This can be done using Web Security Expressions, using hasIpAddress(...).
<http use-expressions="true">
<intercept-url pattern="/admin*"
access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
...
</http>
You can add more features to above basic IP check by implementing your own IP address check service, as below:
<bean id="validateIdService" class="your.pkg.ValidateIdService">
</bean>
<security:http auto-config="false" access-denied-page="/accessDenied.jsp"
use-expressions="true">
<security:intercept-url pattern="/login.jsp"
access="@validateIdService.isValid()" />
</security:http>
And the you can have your service to check the IP address for you, as below:
public class ValidateIdService {
public boolean isValid() {
HttpServletRequest req = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes())
.getRequest();
String ipAddr = req.getRemoteAddr();
// validate IP address
if(valid)
return true;
else return false;
}
}
Hope this helps you.