Allow Spring Boot Endpoint to be called only from Internal Network

Posted on December 8, 2024 by Toma Velev

You can restrict a Spring Boot endpoint so that it can be called only from the internal network by using the built-in security support and configuring a filter that checks the IP address of incoming requests. Here are the steps:

Step 1: Add dependencies

In your pom.xml file (if you’re using Maven) or build.gradle file (if you’re using Gradle), add the following dependencies:

Maven:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Gradle:

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-security'
}

Step 2: Configure security

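In your application.properties file, add the following configuration. Note that management.endpoints.web.exposure.include=* exposes every Actuator endpoint over HTTP when Actuator is on the classpath, so narrow it to the endpoints you actually need: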

management.endpoints.web.exposure.include=*
spring.security.enabled=true

Step 3: Create a filter

Create a new Java class that implements Filter:

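import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class InternalNetworkFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // Address of the direct TCP peer (the proxy's address when the app runs behind one)
        String remoteIp = httpRequest.getRemoteAddr();

        if (!isInternalNetwork(remoteIp)) {
            // Reject callers outside the internal network instead of passing them down the chain
            ((HttpServletResponse) response).setStatus(401);
            return;
        }

        // Internal caller: continue with the rest of the filter chain
        chain.doFilter(request, response);
    }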

    private boolean isInternalNetwork(String remoteIp) {
        // Define your internal network IP range here
        String[] internalIps = {"192.168.1.", "10."};

        for (String ip : internalIps) {
            if (remoteIp.startsWith(ip)) {
                return true;
            }
        }

        return false;
    }
}

Step 4: Configure the filter

In your application.properties file, add the following configuration:

spring.security.filter-chain-order=0

This will ensure that the filter is executed before any other Spring Security filters.

Step 5: Add a security configuration

Create a new Java class that extends WebSecurityConfigurerAdapter:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The second argument must be a filter class whose position Spring Security knows
        http.addFilterBefore(new InternalNetworkFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}

This will add the InternalNetworkFilter to the filter chain.

Step 6: Test

Start your Spring Boot application and use a tool like Postman or cURL to send requests from both internal and external networks. The endpoint should only be accessible from the internal network.

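Your app will commonly run behind a load balancer or a reverse proxy such as nginx or Apache. In these cases request.getRemoteAddr() returns the proxy's address, and the client IP is passed in a header instead:

// Only meaningful if your proxy sets or overwrites this header; clients can send it too
String ip = request.getHeader("X-Forwarded-For");
if (ip != null && !isInternalNetwork(ip)) {
    // Reject when the forwarded client address is outside the internal network
    response.setStatus(401);
    return;
}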
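
X-Forwarded-For is an ordinary request header, so its value can only be trusted when the request actually arrived from a proxy you control, and then only the entry that proxy appended. The following is an added example, not code from the original post: the class `ClientIpResolver`, its method names and the proxy address `10.0.0.5` are assumptions, the ranges are the ones from the filter above written as CIDR blocks, and only IPv4 is handled (anything else is treated as external).

```java
import java.util.List;
import java.util.Set;

// Added example: class, method and constant names are hypothetical, not from the original post.
public class ClientIpResolver {
    // Assumption: the only reverse proxy allowed to set X-Forwarded-For (constructed address).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    // The internal ranges from the filter above, written as CIDR blocks.
    static final List<String> INTERNAL_CIDRS = List.of("192.168.1.0/24", "10.0.0.0/8");

    // Address to authorize: the TCP peer, or the hop recorded by a trusted proxy.
    static String resolve(String remoteAddr, String xForwardedFor) {
        if (xForwardedFor == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr; // header is client-controlled unless a trusted proxy relayed it
        }
        String[] hops = xForwardedFor.split(",");
        // Each proxy appends on the right, so walk right-to-left past our own proxies.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!TRUSTED_PROXIES.contains(hop)) return hop;
        }
        return remoteAddr;
    }
    // Strict dotted-quad parser: returns -1 for anything else and never does a DNS lookup.
    static long toLong(String ip) {
        if (ip == null || !ip.matches("\\d{1,3}(\\.\\d{1,3}){3}")) return -1;
        long value = 0;
        for (String part : ip.split("\\.")) {
            int octet = Integer.parseInt(part);
            if (octet > 255) return -1;
            value = (value << 8) | octet;
        }
        return value;
    }
    // CIDR match instead of String.startsWith, so malformed header values never pass.
    static boolean isInternal(String ip) {
        long addr = toLong(ip);
        for (String cidr : INTERNAL_CIDRS) {
            String[] parts = cidr.split("/");
            long mask = (0xFFFFFFFFL << (32 - Integer.parseInt(parts[1]))) & 0xFFFFFFFFL;
            if (addr >= 0 && (addr & mask) == (toLong(parts[0]) & mask)) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        // Constructed cases: spoofed header sent directly, spoofed entry relayed by the proxy, internal caller.
        System.out.println(isInternal(resolve("203.0.113.7", "10.1.2.3")));
        System.out.println(isInternal(resolve("10.0.0.5", "10.1.2.3, 203.0.113.7")));
        System.out.println(isInternal(resolve("10.0.0.5", "192.168.1.20")));
    }
}
```

In the filter, `resolve(httpRequest.getRemoteAddr(), httpRequest.getHeader("X-Forwarded-For"))` would replace the direct use of either value before the internal-range check.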

Note: This is a basic example and you may need to adjust it according to your specific requirements. Additionally, this approach assumes that the internal network IP range is known and can be configured in the filter.

I’ve got a small App to store a White List of IP addresses – to use across multiple apps: https://programtom.com/dev/product/application-level-ip-white-list-micro-service/
