I have a single URL accessible through a servlet that I have locked down using Spring Security's DaoAuthenticationProvider. I now have the requirement that certain incoming IP addresses must be whitelisted and so are not requested to authenticate.
I can hack around this easily enough by overriding DaoAuthenticationProvider's authenticate method and bypassing the superclass's implementation if the IP address matches a known IP address, but this then only works when the sender of the request supplies a username and password (even if it's nonsense). Otherwise the provider doesn't get called.
What would be the best way to do this? Should I be using a filter to bypass the authentication procedure if a known IP address is incoming?
I think the idiomatic Spring Security way to do it is to implement a pre-authentication filter that would populate the security context with a valid Authentication object when the client is in the whitelist. You can implement such a filter from scratch (for example, as here) or use AbstractPreAuthenticatedProcessingFilter (though it seems to be overcomplicated for your task).

Could you just use the hasIpAddress() expression? We're doing that for what appears to be a similar case.
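The two approaches above, as an added example that is not code from either answer or from Spring Security itself: a pre-authentication filter that drops a ready-made Authentication into the SecurityContext for allow-listed peers, registered ahead of HTTP Basic so the DaoAuthenticationProvider is never consulted for them, with the hasIpAddress() shortcut shown in a comment. Assumptions: Spring Security 4.x/5.x Java config on javax.servlet, the class names, the CIDR ranges, the /report path, and that Dao-authenticated users carry ROLE_USER.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (not from the original answers): hypothetical names and ranges throughout.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed allow-list: one CIDR block and one single host.
    private static final List<String> TRUSTED_CIDRS = Arrays.asList("10.0.0.0/8", "192.168.1.25");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Run the whitelist filter before HTTP Basic so a trusted host is already
            // authenticated by the time the entry point would otherwise challenge it.
            .addFilterBefore(new IpWhitelistPreAuthFilter(TRUSTED_CIDRS), BasicAuthenticationFilter.class)
            .authorizeRequests()
                // Trusted hosts carry ROLE_TRUSTED_HOST from the filter; everyone else still
                // goes through the DaoAuthenticationProvider via HTTP Basic.
                .antMatchers("/report").hasAnyRole("TRUSTED_HOST", "USER")
                .anyRequest().authenticated()
                .and()
            .httpBasic();
        // Equivalent shortcut without the filter, as the second answer suggests:
        //   .antMatchers("/report").access("hasIpAddress('10.0.0.0/8') or hasRole('USER')")
        // hasIpAddress() also compares against request.getRemoteAddr(), so the proxy
        // caveat in the filter applies to it just the same.
    }

    static class IpWhitelistPreAuthFilter extends OncePerRequestFilter {
        private final List<IpAddressMatcher> allowed;
        private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

        IpWhitelistPreAuthFilter(List<String> cidrs) {
            // IpAddressMatcher accepts a single address or a CIDR range, IPv4 or IPv6.
            this.allowed = cidrs.stream().map(IpAddressMatcher::new).collect(Collectors.toList());
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication existing = SecurityContextHolder.getContext().getAuthentication();
            boolean unauthenticated = existing == null || trustResolver.isAnonymous(existing);
            // getRemoteAddr() is the TCP peer. Behind a reverse proxy it is the proxy's
            // address, not the client's, unless a forwarded-header filter that trusts only
            // that proxy has rewritten it earlier in the chain. Never read X-Forwarded-For
            // directly here: any client can set it.
            if (unauthenticated && isAllowed(request.getRemoteAddr())) {
                // The three-argument constructor marks the token as authenticated.
                PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(
                        "trusted-host:" + request.getRemoteAddr(), "N/A",
                        AuthorityUtils.createAuthorityList("ROLE_TRUSTED_HOST"));
                token.setDetails(new WebAuthenticationDetails(request));
                SecurityContextHolder.getContext().setAuthentication(token);
            }
            chain.doFilter(request, response);
        }

        boolean isAllowed(String remoteAddr) {
            return allowed.stream().anyMatch(m -> m.matches(remoteAddr));
        }
    }
}
```

Whichever form you pick, the trust you are granting is only as strong as the network path: a source address is cheap to spoof on an untrusted segment and is shared by everything behind the same NAT, so keep the allow-listed role narrower than an authenticated user's and keep the list to addresses you actually control.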