Thread: Authenticating By IP Address In Spring 3.1 ?

  1. #1 (Join Date: Jan 2012, Posts: 27)

    Authenticating By IP Address In Spring 3.1?

    I've implemented LDAP authentication using Spring Security 3.1. My security.xml file for that is posted below.

    I need to alter my authentication process such that if a user comes to the site from an IP Address on a "white list" ( kept in a database table ), then that user should automatically be authenticated with Spring 3.1 and then redirected away from the login screen.

    Then that user needs to be assigned a custom role called a "SBC_USER".

    If the user is not from one of the white listed IP Addresses, then s/he should be forced to go through the LDAP authentication on the login page.

    I'm new to Spring and Spring Security so I went to the Spring 3.1 Reference Documentation and read all of Section I.

    There, I read the advice that if you have any special authentication needs you should read Section II Architecture and Implementation. I did that, very slowly and took notes. However, since I am new to all of this I'm not sure I completely understand what I need to do and what is the smartest way of going about doing it.

    Looking at my existing *-security.xml below, it seems to me the thing to do is to make a custom "AuthenticateBYIPAddressProvider" and wire it in with a tag placed above the **ldap-authentication-provider** xml code in the authentication-manager tag.

    Is this the route to go and if so is there a Spring 3.1 example somewhere that shows the details of what needs to be done?

    Perusing the web, I see in Section 16.2 of the Spring 3.1 Reference Documentation there is a hasIpAddress() function to bypass authentication. Can that be easily adapted to get the allowed IP Addresses from a database and assign the user a custom role? If so, any examples?

    Thanks in advance for any ideas about how to approach this problem in Spring 3.1. I'm going to keep reading the Spring 3.1 Reference Documentation and googling around over the weekend.

    Again, this is my existing, working Spring 3.1 *-security.xml which authenticates by LDAP:

    Code:
        <beans xmlns="http://www.springframework.org/schema/beans"
          xmlns:s="http://www.springframework.org/schema/security"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.1.xsd">

          <s:http auto-config="true" use-expressions="true">
            <s:intercept-url pattern="/welcome*" access="isAuthenticated()" />
            <s:form-login login-page="/login" default-target-url="/welcome"
              authentication-failure-url="/loginfailed" />
            <s:logout logout-success-url="/logout" />
          </s:http>

          <s:ldap-server url = "ldap://ldap-itc.sam.acme.com:636/o=acme.com"/>

          <s:authentication-manager>
            <s:ldap-authentication-provider user-dn-pattern="uid={0},ou=People" />
          </s:authentication-manager>

        </beans>
    Last edited by ANewSpring; Apr 13th, 2012 at 02:44 PM.
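One way to build what the first post asks for, added here as an example and not code from this thread, from Spring, or from the poster's project. Two points shape it: `hasIpAddress()` in an `intercept-url` only makes an access decision for an otherwise anonymous request, so it cannot hand out a role; and a custom `AuthenticationProvider` is only invoked when some filter first creates an authentication request for it. A filter that populates the `SecurityContext` directly with a pre-authenticated token is therefore the simpler route in 3.1. The table `ip_whitelist(ip_address)`, the `jdbcTemplate` bean, the package name, the bean id `ipWhitelistFilter` and the assumption that the `DispatcherServlet` is mapped to `/` (so `getServletPath()` returns `/login`) are all placeholders chosen for the example. The whitelist check uses `getRemoteAddr()`, the address of the TCP peer; the 9 users in the same network zone will match on that, whereas a header such as `X-Forwarded-For` is client-supplied unless a proxy you control overwrites it.

```java
// Added example for Spring Security 3.1, not code from the thread. Assumed names:
// table IP_WHITELIST(IP_ADDRESS VARCHAR), a JdbcTemplate bean "jdbcTemplate",
// the package below and the bean id "ipWhitelistFilter".
//
// Wiring, inside the poster's <s:http auto-config="true" use-expressions="true">:
//
//   <s:custom-filter before="FORM_LOGIN_FILTER" ref="ipWhitelistFilter" />
//   <s:intercept-url pattern="/sbc/**" access="hasRole('ROLE_SBC_USER')" />
//
// and as an ordinary bean in the same file:
//
//   <bean id="ipWhitelistFilter"
//         class="com.example.security.IpWhitelistAuthenticationFilter">
//     <constructor-arg ref="jdbcTemplate" />
//   </bean>
package com.example.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Authenticates a request whose TCP peer address is on the database whitelist
 * and grants it ROLE_SBC_USER. Every other request falls through untouched to
 * the existing LDAP form login.
 */
public class IpWhitelistAuthenticationFilter extends GenericFilterBean {

    // In Spring Security 3.1 hasRole('ROLE_SBC_USER') compares the literal
    // authority name; the ROLE_ prefix is not added for you.
    private static final List<GrantedAuthority> SBC_USER_AUTHORITIES =
            Arrays.<GrantedAuthority>asList(new SimpleGrantedAuthority("ROLE_SBC_USER"));

    private final JdbcTemplate jdbc;

    public IpWhitelistAuthenticationFilter(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The filter sits before FORM_LOGIN_FILTER, so the context saved in the
        // session has already been restored: a user who logged in through LDAP
        // keeps that identity and is never re-evaluated by IP.
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            // Address of the TCP peer. Do not replace this with a value taken
            // from X-Forwarded-For unless a proxy you control sets that header;
            // otherwise the client chooses it.
            String peer = request.getRemoteAddr();
            if (isWhitelisted(peer)) {
                PreAuthenticatedAuthenticationToken auth =
                        new PreAuthenticatedAuthenticationToken(peer, "N/A", SBC_USER_AUTHORITIES);
                auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(auth);
                // SecurityContextPersistenceFilter writes this context to the
                // session when the request completes, so the database lookup
                // happens once per session rather than once per request.

                // Whitelisted users should never see the login form
                // (assumes DispatcherServlet mapped to "/").
                if ("/login".equals(request.getServletPath())) {
                    response.sendRedirect(request.getContextPath() + "/welcome");
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Exact-match lookup: the assumed table stores individual addresses, not CIDR ranges. */
    private boolean isWhitelisted(String address) {
        Integer hits = jdbc.queryForObject(
                "select count(*) from ip_whitelist where ip_address = ?",
                Integer.class, address);
        return hits != null && hits > 0;
    }
}
```

The principal of the resulting token is the address string itself, which is what shows up in audit logs and in `SecurityContextHolder`; if the application later needs a real username for these 9 users, the whitelist table can carry one and the filter can use it as the principal instead. Logging out of an IP-authenticated session only clears the context; the next request will be re-authenticated by the same filter, which is the behaviour the whitelist implies.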

  2. #2 (Join Date: Sep 2008, Location: Chicagoland, IL, Posts: 351)

    While I cannot provide any help on implementing a solution like this, I'd like to point out how this essentially eliminates any security the login provides. IP Spoofing would allow any user to utilize the services that require authentication without credentials. Bad idea.

    Instead of authorizing by IP, why not provide a cert that could be used to authenticate the user? That way the incoming request needs some piece of knowledge (the cert) that is not publicly available?
    Michael Minella
    Spring Batch Lead
    Author - Pro Spring Batch
    http://www.michaelminella.com
    Twitter: @MichaelMinella

  3. #3 (Join Date: Jan 2012, Posts: 27)

    Hi mminella;

    I don't disagree with you.

    This was something I was ordered to do, and it is only for 9 people who are in the same building, same network zone.
