Secure header authentication with IP whitelist

[piotrp]

Hader authentication was added in #724.

To make it secure in internal networks that aren't fully locked down it should work only when directly connecting client is coming from a whitelisted IP address.

[tchiotludo]

Just a thinking, maybe late ;)
You can achieve this with that : https://micronaut-projects.github.io/micronaut-security/latest/guide/#ipPattern
In case you are behind a reverse proxy, you never want that the instance is available for other ip that the loadbalancer

[piotrp]

Then this will boil down to properly documenting that this option is available. I will try to integrate this into my environment and see how it works.

[tchiotludo]

@piotrp thanks for trying ;)

[piotrp]

I will add custom ip-pattern property anyway, with implementation based on Micronaut's - thanks for the link. The use case I want to cover is a setup with two access routes to AKHQ:

1. Official via proxy, with header authentication (currently it uses LDAP). But in this case header authentication should be trusted only when coming from proxy's IP pool.
2. Direct access with a few predefined accounts (basic auth), used for emergencies when corporate SSO can't be accessed by users.