....
Before there is a method hasIpAddress("xxx.xxx.xxx.xxx") we can use to config IP whitelist, now it's gone.
How to specify IP whitelist for new Spring Security Webflux?
Based on idea from @özkan pakdil below, here is my code, but IP filter does not work - The request from IP which is not on whitelist still can go through.
private Mono<AuthorizationDecision> isAuthorizedIP(Mono<Authentication> authentication, AuthorizationContext context) {
String ip = context.getExchange().getRequest().getRemoteAddress().getAddress().toString().replace("/", "");
return authentication.map((a) -> new AuthorizationDecision(
ipWhiteList.contains(ip)));
}
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
http.authorizeExchange().anyExchange().access(this::isAuthorizedIP).and().oauth2Login();
return http.build();
}
Upvotes: 3
Views: 2635
Answers (1)
Reputation: 4602
Took me a while to figure out but finally, I found a way it works. please check https://github.com/ozkanpakdil/spring-examples/tree/master/webflux-ip-whitelist and tell me if that does not help.
simply you can define WebSecurityConfig like this
import org.springframework.context.annotation.Bean;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;
import java.util.ArrayList;
@EnableWebFluxSecurity
public class WebSecurityConfig {
ArrayList<String> whiteListIp = new ArrayList();
public WebSecurityConfig() {
whiteListIp.add("0:0:0:0:0:0:0:1");
whiteListIp.add("192.168.1.1");
whiteListIp.add("127.0.0.1");
}
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.anyExchange()
.access(this::whiteListIp)
.and()
.httpBasic();
return http.build();
}
private Mono<AuthorizationDecision> whiteListIp(Mono<Authentication> authentication, AuthorizationContext context) {
String ip = context.getExchange().getRequest().getRemoteAddress().getAddress().toString().replace("/", "");
return authentication.map((a) -> new AuthorizationDecision(a.isAuthenticated()))
.defaultIfEmpty(new AuthorizationDecision(
(whiteListIp.contains(ip)) ? true : false
));
}
}
and have your IP whitelisted.
Upvotes: 6
Related Questions
- Spring Security: IP Address Whitelist Before Deferring to HTTP Basic Auth
- Spring Boot Webflux - Security CORS is not working
- SpringBoot security allow endpoints to be public and have ip access restriction
- Spring Security - whitelist IP range
- Spring Boot security allow requests from given IP address
- How to whitelist single endpoint in Spring Boot application?
- spring boot (webflux) rest controller get remote IP address
- Spring Webflux Security Allow All But One Url
- White-listing an ip in spring project
- How to implement a ip white list secured spring integration http inbound gateway?