Spring Boot application security

Question

I have a Spring Boot based application hosted at a public server.

Is it possible to restrict the the access to this application to those sitting at a particular PC at their work place. I want to avoid allowing them to use the application from their home, for example.

Answer 1

There are multiple way to only allow IPs to connect to your Spring-Boot app.

You can check this article: Spring security whitelist

The code given in example is this one:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
      .antMatchers("/login").permitAll()
      .antMatchers("/foos/**").hasIpAddress("11.11.11.11")
      .anyRequest().authenticated()
      .and()
      .formLogin().permitAll()
      .and()
      .csrf().disable();
    }
}

Or to whitelist one or multiple range of IPs:

.antMatchers("/foos/**")
.access(""hasIpAddress('10.0.0.0/16') or hasIpAddress('127.0.0.1/32')")

This has the advantage of being specific to just a part of your app ( /foos/** ).

If your using Tomcat as the webserver for your Spring Boot app, you can also configure the Web.xml file to filter IP adress using the <filter> :

<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value><!-- insert your ip list / regex here --></param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

More information here: Apache Tomcat Doc . This method has the advantage of not needing to recompile your app to change settings.

There are other ways to achieve that, but outside of the Spring-boot/java env (like a reverse proxy, Linux configuration if you're on it, I guess).