I have the following security configuration:
    security:
        # .....
        access_control:
            -
                path: ^/path/to/resource
                allow_if: "request.getClientIp() in %my.ips%"

    parameters:
        my.ips:
            - '129.0.0.1'
            - '55.12.99.100'
Basically I want to allow/deny based on a list of IPs.
This list of IPs keeps changing/growing/shrinking based on some business rules and based on the environment (test, dev, prod etc.). Which is why I HAVE TO write it like that in the allow_if rule. I can't just do something like ip=X or ip=Y or ip=Z or...
Now, this doesn't work. I get an error like:
    A string value must be composed of strings and/or numbers, but found parameter "my.ips" of type array inside string value.
I tried all sorts of combinations e.g.:
    allow_if: "request.getClientIp() in '%my.ips%'"
    allow_if: "request.getClientIp() in ['%my.ips%']"
    ...
and I got the same error.
My suspicion is that this is parsed and interpreted using the Expression-Language component. Therefore, according to the syntax described here, I tried it like this as well:
    allow_if: "request.getClientIp() in parameter('my.ips')"
But it again failed with the error:
    The function "parameter" does not exist around position 26.
And now I'm kind of stuck. Is there some way I can make this work?