
Blacklisting a set of IP addresses in a microservice created using Java and the Spring Boot framework

I have a micro-service designed to interrogate devices of different types and Operating Systems, but for a set of reasons, I want to blacklist a handful of IPs. Is there a way I can achieve that?

Have you tried using HandlerInterceptor interface?

Combine with WebMvcConfigurerAdapter. This should do the job.

Something like this, not exact working code here

//Call after request processing, but before the view is rendered (after controller method call)
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
    String ip = IPAddressUtil.getClientIpAddress(httpServletRequest);
    List<BlackList> blackLists = blackListDao.findByIp(ip);
    if (blackLists == null || blackLists.size() == 0){
        urlHandle(httpServletRequest, 5000, 10);
    } else {
        //Forced control jump
        modelAndView.setViewName("/errorpage/error.html");
    }
}

BlackListDao class can be something like this

@Mapper
public interface BlackListDao {
    //Find records by IP
    List<BlackList> findByIp(String IP);
    //Add record
    int addBlackList(@Param("blackList") BlackList blackList);
}

Configure the interceptor with WebMvcConfigurerAdapter for Spring MVC.

@Configuration
public class MyWebAppConfigurer extends WebMvcConfigurerAdapter {
    @Bean // expose our interceptor as a bean
    public HandlerInterceptor getMyInterceptor() {
        return new URLInterceptor();
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Multiple interceptors form an interceptor chain.
        // addPathPatterns adds interception rules; here we intercept everything under /url.
        // excludePathPatterns excludes paths from interception.
        registry.addInterceptor(getMyInterceptor()).addPathPatterns("/url/**");
        super.addInterceptors(registry);
    }
}

The best way is to check it in the HttpFirewall which can check if a HttpServletRequest is potentially dangerous or not before allowing it to go through FilterChainProxy .

Basically you need to override the default StrictHttpFirewall and add the logic to check if the source IP of the request is in the blacklist, something like:

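import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class MyFirewall extends StrictHttpFirewall {

    private final Set<String> blacklistIPs;

    public MyFirewall(Set<String> blacklistIPs) {
        this.blacklistIPs = blacklistIPs;
    }

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
        // getClientIpAddress() is not defined in this snippet; see the note below.
        String sourceIp = getClientIpAddress(request);

        // Reject before the request reaches the filter chain.
        if (blacklistIPs.contains(sourceIp)) {
            throw new RequestRejectedException("IP is blacklisted");
        }

        return super.getFirewalledRequest(request);
    }
}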

Note: Refer to this for how to implement getClientIpAddress()

Then configure to use it:

@EnableWebSecurity
public class Config extends WebSecurityConfigurerAdapter {
    
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.httpFirewall(new MyFirewall(Set.of("123.123.123.123", "123.123.123.124")));
    }
}
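
An added example, not part of either answer and not Spring's own code: both answers depend on how the client IP is resolved, and an exact-string Set lookup misses CIDR ranges and alternate spellings of the same address. This hypothetical CidrBlocklistFirewall matches with Spring Security's IpAddressMatcher and reads X-Forwarded-For only when the TCP peer is a listed proxy. It assumes javax.servlet, consistent with the WebSecurityConfigurerAdapter style used above.

```java
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.firewall.*;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

// Added example; class name is hypothetical. LITERAL admits only plain IP literals, so a forged header never reaches DNS.
public class CidrBlocklistFirewall extends StrictHttpFirewall {
    private static final Pattern LITERAL = Pattern.compile("((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(?!$)|$)){4}|(?=.*:)[0-9A-Fa-f:]{2,39}");
    private final List<IpAddressMatcher> blocked, trustedProxies;
    public CidrBlocklistFirewall(List<IpAddressMatcher> blocked, List<IpAddressMatcher> trustedProxies) {
        this.blocked = blocked;
        this.trustedProxies = trustedProxies;
    }

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
        String xff = String.join(",", Collections.list(request.getHeaders("X-Forwarded-For"))); // join repeated headers
        if (matchesAny(blocked, resolveClient(request.getRemoteAddr(), xff))) {
            throw new RequestRejectedException("IP is blacklisted");
        }
        return super.getFirewalledRequest(request);
    }

    // Walk X-Forwarded-For right to left, and only when the TCP peer is one of our own proxies.
    String resolveClient(String peer, String forwardedFor) {
        if (forwardedFor.isEmpty() || !matchesAny(trustedProxies, peer)) {
            return peer; // direct connection: the header is client-controlled, ignore it
        }
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!LITERAL.matcher(hop).matches()) {
                throw new RequestRejectedException("Malformed X-Forwarded-For entry");
            }
            if (!matchesAny(trustedProxies, hop)) {
                return hop; // first hop not added by our own infrastructure
            }
        }
        return peer; // every listed hop was a trusted proxy
    }

    private static boolean matchesAny(List<IpAddressMatcher> matchers, String address) {
        try {
            return matchers.stream().anyMatch(m -> m.matches(address));
        } catch (IllegalArgumentException e) { // literal-shaped but unparsable, e.g. ":::::"
            throw new RequestRejectedException("Unparsable address");
        }
    }
}
```

It is registered the same way as MyFirewall, through web.httpFirewall(...), with each list entry built as new IpAddressMatcher("address-or-CIDR").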
