Spring Security: IP Address Whitelist Before Deferring to HTTP Basic Auth

Problem description

I have a single URL accessible through a servlet that I have locked down using Spring Security's DaoAuthenticationProvider. I now have the requirement that certain incoming IP addresses must be whitelisted and so are not requested to authenticate.

I can hack around this easily enough by overriding DaoAuthenticationProvider's authenticate method and bypassing the superclass's implementation if the IP address matches a known IP address, but this then only works when the sender of the request supplies a username and password (even if it's nonsense). Otherwise the provider doesn't get called.

What would be the best way to do this? Should I be using a filter to bypass the authentication procedure if a known IP address is incoming?

Recommended answer

I think the idiomatic Spring Security way to do it is to implement a pre-authentication filter that would populate the security context with a valid Authentication object when the client is in the whitelist. You can implement such a filter from scratch (for example, as here) or use AbstractPreAuthenticatedProcessingFilter (though it seems to be overcomplicated for your task).
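
A from-scratch filter of the kind the answer describes, as an added example that is not part of the original answer or the code it links to. It assumes Spring Security 6 (jakarta.servlet, Java 17); the class name `IpWhitelistPreAuthFilter` and the role `ROLE_WHITELISTED_IP` are hypothetical.

```java
import java.io.IOException;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class. Register it ahead of the Basic auth filter, e.g.
// http.addFilterBefore(new IpWhitelistPreAuthFilter(...), BasicAuthenticationFilter.class)
public class IpWhitelistPreAuthFilter extends OncePerRequestFilter {

    private final List<IpAddressMatcher> whitelist;

    // Entries are single addresses or CIDR ranges, e.g. "192.0.2.10" or "10.1.0.0/16".
    public IpWhitelistPreAuthFilter(List<String> allowed) {
        this.whitelist = allowed.stream().map(IpAddressMatcher::new).toList();
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        // IpAddressMatcher compares request.getRemoteAddr(), the TCP peer address, and never
        // reads X-Forwarded-For. Behind a reverse proxy that address is the proxy's own,
        // so whitelist decisions are only meaningful if the container resolves the real peer.
        boolean trusted = whitelist.stream().anyMatch(m -> m.matches(request));
        if (existing == null && trusted) {
            // The three-argument constructor yields an already-authenticated token.
            Authentication auth = new PreAuthenticatedAuthenticationToken(
                    "whitelisted:" + request.getRemoteAddr(), "N/A",
                    AuthorityUtils.createAuthorityList("ROLE_WHITELISTED_IP")); // hypothetical role
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(auth);
            SecurityContextHolder.setContext(context);
        }
        // Non-whitelisted clients fall through to HTTP Basic and the DaoAuthenticationProvider.
        chain.doFilter(request, response);
    }
}
```

Granting a dedicated role rather than reusing a user role keeps whitelisted requests distinguishable in authorization rules and audit logs.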
