[jira] [Commented] (WICKET-6440) SecuredRemoteAddressRequestWrapperFactory doesn't make request secure

Mon, 04 Sep 2017 14:34:26 -0700 

    [ 
https://issues.apache.org/jira/browse/WICKET-6440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16152953#comment-16152953
 ] 

ASF subversion and git services commented on WICKET-6440:
---------------------------------------------------------

Commit 18a1c2f9ea793a6707b30644f14a63a5edafcbc4 in wicket's branch 
refs/heads/wicket-7.x from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=18a1c2f ]

WICKET-6440 SecuredRemoteAddressRequestWrapperFactory doesn't make request 
secure

Use the wrapped request in the logging of the new secure state


> SecuredRemoteAddressRequestWrapperFactory doesn't make request secure
> ---------------------------------------------------------------------
>
>                 Key: WICKET-6440
>                 URL: https://issues.apache.org/jira/browse/WICKET-6440
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 7.8.0
>            Reporter: Hendy Irawan
>            Priority: Minor
>
> I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is:
> {noformat}
> 2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3] 
> ecuredRemoteAddressRequestWrapperFactory : Incoming request 
> uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia
>  with originalSecure='false', remoteAddr='127.0.0.1' will be seen with 
> newSecure='false'
> {noformat}
> Since remoteAddr is 127.* then it should be treated as secure, per 
> documentation.
> This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: 
> (i.e. need to remove {{==false}})
> {code:java}
>       @Override
>       public boolean needsWrapper(final HttpServletRequest request)
>       {
>               return !request.isSecure() &&
>                       matchesOne(request.getRemoteAddr(), 
> config.securedRemoteAddresses) == false;
>       }
> {code}
> Additionally, newSecure = should be {{xRequest.isSecure()}} :
> {code:java}
>               HttpServletRequest xRequest = super.getWrapper(request);
>               if (log.isDebugEnabled())
>               {
>                       log.debug("Incoming request uri=" + 
> request.getRequestURI() + " with originalSecure='" +
>                               request.isSecure() + "', remoteAddr='" + 
> request.getRemoteAddr() +
>                               "' will be seen with newSecure='" + 
> request.isSecure() + "'");
>               }
> {code}
> Related to WICKET-3015.
> Tag [~jdonnerstag] [~pete]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to