-2

I have a micro-service designed to interrogate devices of different types and operating systems, but for a set of reasons, I want to blacklist a handful of IPs. Is there a way I can achieve that?

learnerNT
  • 9
  • 4
  • If you already have Spring Security, write an expression that checks the IP address. Basically an inverse check of what `hasIpAddress` does. You want a `notHasIpAddress`. – M. Deinum Jan 17 '22 at 09:00

2 Answers

1

The best way is to check it in the HttpFirewall, which can check whether an HttpServletRequest is potentially dangerous or not before allowing it to go through the FilterChainProxy.

Basically you need to override the default StrictHttpFirewall and add the logic to check if the source IP of the request is in the blacklist, something like:

import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class MyFirewall extends StrictHttpFirewall {

    private final Set<String> blacklistIPs;

    public MyFirewall(Set<String> blacklistIPs) {
        this.blacklistIPs = blacklistIPs;
    }

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {

        String sourceIp = getClientIpAddress(request);

        // Reject the request before it reaches the security filter chain
        if (blacklistIPs.contains(sourceIp)) {
            throw new RequestRejectedException("IP is blacklisted");
        }

        return super.getFirewalledRequest(request);
    }

    // Minimal implementation: the address of the TCP peer. See the note below for a proxy-aware version.
    private String getClientIpAddress(HttpServletRequest request) {
        return request.getRemoteAddr();
    }
}

Note: Refer to this for how to implement getClientIpAddress().

Then configure Spring Security to use it:

import java.util.Set;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class Config extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Install the custom firewall in front of the filter chain
        web.httpFirewall(new MyFirewall(Set.of("123.123.123.123", "123.123.123.124")));
    }
}
Ken Chan
  • 84,777
  • 26
  • 143
  • 172
  • This is again checking the IP of the request, which is not the case here. Is there a configurable property for blacklisting certain IPs? I understand we can do it through code mechanisms, but I am trying to find a way to do it via configuration. – learnerNT Jan 18 '22 at 06:40
  • You must accept the fact that the client IP must be checked from the HTTP request. If you do not believe it or are not willing to accept it, I think no one in this world can help you. Thanks – Ken Chan Jan 18 '22 at 07:30
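A configuration-driven variant of the firewall approach above, added here as an example that is not part of either answer: the blacklist is read from application.properties under an assumed key `app.blacklist-ips`, rejected requests get a 400 instead of the default 500 via a RequestRejectedHandler bean (Spring Security 5.4+), and the source IP is taken from getRemoteAddr(), the TCP peer, which a client cannot spoof the way it can an X-Forwarded-For header.

```java
// Added example, not from the answers. Assumed application.properties entry:
//   app.blacklist-ips=123.123.123.123,123.123.123.124
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@EnableWebSecurity
public class BlacklistSecurityConfig extends WebSecurityConfigurerAdapter {

    // Comma-separated list bound from configuration; the empty default keeps the app bootable without it
    @Value("${app.blacklist-ips:}")
    private Set<String> blacklistIps;

    @Override
    public void configure(WebSecurity web) {
        web.httpFirewall(new BlacklistFirewall(blacklistIps));
    }

    // Turn RequestRejectedException into a clean 400 rather than an unhandled 500
    @Bean
    public RequestRejectedHandler requestRejectedHandler() {
        return new HttpStatusRequestRejectedHandler();
    }

    static class BlacklistFirewall extends StrictHttpFirewall {
        private final Set<String> blacklist;

        BlacklistFirewall(Set<String> blacklist) {
            this.blacklist = Set.copyOf(blacklist);
        }

        @Override
        public FirewalledRequest getFirewalledRequest(HttpServletRequest request) {
            // getRemoteAddr() is the connecting peer. Behind a trusted reverse proxy, enable
            // Spring Boot's forwarded-header handling so this resolves to the real client instead.
            String sourceIp = request.getRemoteAddr();
            if (blacklist.contains(sourceIp)) {
                throw new RequestRejectedException("IP is blacklisted: " + sourceIp);
            }
            return super.getFirewalledRequest(request);
        }
    }
}
```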
0

Have you tried using the HandlerInterceptor interface?

Combine it with WebMvcConfigurerAdapter. This should do the job.

Something like this (not exact working code):

@Component
public class URLInterceptor implements HandlerInterceptor {

    @Autowired
    private BlackListDao blackListDao;

    // Called after request processing, but before the view is rendered (after the controller method call)
    @Override
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
        String ip = IPAddressUtil.getClientIpAddress(httpServletRequest);
        List<BlackList> blackLists = blackListDao.findByIp(ip);
        if (blackLists == null || blackLists.isEmpty()) {
            urlHandle(httpServletRequest, 5000, 10); // helper not shown in this answer
        } else {
            // Force a jump to the error page
            modelAndView.setViewName("/errorpage/error.html");
        }
    }
}

The BlackListDao class can be something like this:

@Mapper
public interface BlackListDao {
    //Find records by IP
    List<BlackList> findByIp(String IP);
    //Add record
    int addBlackList(@Param("blackList") BlackList blackList);
}

Configure the interceptor in the WebMvcConfigurerAdapter for Spring MVC:

@Configuration
public class MyWebAppConfigurer extends WebMvcConfigurerAdapter {

    @Bean // inject our interceptor as a bean
    public HandlerInterceptor getMyInterceptor() {
        return new URLInterceptor();
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Multiple interceptors form an interceptor chain
        // addPathPatterns adds interception rules; here we intercept all links under /url/
        // excludePathPatterns excludes paths
        registry.addInterceptor(getMyInterceptor()).addPathPatterns("/url/**");
        super.addInterceptors(registry);
    }
}
Rathan Naik
  • 993
  • 12
  • 25
  • My ask is about blacklisting the IP address of particular devices and not where the request came from; not sure if an interceptor will help solve this problem! – learnerNT Jan 17 '22 at 09:51
  • 1
    According to the tags he is using Spring Security, thus it should be part of the security chain (that way everything is handled accordingly). @TimcyNihalani the IP address **is** where the request came from. How else would you check? – M. Deinum Jan 17 '22 at 10:05
  • The request comes from one IP, whereas the devices to be interrogated are different and have different IPs. Hence, I can't rely on interceptors. – learnerNT Jan 18 '22 at 06:39