I have a Spring Boot based application hosted at a public server.
Is it possible to restrict the access to this application to those sitting at a particular PC at their work place? I want to avoid allowing them to use the application from their home, for example.
There are multiple ways to only allow IPs to connect to your Spring-Boot app.
You can check this article: Spring security whitelist
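The code given in the example is this one:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            // Only this client address may reach /foos/**
            .antMatchers("/foos/**").hasIpAddress("11.11.11.11")
            .anyRequest().authenticated()
            .and()
            .formLogin().permitAll()
            .and()
            .csrf().disable();
    }
}
```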
Or to whitelist one or multiple ranges of IPs:
```java
.antMatchers("/foos/**")
.access("hasIpAddress('10.0.0.0/16') or hasIpAddress('127.0.0.1/32')")
```
This has the advantage of being specific to just a part of your app (`/foos/**`).
If you're using Tomcat as the webserver for your Spring Boot app, you can also configure the web.xml file to filter IP addresses using the `<filter>`:
```xml
<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value><!-- insert your ip list / regex here --></param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
More information here: Apache Tomcat Doc. This method has the advantage of not needing to recompile your app to change settings.
There are other ways to achieve that, but outside of the Spring-boot/java env (like a reverse proxy, Linux configuration if you're on it, I guess).
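The `allow` value of `RemoteAddrFilter` is a regular expression, so a glob-style entry admits more addresses than intended. The following is an added example, not code from the answer or from Tomcat: it pre-checks a candidate pattern against sample addresses, assuming the filter matches the whole remote address with `java.util.regex`; the class name, patterns and addresses are constructed for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example: pre-checks a candidate RemoteAddrFilter "allow" value.
// Assumption: the filter compares the whole remote address against the
// pattern with java.util.regex (full match), as the Tomcat docs describe.
public class AllowPatternCheck {

    // Returns true when the whole address string matches the pattern.
    static boolean allowed(String allowRegex, String remoteAddr) {
        return Pattern.compile(allowRegex).matcher(remoteAddr).matches();
    }

    public static void main(String[] args) {
        // Constructed sample values; the intent is "only 192.168.1.0/24".
        String loose = "192.168.1.*";                // glob-style, dots unescaped
        String strict = "192\\.168\\.1\\.\\d{1,3}";  // dots escaped, last octet bounded

        List<String> addrs = List.of(
            "192.168.1.25",    // inside the intended range
            "192.168.100.7",   // outside the intended range
            "192.168.17.200",  // outside the intended range
            "10.0.0.5");       // outside the intended range

        // Compare the verdict of both patterns for every sample address.
        for (String a : addrs) {
            System.out.printf("%-16s loose=%-5b strict=%b%n",
                a, allowed(loose, a), allowed(strict, a));
        }
    }
}
```

In the `web.xml` `param-value` the strict pattern is written with single backslashes (`192\.168\.1\.\d{1,3}`); the doubled backslashes above are Java string escaping only.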