SEC-1580: WebAuthenticationDetails getRemoteAddress cannot return the real remote address when the server is behind a proxy #1820

Closed
spring-issuemaster opened this Issue Sep 29, 2010 · 1 comment


@spring-issuemaster

Jay Xu (Migrated from SEC-1580) said:

If the server is behind a proxy like Apache or nginx, when WebAuthenticationDetails.getRemoteAddress() is called, it returns the proxy address rather than the real address (stored in the HTTP request header with the name "x-forwarded-for"), which is useless.

If fixing the implementation of getRemoteAddress() is not necessary or is not that easy, what about exposing the HttpServletRequest object, which is a parameter of the constructor according to the Javadoc, through a getter?

@spring-issuemaster

Luke Taylor said:

This is entirely expected if you are running behind a proxy or firewall (without using AJP, for example), so it is definitely not a bug.

If you want to customize the behaviour you are free to do so by using a custom AuthenticationDetailsSource. That's what it's intended for. The "details" object can be anything you want. Either that or add a filter in your web.xml which creates an HttpServletRequestWrapper to replace the request and which overrides the getRemoteAddress() method to do what you want.

You should also be able to configure your container to address this, for example in Tomcat you would use the RemoteIpValve. That would be preferable to attempting to account for it at the application level.
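The following is an added example of the custom AuthenticationDetailsSource approach described in the reply above; it is not code from this thread or from Spring Security itself. It implements `AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails>` (the generic form of that interface in Spring Security 3.x) and returns a `WebAuthenticationDetails` subclass whose `getRemoteAddress()` reports the client address taken from `X-Forwarded-For`. The class names `ForwardedAddressDetailsSource` and `ForwardedWebAuthenticationDetails`, the `javax.servlet` package (the Servlet API of the era), and the trusted-proxy addresses are all assumptions. The important defensive detail is that the header is only honoured when the TCP peer is one of the configured proxies, and that the chain is walked from the right so that any entries a client prepends itself are ignored:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/**
 * Hypothetical AuthenticationDetailsSource that resolves the client address
 * through a trusted reverse proxy. Wire it into the authentication filter
 * (for example via setAuthenticationDetailsSource on the form-login filter).
 */
public class ForwardedAddressDetailsSource
        implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {

    // Addresses of the proxies that are allowed to set X-Forwarded-For.
    // Assumed deployment values; substitute the addresses of your own proxies.
    private final Set<String> trustedProxies;

    public ForwardedAddressDetailsSource(String... trustedProxies) {
        this.trustedProxies = new HashSet<String>(Arrays.asList(trustedProxies));
    }

    public WebAuthenticationDetails buildDetails(HttpServletRequest request) {
        return new ForwardedWebAuthenticationDetails(request, trustedProxies);
    }

    /**
     * Returns the address the nearest trusted proxy saw, or the raw peer
     * address when the request did not arrive through a trusted proxy.
     */
    static String resolveClientAddress(String peer, String forwardedFor, Set<String> trusted) {
        // A header sent directly by a client (no trusted proxy in front) is ignored.
        if (!trusted.contains(peer) || forwardedFor == null) {
            return peer;
        }
        String[] hops = forwardedFor.split(",");
        // Each proxy appends the address it saw, so the trustworthy entries sit
        // at the right end. Skip hops that are trusted proxies themselves; the
        // first remaining entry is what the outermost trusted proxy observed.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) {
                continue;
            }
            if (!trusted.contains(hop)) {
                return hop;
            }
        }
        return peer;
    }
}

/** Details object that overrides only the address the thread complains about. */
class ForwardedWebAuthenticationDetails extends WebAuthenticationDetails {

    private final String clientAddress;

    ForwardedWebAuthenticationDetails(HttpServletRequest request, Set<String> trusted) {
        super(request); // keeps the session id and the default behaviour otherwise
        this.clientAddress = ForwardedAddressDetailsSource.resolveClientAddress(
                request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), trusted);
    }

    @Override
    public String getRemoteAddress() {
        return clientAddress;
    }
}
```

With a trusted proxy at `10.0.0.1` and a header of `203.0.113.9, 10.0.0.1` (constructed sample values), `getRemoteAddress()` returns `203.0.113.9`; the same header arriving from an untrusted peer leaves the peer address untouched. As the reply notes, letting the container do this (Tomcat's RemoteIpValve rewrites `getRemoteAddr()` itself) avoids the application-level override entirely, and the stock WebAuthenticationDetails then works unchanged.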

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016