Single role multiple IP addresses in Spring Security configuration

by

Your for loop results in following configuration:

@SuppressWarnings("ALL")
@Configuration
@EnableWebSecurity
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            .authorizeRequests()
                .antMatchers("/admin/**").access("hasRole('admin') and hasIpAddress('127.0.0.1')")
                .antMatchers("/admin/**").access("hasRole('admin') and hasIpAddress('192.168.1.0/24')")
                .antMatchers("/admin/**").access("hasRole('admin') and hasIpAddress('0:0:0:0:0:0:0:1')");
    }

    //some other configurations
}

So for URL:

http://localhost:9595/admin/checkappeals/211

only the first matcher is considered, see HttpSecurity#authorizeRequests:

Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:

http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**")
            .hasRole("ADMIN")

You have to build something like:

http
    .authorizeRequests()
        .antMatchers("/admin/**").acces("hasRole('admin') and (hasIpAddress('127.0.0.1') or hasIpAddress('192.168.1.0/24') or hasIpAddress('0:0:0:0:0:0:0:1'))";

More Related Contents:

  1. Spring Security : Multiple HTTP Config not working
  2. Filter invoke twice when register as Spring bean
  3. Spring security CORS Filter
  4. Spring Security Configuration – HttpSecurity vs WebSecurity
  5. Spring Boot 2.0.x disable security for certain profile
  6. How to disable ‘X-Frame-Options’ response header in Spring Security?
  7. How to enable HTTP response caching in Spring Boot
  8. 401 instead of 403 with Spring Boot 2
  9. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  10. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  11. Unit testing with Spring Security
  12. Spring Security, secured and none secured access
  13. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  14. How to apply Spring Security filter only on secured endpoints?
  15. Securing Spring Boot API with API key and secret
  16. JAAS for human beings
  17. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  18. How do I disable resolving login parameters passed as url parameters / from the url
  19. How do I add method based security to a Spring Boot project?
  20. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  21. Disable HTTP OPTIONS method in spring boot application
  22. disabling spring security in spring boot app [duplicate]
  23. Disabling a filter for only a few paths
  24. Spring Boot Microservices – Spring Security – ServiceTest and ControllerTest for JUnit throwing java.lang.StackOverflowError
  25. Secure HTTP Post in Android
  26. Can Spring Security use @PreAuthorize on Spring controllers methods?
  27. Filter order in spring-boot
  28. No serializer found for class org.hibernate.proxy.pojo.bytebuddy.ByteBuddyInterceptor
  29. java.lang.IllegalArgumentException: No converter found for return value of type
  30. Jackson – deserialize inner list of objects to list of one higher level

Leave a Comment