Spring Security
SEC-1580

WebAuthenticationDetails getRemoteAddress cannot return the real remote address when the server is behind a proxy

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.1.0.M2
    • Component/s: Web
    • Labels:
      None
    • Environment:
      Glassfish 3 + nginx

      Description

      If the server is behind a proxy like Apache or nginx, when calling WebAuthenticationDetails.getRemoteAddress(), it returns the proxy address rather than the real address (stored in the HTTP request header named "x-forwarded-for"), which is useless.

      If fixing the implementation of getRemoteAddress() is not necessary or is somewhat not that easy, what about exposing the HttpServletRequest object, which is a parameter of the constructor according to the Javadoc, through a getter?

        Activity

        Luke Taylor added a comment - edited

        This is entirely expected if you are running behind a proxy or firewall (without using AJP, for example), so it is definitely not a bug.

        If you want to customize the behaviour you are free to do so by using a custom AuthenticationDetailsSource. That's what it's intended for. The "details" object can be anything you want. Either that or add a filter in your web.xml which creates an HttpServletRequestWrapper to replace the request and which overrides the getRemoteAddress() method to do what you want.

        You should also be able to configure your container to address this, for example in Tomcat you would use the RemoteIpValve. That would be preferable to attempting to account for it at the application level.

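One way to take the HttpServletRequestWrapper route from the comment above, as an added example that is not code from the Spring Security project or the commenter: a filter that rewrites getRemoteAddr() from X-Forwarded-For, but only when the direct peer is a known proxy, because otherwise the header is client-controlled and the recorded address could be forged. The filter class name, the trusted proxy addresses and its placement in web.xml ahead of the Spring Security filter chain are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter; map it in web.xml before springSecurityFilterChain. */
public class ForwardedAddressFilter implements Filter {

    // Constructed sample values: the addresses of the reverse proxies we trust.
    private static final Set<String> TRUSTED_PROXIES =
            new HashSet<String>(Arrays.asList("127.0.0.1", "10.0.0.5"));

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Honour X-Forwarded-For only when the TCP peer is one of our own proxies.
        if (TRUSTED_PROXIES.contains(http.getRemoteAddr())) {
            String client = resolveClientAddress(http.getHeader("X-Forwarded-For"), http.getRemoteAddr());
            chain.doFilter(new Wrapped(http, client), res);
        } else {
            chain.doFilter(req, res); // untrusted peer: keep the socket address as-is
        }
    }

    /** Walk the hop list from the right; the first hop that is not a trusted proxy is the client. */
    static String resolveClientAddress(String xff, String peer) {
        if (xff == null || xff.trim().isEmpty()) return peer;
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!TRUSTED_PROXIES.contains(hop)) return hop;
        }
        return peer; // every listed hop was a proxy; fall back to the direct peer
    }

    private static class Wrapped extends HttpServletRequestWrapper {
        private final String addr;
        Wrapped(HttpServletRequest r, String addr) { super(r); this.addr = addr; }
        @Override public String getRemoteAddr() { return addr; } // read by WebAuthenticationDetails
    }
}
```

Because WebAuthenticationDetails copies request.getRemoteAddr() in its constructor, the wrapped value is what ends up in the authentication details without any change to Spring Security itself.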

          People

          • Assignee: Luke Taylor
          • Reporter: Jay Xu
          • Votes: 0
          • Watchers: 0
