[
https://issues.apache.org/jira/browse/WICKET-6440?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hendy Irawan updated WICKET-6440:
---------------------------------
Description:
I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is:
{noformat}
2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3]
ecuredRemoteAddressRequestWrapperFactory : Incoming request
uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia
with originalSecure='false', remoteAddr='127.0.0.1' will be seen with
newSecure='false'
{noformat}
Since remoteAddr is 127.* then it should be treated as secure, per
documentation.
This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: (i.e.
need to remove {{==false}})
{code:java}
@Override
public boolean needsWrapper(final HttpServletRequest request)
{
return !request.isSecure() &&
matchesOne(request.getRemoteAddr(),
config.securedRemoteAddresses) == false;
}
{code}
Additionally, newSecure = should be {{xRequest.isSecure()}} :
{code:java}
HttpServletRequest xRequest = super.getWrapper(request);
if (log.isDebugEnabled())
{
log.debug("Incoming request uri=" +
request.getRequestURI() + " with originalSecure='" +
request.isSecure() + "', remoteAddr='" +
request.getRemoteAddr() +
"' will be seen with newSecure='" +
request.isSecure() + "'");
}
{code}
Related to WICKET-3015.
Tag [~jdonnerstag] [~pete]
was:
I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is:
{noformat}
2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3]
ecuredRemoteAddressRequestWrapperFactory : Incoming request
uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia
with originalSecure='false', remoteAddr='127.0.0.1' will be seen with
newSecure='false'
{noformat}
Since remoteAddr is 127.* then it should be treated as secure, per
documentation.
This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: (i.e.
need to remove {{==false}})
{code:java}
@Override
public boolean needsWrapper(final HttpServletRequest request)
{
return !request.isSecure() &&
matchesOne(request.getRemoteAddr(),
config.securedRemoteAddresses) == false;
}
{code}
Related to WICKET-3015.
Tag [~jdonnerstag] [~pete]
> SecuredRemoteAddressRequestWrapperFactory doesn't make request secure
> ---------------------------------------------------------------------
>
> Key: WICKET-6440
> URL: https://issues.apache.org/jira/browse/WICKET-6440
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 7.8.0
> Reporter: Hendy Irawan
>
> I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is:
> {noformat}
> 2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3]
> ecuredRemoteAddressRequestWrapperFactory : Incoming request
> uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia
> with originalSecure='false', remoteAddr='127.0.0.1' will be seen with
> newSecure='false'
> {noformat}
> Since remoteAddr is 127.* then it should be treated as secure, per
> documentation.
> This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy:
> (i.e. need to remove {{==false}})
> {code:java}
> @Override
> public boolean needsWrapper(final HttpServletRequest request)
> {
> return !request.isSecure() &&
> matchesOne(request.getRemoteAddr(),
> config.securedRemoteAddresses) == false;
> }
> {code}
> Additionally, newSecure = should be {{xRequest.isSecure()}} :
> {code:java}
> HttpServletRequest xRequest = super.getWrapper(request);
> if (log.isDebugEnabled())
> {
> log.debug("Incoming request uri=" +
> request.getRequestURI() + " with originalSecure='" +
> request.isSecure() + "', remoteAddr='" +
> request.getRemoteAddr() +
> "' will be seen with newSecure='" +
> request.isSecure() + "'");
> }
> {code}
> Related to WICKET-3015.
> Tag [~jdonnerstag] [~pete]
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
