[ https://issues.apache.org/jira/browse/WICKET-6440?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hendy Irawan updated WICKET-6440: --------------------------------- Description: I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is: {noformat} 2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3] ecuredRemoteAddressRequestWrapperFactory : Incoming request uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia with originalSecure='false', remoteAddr='127.0.0.1' will be seen with newSecure='false' {noformat} Since remoteAddr is 127.* then it should be treated as secure, per documentation. This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: (i.e. need to remove {{==false}}) {code:java} @Override public boolean needsWrapper(final HttpServletRequest request) { return !request.isSecure() && matchesOne(request.getRemoteAddr(), config.securedRemoteAddresses) == false; } {code} Additionally, newSecure = should be {{xRequest.isSecure()}} : {code:java} HttpServletRequest xRequest = super.getWrapper(request); if (log.isDebugEnabled()) { log.debug("Incoming request uri=" + request.getRequestURI() + " with originalSecure='" + request.isSecure() + "', remoteAddr='" + request.getRemoteAddr() + "' will be seen with newSecure='" + request.isSecure() + "'"); } {code} Related to WICKET-3015. Tag [~jdonnerstag] [~pete] was: I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is: {noformat} 2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3] ecuredRemoteAddressRequestWrapperFactory : Incoming request uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia with originalSecure='false', remoteAddr='127.0.0.1' will be seen with newSecure='false' {noformat} Since remoteAddr is 127.* then it should be treated as secure, per documentation. This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: (i.e. need to remove {{==false}}) {code:java} @Override public boolean needsWrapper(final HttpServletRequest request) { return !request.isSecure() && matchesOne(request.getRemoteAddr(), config.securedRemoteAddresses) == false; } {code} Related to WICKET-3015. Tag [~jdonnerstag] [~pete] > SecuredRemoteAddressRequestWrapperFactory doesn't make request secure > --------------------------------------------------------------------- > > Key: WICKET-6440 > URL: https://issues.apache.org/jira/browse/WICKET-6440 > Project: Wicket > Issue Type: Bug > Components: wicket > Affects Versions: 7.8.0 > Reporter: Hendy Irawan > > I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is: > {noformat} > 2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3] > ecuredRemoteAddressRequestWrapperFactory : Incoming request > uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia > with originalSecure='false', remoteAddr='127.0.0.1' will be seen with > newSecure='false' > {noformat} > Since remoteAddr is 127.* then it should be treated as secure, per > documentation. > This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: > (i.e. need to remove {{==false}}) > {code:java} > @Override > public boolean needsWrapper(final HttpServletRequest request) > { > return !request.isSecure() && > matchesOne(request.getRemoteAddr(), > config.securedRemoteAddresses) == false; > } > {code} > Additionally, newSecure = should be {{xRequest.isSecure()}} : > {code:java} > HttpServletRequest xRequest = super.getWrapper(request); > if (log.isDebugEnabled()) > { > log.debug("Incoming request uri=" + > request.getRequestURI() + " with originalSecure='" + > request.isSecure() + "', remoteAddr='" + > request.getRemoteAddr() + > "' will be seen with newSecure='" + > request.isSecure() + "'"); > } > {code} > Related to WICKET-3015. > Tag [~jdonnerstag] [~pete] -- This message was sent by Atlassian JIRA (v6.4.14#64029)