I can't get ipRestrictions to work via springsecurity. I'm working with a bare app to try and isolate the issue with Grails 3.3.10 and spring-security-core 3.2.0.
Eventually I want to restrict access to a web service to a limited subnet. But in an attempt to get this to work I'm just trying to find any case that will get rejected.
I'm working with a stock create-app application but I've added the following to build.gradle to pull in spring-security:
compile 'org.grails.plugins:spring-security-core:3.2.0'
My application.groovy to configure this is:
grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
grails.plugin.springsecurity.ipRestrictions = [
    [pattern: '/**', access: '172.16.0.1']
]
I'm expecting to see something like a 401 Unauthorized or 403 Forbidden.
IP Address Restrictions don't apply to requests coming from localhost. This is to "help" local development but subsequently makes testing your restrictions more difficult. There is a confusingly worded note at the bottom of section 18 of the docs that should start "All patterns can always be accessed from localhost regardless of IP address":
All addresses can always be accessed from localhost regardless of IP pattern, primarily to support local development mode.
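
The behaviour described in this answer, as an added Python model that is not part of the original post and is not the plugin's code: it runs the question's rule against loopback and non-loopback clients, and goes one step further to the subnet case the asker is ultimately after. The function names, the first-match rule order, the simplified Ant-pattern translation and the CIDR form of `access` are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed copy of the rule from the question: (URL pattern, allowed address).
IP_RESTRICTIONS = [("/**", "172.16.0.1")]

# Assumption: "localhost" means the canonical IPv4 and IPv6 loopback addresses.
LOOPBACKS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

def ant_to_regex(pattern):
    """Translate a simple Ant-style pattern ('**', '*', '?') into a regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")      # trailing /** also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def is_allowed(remote_addr, path, rules=IP_RESTRICTIONS):
    """Model the decision order: loopback bypass first, then the URL rules."""
    addr = ipaddress.ip_address(remote_addr)
    if addr in LOOPBACKS:
        return True                   # localhost is never rejected
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            # Simplification: the first rule whose pattern matches decides.
            allowed = [access] if isinstance(access, str) else access
            return any(addr in ipaddress.ip_network(a, strict=False)
                       for a in allowed)
    return True                       # no rule covers this path

if __name__ == "__main__":
    # Constructed client addresses: two loopback, one outsider, the allowed host.
    for client in ("127.0.0.1", "::1", "192.168.1.50", "172.16.0.1"):
        print(client, "->", "allowed" if is_allowed(client, "/") else "rejected")
```

To see the rejection in the real application, the request has to arrive with a non-loopback source address, for example from another host on the network.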