IP Address Authentication before login into application

StackOverflow https://stackoverflow.com/questions/22802914

Question

Below is my use case/requirement.

  1. Provide a feature for IP Address authentication, let say i have 3 areas. (Black, Grey, White). Black area holds blocked IP Address, grey area hold temporarily disabled IP Address and white area contains valid IP Address.

  2. My login page should only be seen, when request comes from IP Address available in White area. For others, it should show some default page with some error message.

Do I need to do it through filters or any other option available?

Since this done Pre login, so I cannot use AuthenticationProvider.

Was it helpful?

Solution

This can be done using Web Security Expressions, using hasIpAddress(...).

<http use-expressions="true">
    <intercept-url pattern="/admin*"
        access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
    ...
</http>

You can add more features to above basic IP check by implementing your own IP address check service, as below:

<bean id="validateIdService" class="your.pkg.ValidateIdService">
</bean>

<security:http auto-config="false" access-denied-page="/accessDenied.jsp" 
use-expressions="true">
    <security:intercept-url pattern="/login.jsp"
        access="@validateIdService.isValid()" />
</security:http>

And the you can have your service to check the IP address for you, as below: 

public class ValidateIdService {
    public boolean isValid() {
        HttpServletRequest req = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes())
               .getRequest(); 
        String ipAddr = req.getRemoteAddr();
        // validate IP address
        if(valid)
           return true;
        else return false;
    }
}

Hope this helps you.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top