SEC-1580: WebAuthenticationDetails getRemoteAddress cannot return the real remote address when the server is behind a proxy #1820

spring-issuemaster opened this Issue Sep 29, 2010 · 1 comment


Jay Xu (Migrated from SEC-1580) said:

If the server is behind a proxy like Apache or nginx, calling WebAuthenticationDetails.getRemoteAddress() returns the proxy address rather than the real address (stored in the HTTP request header named "x-forwarded-for"), which is useless.

If fixing the implementation of getRemoteAddress() is not necessary or is somewhat not that easy, what about exposing the HttpServletRequest object, which is a parameter of the constructor according to the Javadoc, through a getter?

Luke Taylor said:

This is entirely expected if you are running behind a proxy or firewall (without using AJP, for example), so it is definitely not a bug.

If you want to customize the behaviour you are free to do so by using a custom AuthenticationDetailsSource. That's what it's intended for. The "details" object can be anything you want. Either that or add a filter in your web.xml which creates an HttpServletRequestWrapper to replace the request and which overrides the getRemoteAddress() method to do what you want.

You should also be able to configure your container to address this; for example, in Tomcat you would use the RemoteIpValve. That would be preferable to attempting to account for it at the application level.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016
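
The request-wrapper filter suggested in the reply above, as an added example that is not code from the issue or from Spring Security. The class name, the `javax.servlet` namespace and the proxy addresses are assumptions; the header is honoured only when the direct TCP peer is a known proxy, because any client can send its own `X-Forwarded-For`.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example (hypothetical class name). Register it in web.xml ahead of the
// Spring Security filter chain so WebAuthenticationDetails sees the wrapped request.
public class TrustedProxyRemoteAddrFilter implements Filter {

    // Assumption: addresses of your own reverse proxies (constructed sample values).
    private static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "10.0.0.5");

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Join repeated header lines so an extra client-supplied line cannot hide
        // the value appended by our proxy.
        String xff = String.join(",", Collections.list(http.getHeaders("X-Forwarded-For")));
        final String client = resolveClient(http.getRemoteAddr(), xff);
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteAddr() { return client; }
        }, res);
    }

    static String resolveClient(String peer, String forwardedFor) {
        // The header is client-controlled unless the TCP peer is one of our proxies.
        if (forwardedFor == null || !TRUSTED_PROXIES.contains(peer)) {
            return peer;
        }
        // Each proxy appends the address it saw, so walk right to left and
        // stop at the first hop that is not one of our proxies.
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return peer; // only trusted hops listed: fall back to the direct peer
    }
}
```

With the sample proxy set, a request from peer `10.0.0.5` carrying `X-Forwarded-For: 1.2.3.4, 198.51.100.7` resolves to `198.51.100.7`: the leftmost entry was supplied by the client and is ignored.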