From 8895a66a2b8820cbc2fc39dfa9c2573a201aaa4f Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Mon, 10 Jul 2023 13:35:16 -0600 Subject: [PATCH] Add hasIpAddress Migration Steps Closes gh-13474 --- .../migration/servlet/authorization.adoc | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/docs/modules/ROOT/pages/migration/servlet/authorization.adoc b/docs/modules/ROOT/pages/migration/servlet/authorization.adoc index 142ac19541..ac3a3774b5 100644 --- a/docs/modules/ROOT/pages/migration/servlet/authorization.adoc +++ b/docs/modules/ROOT/pages/migration/servlet/authorization.adoc @@ -1090,6 +1090,59 @@ Xml:: ---- ====== +=== Migrate `hasIpAddress` to `access(AuthorizationManager)` + +`hasIpAddress` has no DSL equivalent in `authorizeHttpRequests`. + +As such, you need to change any called to `hasIpAddress` to using an `AuthorizationManager`. + +First, construct an `IpAddressMatcher` like so: + +==== +.Java +[source,java,role="primary"] +---- +IpAddressMatcher hasIpAddress = new IpAddressMatcher("127.0.0.1"); +---- +==== + +And then change from this: + +==== +.Java +[source,java,role="primary"] +---- +http + .authorizeRequests((authorize) -> authorize + .mvcMatchers("/app/**").hasIpAddress("127.0.0.1") + // ... + .anyRequest().denyAll() + ) + // ... +---- +==== + +to this: + +==== +.Java +[source,java,role="primary"] +---- +http + .authorizeHttpRequests((authorize) -> authorize + .requestMatchers("/app/**").access((authentication, context) -> + new AuthorizationDecision(hasIpAddress.matches(context.getRequest())) + // ... + .anyRequest().denyAll() + ) + // ... +---- +==== + +[NOTE] +Securing by IP Address is quite fragile to begin with. +For that reason, there are no plans to port this support over to `authorizeHttpRequests`. + === Migrate SpEL expressions to `AuthorizationManager` For authorization rules, Java tends to be easier to test and maintain than SpEL.