Handling hasIpAddress Issues in Spring Boot Security on Azure: Custom AuthorizationManager Solution

Описание: Learn how to fix Spring Boot security errors caused by Azure appending port numbers to IP addresses by creating a custom AuthorizationManager to safely parse remote IPs.
---
This video is based on the question https://stackoverflow.com/q/79464194/ asked by the user 'Jacob B.' ( https://stackoverflow.com/u/5692133/ ) and on the answer https://stackoverflow.com/a/79467118/ provided by the user 'Jacob B.' ( https://stackoverflow.com/u/5692133/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.

Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Spring Boot deployement fails to parse IP address

Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.

If anything seems off to you, please feel free to drop me a comment under this video.
---
Problem: Spring Boot Security Fails When Azure Appends Ports to IP Addresses

Spring Boot's hasIpAddress() method in security expressions expects a pure IP address without a port number. However, when deploying on Azure, the remote IP address received by your application may include a port appended (e.g., 123.456.0.1:12345). This causes Spring Security to throw a parsing error:

[[See Video to Reveal this Text or Code Snippet]]

This happens because IpAddressMatcher cannot handle IP addresses with port numbers.

Why Does This Happen?

Locally, IP addresses come without ports, so hasIpAddress() works fine.

Azure injects port information into the getRemoteAddr() call, which leads to parsing failures in Spring Security.

Why Not Use hasIpAddress() Directly?

The method does not support the port portion; it only accepts valid IPs or CIDR blocks. Since you cannot easily control how Azure formats the IP string, you must handle this manually.

The Solution: Implement a Custom AuthorizationManager

Create a custom authorization check that safely extracts the IP address from getRemoteAddr() by stripping out the port if present. Then compare the IP against your whitelist.

Key Points of the Custom Manager

Access the remote address using context.getRequest().getRemoteAddr().

Detect if a port is included by counting colons (:).

If a single colon exists, assume it's [ip]:[port] and extract only the IP part.

Check the cleaned IP against your list of allowed IP addresses.

Return an AuthorizationDecision accordingly.

Sample Custom Authorization Manager Implementation

[[See Video to Reveal this Text or Code Snippet]]

Benefits of This Approach

Works reliably when Azure appends port numbers to IPs.

Avoids exceptions from the default IpAddressMatcher.

Provides fine-grained control over allowed IP access.

Summary

To handle Spring Boot security IP filtering on Azure deployments correctly:

Don't rely on hasIpAddress() directly if Azure modifies IPs with ports.

Implement a custom AuthorizationManager that parses out ports and compares clean IPs against your whitelist.

This approach ensures your IP-based access control works consistently both locally and on Azure.