Spring MVC: IP restriction for a single controller method

Question

I need to hide a specific API for requests coming form IP different to a specific one. For instance this should work if I try to use it and my IP is 192.168.1.1, but not if my IP is 192.168.1.2.

@RequestMapping(value = "/test/{id}", method = RequestMethod.GET)
@ResponseBody
@IpRestricted
public void download(@PathVariable("id") String id) {
  ...
}

I read I can make it creating a specific annotation, the one I called "@IpRestricted" in this example, but than how can I proceed? There are better solution to this?

Answer 1

I then realized I can make it without using spring security. I made an annotation like this:

@Retention(RetentionPolicy.RUNTIME)
public @interface IpRestricted {
}

Than I check the request IP address inside a HandlerInterceptor preHandle method:

public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
    if (handler instanceof HandlerMethod) {
        HandlerMethod method = (HandlerMethod)handler;
        if (method.getMethodAnnotation(IpRestricted.class)!=null) {
            if (!request.getRemoteAddr().equals("192.168.1.1")) {
                throw new UnauthorizedException("Ip not authorized");
            }
        }
    }
    [....]
}

And for the download method:

@RequestMapping(value = "/test/{id}", method = RequestMethod.GET)
@ResponseBody
@IpRestricted
public void download(@PathVariable("id") String id) {
   ...
}

That's it!

Answer 2

I think the best Spring solution available for this case is the hasIpAddress() method from Spring Security . There are many different ways to configure permissions to your services via Spring Security, and the IP-based solution is also implemented.

Here is a good example of how to set it up.