How to get client ip address during login

felix-office · May 13, 2024, 11:37am

Hey,

we’re trying to log the clients ip address during login. Login is done by Spring Security with a custom authentication provider:

@Bean
    public AuthenticationProvider authenticationProvider() {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                String username = authentication.getName();
                String password = authentication.getCredentials().toString();

                return securityService.login(username, password);
            }

            @Override
            public boolean supports(Class<?> clazz) {
                return clazz.equals(UsernamePasswordAuthenticationToken.class);
            }
        };
    }

Login method of SecurityService:

public UsernamePasswordAuthenticationToken login(String username, String password) throws AuthenticationException {
        String address = VaadinSession.getCurrent().getBrowser().getAddress();
        ...
}

Somehow during login the VaadinSession is null

13:32:25 ERROR (system) org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
java.lang.NullPointerException: Cannot invoke "com.vaadin.flow.server.VaadinSession.getBrowser()" because the return value of "com.vaadin.flow.server.VaadinSession.getCurrent()" is null
	at SecurityService.login(SecurityService.java:74) ~[classes/:?]
	at SecurityConfiguration$1.authenticate(SecurityConfiguration.java:89) ~[classes/:?]

We’re on Vaadin 24.3.11 with Spring Boot Parent 3.2.4.

Thanks for your help
Felix

Tatu2 · May 13, 2024, 12:13pm

SpringSecurity is practically a fancy WebFilter with API specifically built for authentication purposes. It catches the HttpRequest before it is let to be processed by Vaadin. So it is a gate keeper. When user has not logged in yet, no request has been passed to VaadinSession. Hence it does not exist yet. VaadinSession is established when first authenticated request is passed by SpringSecurity. So that is the reason why it is null. This is perfectly as expected.

ollit.1 · May 13, 2024, 12:15pm

You could check if this works for you: session - How to find users' IPs in Spring Security? - Stack Overflow

felix-office · May 13, 2024, 4:49pm

Thanks to both of you. Makes sense @Tatu2 and the solution provided works @ollit.1!