douquan1015 2017-02-02 09:30
Accepted

Unparse-able IP list in allow_if statement

I have the following security configuration:

security:

    # .....

    access_control:
        -
            path: ^/path/to/resource
            allow_if: "request.getClientIp() in %my.ips%"

parameters:
    my.ips:
        - '129.0.0.1'
        - '55.12.99.100'

Basically I want to allow/deny based on a list of IPs.

This list of IPs keeps changing/growing/shrinking based on some business rules and based on the environment (test, dev, prod etc.), which is why I HAVE TO write it like that in the allow_if rule. I can't just do something like ip=X or ip=Y or ip=Z or....

Now, this doesn't work. I get an error like:

A string value must be composed of strings and/or numbers, but found parameter "my.ips" of type array inside string value.

I tried all sorts of combinations e.g.:

allow_if: "request.getClientIp() in '%my.ips%'"

allow_if: "request.getClientIp() in ['%my.ips%']"

...

and I got the same error.

My suspicion is that this is parsed and interpreted using the Expression-Language component. Therefore, according to the syntax described here, I tried it like this as well:

allow_if: "request.getClientIp() in parameter('my.ips')"

But it again failed with the error:

The function "parameter" does not exist around position 26.

And now I'm kind of stuck. Is there some way I can make this work?

1 answer

  • douci1541 2017-02-03 09:38

    OK, so I wasn't able to make the expression parse/accept regular parameters, but I was able to work around it.

    Here's what I did:

    security:

        # .....

        access_control:
            -
                path: ^/path/to/resource
                ips: '%my.ips%'
                roles: ['ROLE_MY_ROLE']

            -
                path: ^/path/to/resource
                allow_if: 'false'

    parameters:
        my.ips:
            - '129.0.0.1'
            - '55.12.0.0/16'

    So the way this works is like this:

    • try to match the first access-control-entry.
    • check if I access the correct path when I have one of these IPs
    • if it's true, then check that I have one of these roles
    • if my path or my IP does not match, then go to the 2nd entry
    • if it's the same path, then deny access (since allow_if is always false)

    So this way the user is obligated to access that route ONLY IF he is coming from a specific IP AND he has one of the allowed roles.

    Something interesting that I discovered is that you can use subnets for the list of allowed IPs, which is really cool because it means you can add IP ranges in there as well. Maybe this should be added to the docs, since it's very useful (I'll make a PR on GitHub when I have time).

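The first-match evaluation the answer describes, as an added Python model of the two access_control entries (not code from the question, the answer or Symfony itself); it assumes first-match-wins ordering, CIDR-aware matching of the `ips` list, and treats the quoted `'false'` as a boolean. All function and constant names (`MY_IPS`, `ACCESS_CONTROL`, `ip_in_list`, `decide`) are mine.

```python
import ipaddress
import re

# The answer's parameter list: one single host and one /16 subnet.
MY_IPS = ["129.0.0.1", "55.12.0.0/16"]

# The answer's two access_control entries, in the order they are declared.
# (Model only: Symfony's real matcher has more options than these keys.)
ACCESS_CONTROL = [
    {"path": r"^/path/to/resource", "ips": MY_IPS, "roles": ["ROLE_MY_ROLE"]},
    {"path": r"^/path/to/resource", "allow_if": False},   # 'false' as a bool
]


def ip_in_list(client_ip, allowed):
    """True if client_ip equals an entry or lies inside a CIDR entry."""
    addr = ipaddress.ip_address(client_ip)
    for entry in allowed:
        # strict=False accepts host bits in a prefix; a bare IP becomes a /32.
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def decide(path, client_ip, user_roles):
    """Return 'allow', 'deny' or 'no-rule' for a request, first match wins."""
    for rule in ACCESS_CONTROL:
        if not re.match(rule["path"], path):
            continue
        # An entry with `ips` only matches when the client IP is listed;
        # otherwise evaluation falls through to the next entry.
        if "ips" in rule and not ip_in_list(client_ip, rule["ips"]):
            continue
        if "allow_if" in rule and rule["allow_if"] is False:
            return "deny"           # the catch-all second entry
        if "roles" in rule and not set(rule["roles"]) & set(user_roles):
            return "deny"           # matched by IP, but the role is missing
        return "allow"
    return "no-rule"                # nothing matched: firewall default applies
```

Without the second entry, a client outside `my.ips` would fall through to "no-rule" instead of being denied, which is exactly why the answer adds the always-false fallback for the same path.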
