如何在spring security中只通过ip地址验证用户?
[英]How can authenticate user by only ip address in spring security?
问题描述
I have table with users. 
我有用户表。 There is "ip_address" column in this table. 此表中有“ip_address”列。
I have server - java server I have web app on spring boot. 我有服务器 - java服务器我在春季启动时有网络应用程序。
Spring boot communicates with java server by rest. Spring引导通过休息与java服务器通信。
I need realize authonticate user in system by ip. 我需要通过ip实现系统中的authonticate用户。 Whem user open web page - spring boot app get remoteIpAddress( String ipAddress = request.getRemoteAddr(); ) and pass it to java server in url. 用户打开网页 - spring boot app获取remoteIpAddress( String ipAddress = request.getRemoteAddr(); ipAddress String ipAddress = request.getRemoteAddr(); )并将其传递给url中的java服务器。 java server ckeck this ip in db in table users and if user can login return this user to spring boot app. java server ckeck这个ip在表用户的db中,如果用户可以登录则将此用户返回到spring boot app。
I want realize this with spring security. 我希望通过弹簧安全来实现这一点。 But when i open web page, in browser opened dialog window for input login and password. 但是当我打开网页时,在浏览器中打开对话框窗口输入登录名和密码。 But I do not need login and password. 但我不需要登录和密码。 I need if user is not null - give access to pages and save the user. 如果用户不为null,我需要 - 允许访问页面并保存用户。
and if I input login and password and press "ok" button I move to my IPAddressBasedAuthenticationProvider 如果我输入登录名和密码并按“确定”按钮,我将移动到我的IPAddressBasedAuthenticationProvider
@Component
public class IPAddressBasedAuthenticationProvider implements AuthenticationProvider {
@Autowired
private HttpServletRequest request;
@Autowired
AuthService authService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String ipAddress = request.getRemoteAddr();
AuthLkUser authLkUserByIp = authService.getAuthLkUserByIp(ipAddress);
if (authLkUserByIp == null) return null;
boolean b = authService.checkAuthLkUser(authLkUserByIp);
if (b) return null;
final List<GrantedAuthority> grantedAuths = new ArrayList<>();
GrantedAuthority grantedAuthority = new SimpleGrantedAuthority("ROLE_ADMIN");
grantedAuths.add(grantedAuthority);
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(authentication.getName(), authentication.getCredentials(), grantedAuths);
result.setDetails(authentication.getDetails());
return result;
}
@Override
public boolean supports(Class<?> aClass) {
return true;
}
}
And in this class saved user to session. 并在此类中将用户保存到会话中。 And after that when I open web pages i not need input login and password. 之后,当我打开网页时,我不需要输入登录名和密码。 it contains in session. 它包含在会话中。 but my wep page not openned with error 但我的wep页面没有错误打开
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Mon Jul 11 14:27:59 ALMT 2016
There was an unexpected error (type=Forbidden, status=403).
Access is denied
2 个解决方案
解决方案1
2 2016-07-11 12:36:28
For Spring Boot applications that run with the embedded Apache Tomcat container, you can use the org.apache.catalina.filters.RemoteAddrFilter from Apache Tomcat. 对于使用嵌入式Apache Tomcat容器运行的Spring Boot应用程序 ,可以使用Apache Tomcat中的org.apache.catalina.filters.RemoteAddrFilter。
@Bean
public FilterRegistrationBean remoteAddressFilter() {
FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
RemoteAddrFilter filter = new RemoteAddrFilter();
// filter.setAllow("127.0.0.1");
filter.setAllow("127\\.0\\.0\\.1");
filterRegistrationBean.setFilter(filter);
filterRegistrationBean.addUrlPatterns("/gs/serving-web-content/testParameters");
return filterRegistrationBean;
}
allow : A regular expression (using java.util.regex) that the remote client's IP address is compared to.
You can refer this article - How do I restrict access to my application by IP address? 您可以参考这篇文章 - 如何通过IP地址限制对我的应用程序的访问?
解决方案2
1 2016-07-11 10:05:29
You can use Expression-Based Access Control provided by Spring. 您可以使用Spring提供的基于表达式的访问控制 。 To secure individual URL, you are able to do something like this: 要保护单个URL,您可以执行以下操作:
<http use-expressions="true">
<intercept-url pattern="/admin*"
access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
...
</http>
Where you created expression like if he has role admin and his IP address is xxx.xxx.xx, then it is allowed. 你创建表达式的地方,如果他有角色admin,他的IP地址是xxx.xxx.xx,那么它是允许的。 So you are looking for hasIpAddress . 所以你正在寻找hasIpAddress 。 More about expression-based access control is in their docs . 有关基于表达式的访问控制的更多信息, 请参见其文档 。
If you want to create this restrictions for Spring Boot and if you are using Apache Tomcat, then you are able to to enable a Servlet Filter ( here is description) and then you can just enable Remote Address Filter and then set addresses which you want to allow. 如果你想为Spring Boot创建这个限制,如果你正在使用Apache Tomcat,那么你可以启用一个Servlet过滤器( 这里是描述),然后你可以启用远程地址过滤器 ,然后设置你想要的地址允许。 More abouy this filter is in Apache Tomcat docs . 更多abouy这个过滤器在Apache Tomcat 文档中 。
And another one option is that if you will use Spring Security. 另一个选择是,如果你将使用Spring Security。 There is class WebAuthenticationDetails which provide method getRemoteAddress() . 有类WebAuthenticationDetails提供方法getRemoteAddress() 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.