Jay Xu (Migrated from SEC-1580) said:
If the server is behind a proxy like Apache or nginx, calling WebAuthenticationDetails.getRemoteAddress() returns the proxy address rather than the real address (stored in the HTTP request header named "x-forwarded-for"), which is useless.
If fixing the implementation of getRemoteAddress() is not necessary or is not that easy, what about exposing the HttpServletRequest object, which is a parameter of the constructor according to the Javadoc, through a getter?
Luke Taylor said:
This is entirely expected if you are running behind a proxy or firewall (without using AJP, for example), so it is definitely not a bug.
If you want to customize the behaviour you are free to do so by using a custom AuthenticationDetailsSource. That's what it's intended for. The "details" object can be anything you want. Either that or add a filter in your web.xml which creates an HttpServletRequestWrapper to replace the request and which overrides the getRemoteAddress() method to do what you want.
You should also be able to configure your container to address this; for example, in Tomcat you would use the RemoteIpValve. That would be preferable to attempting to account for it at the application level.