IP filter using Spring Security
I would like to know how to filter users' access to my web application by IP using Spring Security.
Should I extend
If so, could you in
Thanks in advance.
P.S. In my application I also have Spring Security support (using the default
One way you can do this is with Spring Security's web security expressions. For example:

```xml
<http use-expressions="true">
    <intercept-url pattern="/admin*"
                   access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
    ...
</http>
```
Anshu's answer, authenticating users by IP, is a good idea, but it may not work with CAS authentication. I have another solution using a filter that fits this situation better.
```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.AssertionImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.util.StringUtils;

public class IPAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService;

    private static Set<String> ipWhitelist;

    // Application-specific configuration bean supplying the IP whitelist and the header name.
    @Autowired
    private AppProperty appProperty;

    @PostConstruct
    public void init() {
        ipWhitelist = new HashSet<>(Arrays.asList(appProperty.getIpWhitelist()));
        // No redirect on success: the request should simply continue down the filter chain.
        setAuthenticationSuccessHandler(new AuthenticationSuccessHandler() {
            @Override
            public void onAuthenticationSuccess(HttpServletRequest httpServletRequest,
                    HttpServletResponse httpServletResponse,
                    Authentication authentication) throws IOException, ServletException {
                // do nothing
            }
        });
    }

    public IPAuthenticationFilter() {
        // The default request matcher is unused because requiresAuthentication() is overridden below.
        super("/");
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException {
        // The user name comes from a request header; it is only trusted for whitelisted IPs.
        String userName = request.getHeader(appProperty.getHeaderCurUser());
        Assertion assertion = new AssertionImpl(userName);
        CasAssertionAuthenticationToken token = new CasAssertionAuthenticationToken(assertion, "");
        UserDetails userDetails = authenticationUserDetailsService.loadUserDetails(token);
        return new CasAuthenticationToken(
                "an-id-for-ip-auth",
                userDetails,
                request.getRemoteAddr(),
                userDetails.getAuthorities(),
                userDetails,
                assertion);
    }

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Only requests from a whitelisted address that carry the user header are handled here.
        String userName = request.getHeader(appProperty.getHeaderCurUser());
        return ipWhitelist.contains(request.getRemoteAddr()) && StringUtils.hasText(userName);
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        super.successfulAuthentication(request, response, chain, authResult);
        // Continue the chain so downstream filters (including CAS) see the authenticated request.
        chain.doFilter(request, response);
    }

    public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> getAuthenticationUserDetailsService() {
        return authenticationUserDetailsService;
    }

    public void setAuthenticationUserDetailsService(
            AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService) {
        this.authenticationUserDetailsService = authenticationUserDetailsService;
    }
}
```
You can add this filter before CAS like this:

```java
http.addFilterBefore(ipAuthenticationFilter(), CasAuthenticationFilter.class);
```
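The filter above keeps its whitelist as an exact-match `Set<String>`, so a CIDR entry like the `192.168.1.0/24` from the first answer would never match. As an added example that is not from either answer, here is a CIDR-aware check built on Spring Security's `IpAddressMatcher` (the class `hasIpAddress()` uses internally); the `AllowlistCheck` class and its sample entries are constructed for illustration, and spring-security-web is assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

/**
 * CIDR-aware client allowlist (added example, not from the original answers).
 * IpAddressMatcher is what hasIpAddress() uses internally; it accepts a bare
 * address or CIDR notation, IPv4 or IPv6, so entries can be mixed freely.
 */
public final class AllowlistCheck {
    private final List<IpAddressMatcher> matchers = new ArrayList<>();

    public AllowlistCheck(String... entries) {
        for (String entry : entries) {
            matchers.add(new IpAddressMatcher(entry.trim()));
        }
    }

    /** True if the address falls inside any allowlisted entry. */
    public boolean allows(String remoteAddr) {
        if (remoteAddr == null || remoteAddr.isEmpty()) {
            return false;
        }
        for (IpAddressMatcher m : matchers) {
            if (m.matches(remoteAddr)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Replacement for the exact-match Set lookup in requiresAuthentication().
     * getRemoteAddr() is the TCP peer. Behind a reverse proxy that is the proxy's
     * address, so the container must rewrite it from a forwarded header accepted
     * only from trusted proxies (e.g. Tomcat's RemoteIpValve), or every client
     * behind that proxy shares one allowlist decision.
     */
    public boolean allows(HttpServletRequest request) {
        return allows(request.getRemoteAddr());
    }

    public static void main(String[] args) {
        AllowlistCheck check = new AllowlistCheck("192.168.1.0/24", "10.0.0.5");
        System.out.println("192.168.1.77 -> " + check.allows("192.168.1.77")); // inside the /24
        System.out.println("192.168.2.77 -> " + check.allows("192.168.2.77")); // outside the /24
        System.out.println("10.0.0.6 -> " + check.allows("10.0.0.6"));         // not the exact entry
    }
}
```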