IP filter using Spring Security in Java
I would like to know how to use Spring Security to restrict users' access to my web application by IP address. Should I extend AbstractAuthenticationProcessingFilter or something similar and override its methods in my own way? If so, could you give an example of such an extension and of the corresponding filter description in web.xml?

Thanks in advance.

Also, in my application I already have Spring Security in place (using the default org.springframework.web.filter.DelegatingFilterProxy), but I would like it to check not only the user's credentials but also their IP.

Tags: java, spring, spring-mvc, filter, spring-security

One way is to use Spring Security expressions. For example:
```xml
<http use-expressions="true">
    <intercept-url pattern="/admin*"
        access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
    ...
</http>
...
```
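The same rule in Java configuration, as an added example that is not part of the answer above: it assumes Spring Security 3.2+ with `WebSecurityConfigurerAdapter`, and a `security.admin-cidr` property (an assumed name) so that the allowed range is not hard-coded in source.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AdminIpSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed property, e.g. security.admin-cidr=192.168.1.0/24 in application.properties.
    @Value("${security.admin-cidr}")
    private String adminCidr;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Java equivalent of
                // <intercept-url pattern="/admin*" access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>.
                // hasIpAddress() accepts a single address or a CIDR range (IPv4 or IPv6) and compares it
                // against request.getRemoteAddr(), i.e. the peer that actually opened the TCP connection.
                .antMatchers("/admin*").access("hasRole('admin') and hasIpAddress('" + adminCidr + "')")
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

Because the expression tests `getRemoteAddr()`, a deployment behind a reverse proxy or load balancer will see the proxy's address for every request and the rule will either allow everyone or no one. Do not fix that by reading `X-Forwarded-For` yourself: the header is client-supplied unless a trusted proxy overwrites it. Instead let the container resolve the client address from a trusted proxy only (for example Tomcat's `RemoteIpValve`, or Spring's `ForwardedHeaderFilter`) before the security filter chain runs.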
Anshu's answer is a good idea for authenticating users by IP, but it may not work with CAS authentication. I have another solution, using a filter, that is better suited to that case:
```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.AssertionImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.util.StringUtils;

public class IPAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService;

    private static Set<String> ipWhitelist;

    // AppProperty is the application's own properties holder (not shown in the answer);
    // it supplies the whitelist entries and the name of the header carrying the user name.
    @Autowired
    private AppProperty appProperty;

    @PostConstruct
    public void init() {
        ipWhitelist = new HashSet<>(Arrays.asList(appProperty.getIpWhitelist()));
        // No redirect on success: the request continues down the chain (see successfulAuthentication).
        setAuthenticationSuccessHandler(new AuthenticationSuccessHandler() {
            @Override
            public void onAuthenticationSuccess(
                    HttpServletRequest httpServletRequest,
                    HttpServletResponse httpServletResponse,
                    Authentication authentication) throws IOException, ServletException {
                // do nothing
            }
        });
    }

    public IPAuthenticationFilter() {
        super("/"); // the filter is considered for every URL; requiresAuthentication() decides per request
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException {
        // The user name is taken from a request header; this is only reached for whitelisted addresses.
        String userName = request.getHeader(appProperty.getHeaderCurUser());
        Assertion assertion = new AssertionImpl(userName);
        CasAssertionAuthenticationToken token = new CasAssertionAuthenticationToken(assertion, "");
        UserDetails userDetails = authenticationUserDetailsService.loadUserDetails(token);
        CasAuthenticationToken result = new CasAuthenticationToken(
                "an-id-for-ip-auth",
                userDetails,
                request.getRemoteAddr(),
                userDetails.getAuthorities(),
                userDetails,
                assertion
        );
        return result;
    }

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Only authenticate by IP when the peer address is whitelisted and the user header is present.
        String userName = request.getHeader(appProperty.getHeaderCurUser());
        return ipWhitelist.contains(request.getRemoteAddr()) && !StringUtils.isEmpty(userName);
    }

    @Override
    protected void successfulAuthentication(
            HttpServletRequest request,
            HttpServletResponse response,
            FilterChain chain,
            Authentication authResult) throws IOException, ServletException {
        super.successfulAuthentication(request, response, chain, authResult);
        chain.doFilter(request, response);
    }

    public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> getAuthenticationUserDetailsService() {
        return authenticationUserDetailsService;
    }

    public void setAuthenticationUserDetailsService(
            AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService) {
        this.authenticationUserDetailsService = authenticationUserDetailsService;
    }
}
```
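A CIDR-aware variant of the whitelist check, added here as an example and not part of the answer's code. The filter above tests `ipWhitelist.contains(request.getRemoteAddr())`, which is an exact string comparison: a whitelist entry such as `192.168.1.0/24` can never match, and an entry like `10.0.0.5` will not match `10.0.0.05` or an IPv6-mapped form. This helper assumes the same `appProperty.getIpWhitelist()` array of strings and uses Spring Security's `IpAddressMatcher`, the class behind `hasIpAddress()`.

```java
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.util.StringUtils;

/**
 * Turns a list of single addresses and/or CIDR ranges into matchers and answers
 * "does this request come from an allowed address?".
 */
public class IpWhitelist {

    private final List<IpAddressMatcher> matchers = new ArrayList<>();

    // entries come from the application's own configuration, e.g. appProperty.getIpWhitelist()
    public IpWhitelist(String... entries) {
        for (String entry : entries) {
            if (StringUtils.hasText(entry)) {
                // IpAddressMatcher accepts "10.0.0.5", "10.0.0.0/8" or IPv6 forms such as "fe80::/10";
                // it throws IllegalArgumentException for malformed entries, which is preferable to
                // silently starting with an empty whitelist.
                matchers.add(new IpAddressMatcher(entry.trim()));
            }
        }
    }

    public boolean allows(String remoteAddr) {
        if (remoteAddr == null) {
            return false;
        }
        for (IpAddressMatcher m : matchers) {
            if (m.matches(remoteAddr)) {
                return true;
            }
        }
        return false;
    }

    public boolean allows(HttpServletRequest request) {
        // Deliberately uses getRemoteAddr() and never a forwarded header: the header is set by the
        // client unless a trusted proxy overwrites it, so it is not evidence of where the request came from.
        return allows(request.getRemoteAddr());
    }

    /** Drop-in replacement for the body of requiresAuthentication() in IPAuthenticationFilter above. */
    public static boolean requiresIpAuthentication(IpWhitelist whitelist, HttpServletRequest request,
                                                   String userHeaderName) {
        String userName = request.getHeader(userHeaderName);
        return whitelist.allows(request) && StringUtils.hasText(userName);
    }

    public static void main(String[] args) {
        // Constructed sample whitelist: one subnet and one host.
        IpWhitelist wl = new IpWhitelist("192.168.1.0/24", "10.0.0.5");
        System.out.println("192.168.1.77 allowed: " + wl.allows("192.168.1.77"));
        System.out.println("192.168.2.1 allowed:  " + wl.allows("192.168.2.1"));
        System.out.println("10.0.0.5 allowed:     " + wl.allows("10.0.0.5"));
    }
}
```

Note that the filter trusts the user name from a request header once the address is whitelisted, so the whitelist is the entire authentication decision: keep it to the specific hosts that are allowed to assert identities, and if those hosts sit behind a proxy, make the container resolve the real client address from that trusted proxy before this check runs.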
Possible duplicate of …

Works well. Just make sure you have use-expressions="true", since that is required for web security expressions to work.

Although this solution does include it, it doesn't explicitly say that it is required (which would have helped me).

However, this is not a solution that works well in a real-world scenario, since the addresses are hard-coded in the XML file and changing them requires restarting the application server.
```java
http.addFilterBefore(ipAuthenticationFilter(), CasAuthenticationFilter.class)
```
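The `addFilterBefore` call above needs the filter to exist as a fully wired bean. The configuration below is an added example, not part of the answer: it assumes a `WebSecurityConfigurerAdapter`-based setup, the `IPAuthenticationFilter` from the answer, and an existing `AuthenticationUserDetailsService<CasAssertionAuthenticationToken>` bean (named `casUserDetailsService` here, an assumed name).

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;

@Configuration
@EnableWebSecurity
public class IpFilterWiring extends WebSecurityConfigurerAdapter {

    // Assumed: the same user-details service the CAS filter uses to map a principal to a UserDetails.
    @Autowired
    private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> casUserDetailsService;

    @Bean
    public IPAuthenticationFilter ipAuthenticationFilter() throws Exception {
        IPAuthenticationFilter filter = new IPAuthenticationFilter();
        filter.setAuthenticationUserDetailsService(casUserDetailsService);
        // AbstractAuthenticationProcessingFilter.afterPropertiesSet() asserts that an
        // AuthenticationManager is set, even though this filter builds the Authentication
        // itself in attemptAuthentication() and never calls the manager. Without this line
        // the context fails to start.
        filter.setAuthenticationManager(authenticationManagerBean());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Run the IP-based filter first so whitelisted hosts are authenticated before
            // the CAS filter gets a chance to redirect them to the CAS login page.
            .addFilterBefore(ipAuthenticationFilter(), CasAuthenticationFilter.class)
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

If the application runs on Spring Boot, be aware that any `Filter` exposed as a `@Bean` is also registered directly with the servlet container, outside the security chain; to keep it only inside `springSecurityFilterChain`, register a `FilterRegistrationBean` for it with `setEnabled(false)`.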