-
IP Authentication
Hi,
I have a requirement to perform the following authentication process.
If the requested URL requires no authentication, anonymous, is the remote IP valid?
If the remote IP is valid then carry on else force the client to authenticate themselves.
I know that relying on remote IP address is poor security but that's our requirement.
Can anyone suggest how I can use/extend Spring Security to perform this authentication process?
Regards
Ben Short
-
Hi Jamin,
It is actually easy. You should develop one more Voter and add it to your decisionVoters property.
Here is a very simple sample. I needed to develop a very similar thing.
    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        // start from ACCESS_ABSTAIN (assumed; the same default RoleVoter uses)
        int result = ACCESS_ABSTAIN;
        if (authentication.getDetails() != null) {
            String remoteIpAddress = ((WebAuthenticationDetails) authentication.getDetails())
                    .getRemoteAddress();
            // attempt to find a matching granted authority
            for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
                // checking if ip address matches one of the authorities IP
                if (grantedAuthority.getAuthority().startsWith(getIpPrefix())) {
                    if (matches(grantedAuthority.getAuthority(), remoteIpAddress)) {
                        return ACCESS_GRANTED;
                    }
                    // an IP authority is present but did not match; deny unless a later one matches
                    result = ACCESS_DENIED;
                }
            }
        }
        return result;
    }
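
The voter above calls a matches() helper that the reply does not show. The following is an added example, not part of the original reply, of one way such a helper could compare the remote address with an IP authority. The class name, the "IP_" prefix and the "IP_<address or CIDR block>" authority format are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
// Added illustration: hypothetical helper, not the poster's matches() implementation.
public class IpAuthorityMatcher {
    // Assumed authority format: "IP_" + address or CIDR block, e.g. "IP_10.1.0.0/16".
    static final String IP_PREFIX = "IP_";
    static boolean matches(String authority, String remoteIp) {
        if (authority == null || remoteIp == null || !authority.startsWith(IP_PREFIX)) {
            return false;
        }
        String spec = authority.substring(IP_PREFIX.length());
        int slash = spec.indexOf('/');
        try {
            byte[] net = literal(slash < 0 ? spec : spec.substring(0, slash));
            byte[] addr = literal(remoteIp);
            if (net.length != addr.length) {
                return false; // an IPv4 rule never matches an IPv6 client, and vice versa
            }
            int bits = slash < 0 ? net.length * 8 : Integer.parseInt(spec.substring(slash + 1));
            if (bits < 0 || bits > net.length * 8) {
                return false; // malformed prefix length: fail closed
            }
            for (int i = 0; i < net.length && bits > 0; i++, bits -= 8) {
                int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
                if ((net[i] & mask) != (addr[i] & mask)) {
                    return false;
                }
            }
            return true;
        } catch (IllegalArgumentException | UnknownHostException e) {
            return false; // unparsable rule or address: fail closed
        }
    }

    // Reject anything not shaped like an IP literal so a hostname is never handed to the resolver.
    private static byte[] literal(String s) throws UnknownHostException {
        boolean v4 = s.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        boolean v6 = s.indexOf(':') >= 0 && s.matches("[0-9A-Fa-f:.]+");
        if (!v4 && !v6) {
            throw new IllegalArgumentException("not an IP literal: " + s);
        }
        return InetAddress.getByName(s).getAddress();
    }

    public static void main(String[] args) { // constructed sample values
        System.out.println(matches("IP_10.1.0.0/16", "10.1.42.7"));
        System.out.println(matches("IP_10.1.0.0/16", "10.2.0.1"));
    }
}
```

WebAuthenticationDetails.getRemoteAddress() reports the address of the direct TCP peer, so behind a reverse proxy or load balancer every client appears as the proxy unless the container is configured to restore the original client address.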