Announcement Announcement Module
Collapse
No announcement yet.
How to configure WebAuthenticationDetails, get the real IP address, support for rever Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • How to configure WebAuthenticationDetails, get the real IP address, support for rever

    Hello!
    I use spring-security-3.0 as my security framework.I need to verify the user's IP address.But here I can not get the real IP address :
    Code:
    public class AcegiDaoAuthenticationProvider extends DaoAuthenticationProvider {
        @Override
        protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
                 String presentedPassword = usernamePasswordAuthenticationToken.getCredentials() == null ? "" : usernamePasswordAuthenticationToken.getCredentials()
                    .toString();
            if (!presentedPassword.equals(userDetails.getPassword())) {
                throw new BadCredentialsException(messages.getMessage(
                        "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
            }
              
            String ip = ((WebAuthenticationDetails) usernamePasswordAuthenticationToken.getDetails()).getRemoteAddress();
            System.out.println(ip);
            
        }
    }
    How do I configure org.springframework.security.web.authentication.We bAuthenticationDetails can get to the real IP address?

    The current configuration is:
    <authentication-manager>
    <authentication-provider ref="acegiDaoAuthenticationProvider"/>
    </authentication-manager>

    <beans:bean id="userDetailsService" class="com.woniu.components.acegi.AcegiLoadUserSer vice"/>

    <beans:bean id="acegiDaoAuthenticationProvider" class="com.woniu.components.acegi.AcegiDaoAuthenti cationProvider">
    <beansroperty name="userDetailsService" ref="userDetailsService"/>
    <beansroperty name="userCache" ref="userCache"/>
    </beans:bean>

  • #2
    What do you mean by "I can not get the real IP address"? What is actually the problem?

    Comment


    • #3
      Oh God. Thank you for answering my question.

      The source of the WebAuthenticationDetails class, using request.getRemoteAddr () to obtain IP address. But by the Apache, Squid and other reverse proxy software, I can not get to the real IP address of the client.
      I need to rewrite WebAuthenticationDetails class, and add the following code:
      Code:
       HttpSession session = request.getSession(false);
              this.sessionId = (session != null) ? session.getId() : null;
      
              String ip = request.getHeader("x-forwarded-for");
              if(ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
                  ip = request.getHeader("Proxy-Client-IP");
              }
              if(ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
                  ip = request.getHeader("WL-Proxy-Client-IP");
              }
              if(ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
                  ip = request.getRemoteAddr();
              }
              this.remoteAddress = ip;
      But I do not know how to add it to the configuration file.

      I really hope it can be added to the "security" project. Do not have to rewrite it each time.
      Last edited by xujingames007; Apr 12th, 2010, 09:48 AM.

      Comment


      • #4
        Ok, you never mentioned a proxy - it looks like your original subject was truncated. As you say, you will have to use a custom AuthenticationDetailsSource to pull out whatever headers your proxy sets in the request. This is easy enough to do.

        Comment


        • #5
          by overriding the additionalAuthenticationChecks()... it is possible to get the client ipaddress?

          would like to obtain the ipaddress in order to use during registering user info to my Logs table..

          Code:
          String ip = ((WebAuthenticationDetails) usernamePasswordAuthenticationToken.getDetails()).getRemoteAddress();

          Comment


          • #6
            Originally posted by eros View Post
            by overriding the additionalAuthenticationChecks()... it is possible to get the client ipaddress?

            would like to obtain the ipaddress in order to use during registering user info to my Logs table..
            Please don't cross-post the same question in multiple threads.

            Comment


            • #7
              Easy? I do not know how to configure.
              My last method is to rewrite the class to copy the jar package 。

              Comment


              • #8
                Implement the AuthenticationDetailsSource to return your customized WebAuthenticationDetails, configure it as a Spring bean and then inject the bean into the AuthenticationProcessingFilter.

                Comment


                • #9
                  I have a problem to config bean to use my own WebAuthenticationDetails.

                  Can somebody post the application config?


                  Thank you

                  Comment

                  Working...
                  X