diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt index a61165f33cc..8bb9fedf109 100644 --- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt +++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,6 +26,7 @@ import org.springframework.security.config.annotation.web.configurers.AuthorizeH import org.springframework.security.core.Authentication import org.springframework.security.web.access.intercept.AuthorizationFilter import org.springframework.security.web.access.intercept.RequestAuthorizationContext +import org.springframework.security.web.access.IpAddressAuthorizationManager import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher import org.springframework.security.web.util.matcher.AnyRequestMatcher import org.springframework.security.web.util.matcher.RequestMatcher @@ -222,6 +223,13 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() { return AuthorityAuthorizationManager.hasAnyRole(*roles) } + /** + * Require a specific IP or range of IP addresses. + * @since 6.3 + */ + fun hasIpAddress(ipAddress: String): AuthorizationManager = + IpAddressAuthorizationManager.hasIpAddress(ipAddress) + /** * Specify that URLs are allowed by anyone. */ diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt index e3419213251..0af6bbb4833 100644 --- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt +++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt @@ -816,4 +816,41 @@ class AuthorizeHttpRequestsDslTests { } } + + @Test + fun `request when ip address does not match then responds with forbidden`() { + this.spring.register(HasIpAddressConfig::class.java).autowire() + + this.mockMvc.perform(get("/path") + .with { request -> + request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error") + request.apply { + dispatcherType = DispatcherType.ERROR + } + }) + .andExpect(status().isForbidden) + } + + @Configuration + @EnableWebSecurity + @EnableWebMvc + open class HasIpAddressConfig { + + @Bean + open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { + http { + authorizeHttpRequests { + authorize(anyRequest, hasIpAddress("10.0.0.0/24")) + } + } + return http.build() + } + + @RestController + internal class PathController { + @RequestMapping("/path") + fun path() { + } + } + } } diff --git a/web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java b/web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java new file mode 100644 index 00000000000..35e9cfdbd23 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/access/IpAddressAuthorizationManager.java @@ -0,0 +1,61 @@ +/* + * Copyright 2002-2023 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.access; + +import java.util.function.Supplier; + +import org.springframework.security.authorization.AuthorizationDecision; +import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.core.Authentication; +import org.springframework.security.web.access.intercept.RequestAuthorizationContext; +import org.springframework.security.web.util.matcher.IpAddressMatcher; +import org.springframework.util.Assert; + +/** + * A {@link AuthorizationManager}, that determines if the current request contains the + * specified address or range of addresses + * + * @author brunodmartins + * @since 6.3 + */ +public final class IpAddressAuthorizationManager implements AuthorizationManager { + + private final IpAddressMatcher ipAddressMatcher; + + IpAddressAuthorizationManager(String ipAddress) { + this.ipAddressMatcher = new IpAddressMatcher(ipAddress); + } + + /** + * Creates an instance of {@link IpAddressAuthorizationManager} with the provided IP + * address. + * @param ipAddress the address or range of addresses from which the request must + * @return the new instance + */ + public static IpAddressAuthorizationManager hasIpAddress(String ipAddress) { + Assert.notNull(ipAddress, "ipAddress cannot be null"); + return new IpAddressAuthorizationManager(ipAddress); + } + + @Override + public AuthorizationDecision check(Supplier authentication, + RequestAuthorizationContext requestAuthorizationContext) { + return new AuthorizationDecision( + this.ipAddressMatcher.matcher(requestAuthorizationContext.getRequest()).isMatch()); + } + +}