Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add hasIpAddress Migration Steps 

Closes gh-13474
This commit is contained in:
Josh Cummings 2023-07-10 13:35:16 -06:00
parent 80a5028f3f
commit 8895a66a2b
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
docs/modules/ROOT/pages/migration/servlet/authorization.adoc
View File

@ -1090,6 +1090,59 @@ Xml::
---- ----
====== ======
=== Migrate `hasIpAddress` to `access(AuthorizationManager)`
`hasIpAddress` has no DSL equivalent in `authorizeHttpRequests`.
As such, you need to change any called to `hasIpAddress` to using an `AuthorizationManager`.
First, construct an `IpAddressMatcher` like so:
====
.Java
[source,java,role="primary"]
----
IpAddressMatcher hasIpAddress = new IpAddressMatcher("127.0.0.1");
----
====
And then change from this:
====
.Java
[source,java,role="primary"]
----
http
.authorizeRequests((authorize) -> authorize
.mvcMatchers("/app/**").hasIpAddress("127.0.0.1")
// ...
.anyRequest().denyAll()
)
// ...
----
====
to this:
====
.Java
[source,java,role="primary"]
----
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/app/**").access((authentication, context) ->
new AuthorizationDecision(hasIpAddress.matches(context.getRequest()))
// ...
.anyRequest().denyAll()
)
// ...
----
====
[NOTE]
Securing by IP Address is quite fragile to begin with.
For that reason, there are no plans to port this support over to `authorizeHttpRequests`.
=== Migrate SpEL expressions to `AuthorizationManager` === Migrate SpEL expressions to `AuthorizationManager`
For authorization rules, Java tends to be easier to test and maintain than SpEL. For authorization rules, Java tends to be easier to test and maintain than SpEL.