Announcement Announcement Module
No announcement yet.
IP address in userdetails service Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • IP address in userdetails service

    Hi, I need to work on a requirement to obtain the incomming ip address in Spring security. Being completely new to this framework, the proposed solutions seem to be too complex.
    Just wanted to know if there is an easier way of doing this.
    A proxy layer rewrites the incomming ip-address in the incomming url and it is passed as a query string.
    I'm stuck at two places, a)where and how can I get this IP address from url parameter and
    b) where and how can I store this IP address ?

    I want to validate this IP address against a set of rules and would want this to happen in the authenticate method of my Custom DaoAuthenticationProvider ( subclasses from DaoAuthenticationProvider).

    Any help to point me in a better direction ?

    The various solutions I have been through on this forum :
    - Plugin this somewhere between AuthenticationProcessingFilter and AuthenticationProvider
    - Get access to HttpServletRequest by customising WebAuthenticationDetails and obtain IP address from here(how do I pass it to AuthenticationProvider and how do I wire this CustomWebAuthentication ? )
    - Someone suggested to use RequestContextHolder to acheive this.

  • #2
    You can obtain the IP Address a user logged in using:

    // Obtain the current Authentication. Depending on where you do this, you you might get it
    // from the SecurityContext or an argument to a SS interface
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    // authentication may be null
    WebAuthenticationDetails details = (WebAuthenticationDetails) authentication.getDetails();
    String remoteAddress = details.getRemoteAddress();
    If you want the current HttpServletRequest which contains the current IP information you can use Spring Web's RequestContextHolder. First plugin the RequestContextListener into your web.xml so that the RequestContextHolder is populated. Then you can access the current HttpServletRequest using

    ServletRequestAttributes attrs = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
    HttpServletRequest request = attrs.getRequest();


    • #3
      Hi, thank you so much for your reply.
      I cannot use Webauthentication details since the request is received via proxy. Our proxy server re-writes the ip-address to the url as a parameter.
      So i would essentially require the HttpServletRequest object to get the request url.
      If i implement the RequestContextListener in web.xml, how can I use it in my DaoAuthenticationProvider's authenticate method ?
      Do i need to wire it up somehow or inject it from spring application context or can simply use in the way you described above ?



      • #4
        I would consult your application server's documentation. If this does not work, consult it's forums. Typically this is done by setting a via header.


        • #5
          I will give this a try, although something so trivial should have an easier way to get access to the Http request object.


          • #6
            If i use RequestContextHolder during authenticate will it have the same http request as obtained in Spring Security or can it lead to funny results where-in my RequestContextHolder has a different instance of the http request and the one being used in Authentication token is different ?


            • #7
              An approach to the above problem can be found here :

              Thanks Luke for pointing me in the right direction !


              • #8
                You need to consult admin and try to make sort out this and ask help for Technical Support and make a contact him surely you will get your solution and figure out this problem.
                Last edited by pollostar; Mar 28th, 2012, 07:30 AM.


                • #9
                  RequestContextListener is a 2.4+ servlet listener which needs to be configured in your web applications web.xml file. Once you have configured this in web.xml the current request object will be plugged onto the current thread. To retrieve it you can use either LocaleContextHolder or RequestContextHolder.
                  If you are using Spring MVC the DispatcherServlet handles this and you shouldnt have any problem getting the request object from RequestContextHolder in your java file.

                  Otherwise you can declare RequestContextFilter in your web.xml and then in your java file retrieve the request object from either LocaleContextHolder or RequestContextHolder.
                  Last edited by tomcyjohn; Mar 28th, 2012, 08:11 AM.