
I have two applications (WARs), one acting as a Resource Server and the other as my Auth Server, running on two different servers. I am using the client_credentials grant_type. I need to whitelist the IP of my resource server so that nobody else can access the "/oauth/check_token" endpoint directly using Postman, a browser or any other user agent. Here is the code snippet from the auth server:

@EnableAuthorizationServer
@Configuration
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("isFullyAuthenticated()")
                .allowFormAuthenticationForClients()
                .realm(REALM + "/client");
    }
    ...
    some other configuration code related to ClientDetails and tokenStore.
    ...
}

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .anonymous().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/oauth/check_token")
                    .access("isFullyAuthenticated() and hasIpAddress('0.0.0.0/0')")
                .accessDecisionManager(accessDecisionManager)
            .and()
            .httpBasic()
                .authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}

I found a way to whitelist IPs in Spring:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http
        .authorizeRequests()
            .anyRequest().access("hasIpAddress('0.0.0.0/0')");
}

But this is not helping in my situation because it is only checking for fullyAuthenticated(). I want the resource server to be authenticated and authorized before accessing "/oauth/check_token".

Edited

I have referred to a similar kind of problem: How to find users' IPs in Spring Security? but it wasn't helping me, because in that question they were trying to authorize a resource server API, whereas in my case I want to authorize the spring-security default endpoint, i.e. /oauth/check_token.

On further debugging I found that if I remove .antMatchers(HttpMethod.GET,"/oauth/check_token").access("hasIpAddress('0.0.0.0/0')").accessDecisionManager(accessDecisionManager) I am still able to use the /oauth/check_token endpoint.

Then I tried to change fullyAuthenticated to permitAll() in AuthorizationServerSecurityConfigurer.checkTokenAccess("permitAll()"); it started allowing everybody to access the check_token endpoint, which implies it isn't even reading the configuration from .antMatchers(HttpMethod.GET,"/oauth/check_token").

Now I am confused about how to configure hasIpAddress(), and whether we need to explicitly mention antMatcher("/oauth/check_token") or it is provided by default.

iam.Carrot
truekiller
  • Possible duplicate of [How to find users' IPs in Spring Security?](https://stackoverflow.com/questions/11920395/how-to-find-users-ips-in-spring-security) – dur Mar 28 '18 at 15:05

1 Answer

You can model it like this, which keeps both requirements: IP whitelisting, and that all requests are authenticated. You can remove the localhost access rule if not needed:

    // GET is HttpMethod.GET (static import org.springframework.http.HttpMethod.GET);
    // the access expression is split across concatenated strings because a Java
    // string literal cannot span lines
    http
      .authorizeRequests()
      .antMatchers(GET, "/oauth/check_token")
        .access("isFullyAuthenticated() and "
              + "(hasIpAddress('IP_OR_NETWORK_OF_RESOURCE_SERVER') "
              + "or hasIpAddress('127.0.0.1/32'))")
      .antMatchers("/**").fullyAuthenticated();
hovanessyan
  • I don't have permitAll() anywhere in my answer. Have you tried the provided configuration and does it solve your initial problem? – hovanessyan Apr 02 '18 at 12:27
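The question's own experiment (removing the antMatcher in the WebSecurityConfigurerAdapter changed nothing, while changing checkTokenAccess to permitAll() opened the endpoint) shows that /oauth/check_token is governed by the expression passed to AuthorizationServerSecurityConfigurer.checkTokenAccess, not by the application's general HttpSecurity rules. That expression is an ordinary Spring Security web expression, so hasIpAddress() can be used directly inside it. The configuration below is an added example written for this page; it is not code from the question, the answer, or the Spring project. The class name and the 10.0.0.5/32 network are assumed placeholders and must be replaced with the resource server's real address or range.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * Added example (not from the question or answer): restrict /oauth/check_token to the
 * resource server's source address through the authorization server's own security
 * configurer, which is the component that actually protects that endpoint.
 */
@Configuration
@EnableAuthorizationServer
public class CheckTokenIpRestrictedAuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // Placeholder (assumption): the resource server's address. A /32 mask allows exactly
    // one host; use a wider mask such as /24 for a whole subnet. Note that '0.0.0.0/0',
    // as used in the question, matches every IPv4 address and therefore restricts nothing.
    private static final String RESOURCE_SERVER_CIDR = "10.0.0.5/32";

    // Loopback, kept only if the authorization server itself needs to call check_token
    // locally; drop it otherwise so the rule is as narrow as possible.
    private static final String LOCALHOST_CIDR = "127.0.0.1/32";

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Both conditions must hold: the caller presented valid client credentials
        // (HTTP Basic, or form parameters because of allowFormAuthenticationForClients)
        // AND the request's remote address lies inside one of the allowed ranges.
        String checkTokenRule = "isFullyAuthenticated() and ("
                + "hasIpAddress('" + RESOURCE_SERVER_CIDR + "')"
                + " or hasIpAddress('" + LOCALHOST_CIDR + "'))";

        security
            .checkTokenAccess(checkTokenRule)
            .allowFormAuthenticationForClients();
    }
}
```

Two points to check when deploying this. First, hasIpAddress() evaluates the servlet request's remote address; if the authorization server sits behind a reverse proxy or load balancer, that address is the proxy's, and the rule only does what you intend if the container or Spring's forwarded-header support is configured to trust exactly that proxy, otherwise the whitelist either blocks the legitimate resource server or trusts a header any client can set. Second, an IP whitelist is a defence-in-depth layer on top of the client credentials, not a replacement for them: keep isFullyAuthenticated() in the expression, and verify the result by calling the endpoint from a non-whitelisted host with valid credentials and confirming it is rejected.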