Re: X-Forwarded-For handling in method getRemoteAddr()
On Tue, Sep 25, 2012 at 2:10 AM, Benjamin Steinert
wrote:
> Hi everyone,
>
> I need you input regarding the Wicket WebClientInfo implementation of
> getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not
> change in release 6):
>
> ...
> String remoteAddr = request.getHeader("X-Forwarded-For");
> if (remoteAddr == null)
> {
> remoteAddr = req.getRemoteAddr();
> }
> else
> {
> if (remoteAddr.contains(","))
> {
> // we just want the client
> remoteAddr = remoteAddr.split(",")[0].trim();
> }
> }
> return remoteAddr;
>
> I am facing the problem that we get the String "unknown" set by some
> Proxy in the Forwarded-For field.
> According to the IETF draft this is in fact a valid value:
> http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6
>
> Now unfortunately the the simple null check prevents falling back to the
> Servlet request based getRemoteAddr which would be more helpful than
> having a String that is no IP Address.
how is an ip address of some proxy in your data center more useful? i
dont think an external proxy would set such a header
-igor
>
> I would suggest something like
> if (remoteAddr == null ||
> !InetAddressValidator.getInstance().isValid(remoteAddr))
> { ... }
>
> to ensure that the given value is an IP. What would you say? Bug,
> Feature or simply unnecessary? ;)
>
> Cheers
> Ben
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: X-Forwarded-For handling in method getRemoteAddr()
Hi,
Please file a ticket to improve this.
Thanks!
On Tue, Sep 25, 2012 at 12:10 PM, Benjamin Steinert
wrote:
> Hi everyone,
>
> I need you input regarding the Wicket WebClientInfo implementation of
> getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not
> change in release 6):
>
> ...
> String remoteAddr = request.getHeader("X-Forwarded-For");
> if (remoteAddr == null)
> {
> remoteAddr = req.getRemoteAddr();
> }
> else
> {
> if (remoteAddr.contains(","))
> {
> // we just want the client
> remoteAddr = remoteAddr.split(",")[0].trim();
> }
> }
> return remoteAddr;
>
> I am facing the problem that we get the String "unknown" set by some
> Proxy in the Forwarded-For field.
> According to the IETF draft this is in fact a valid value:
> http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6
>
> Now unfortunately the the simple null check prevents falling back to the
> Servlet request based getRemoteAddr which would be more helpful than
> having a String that is no IP Address.
>
> I would suggest something like
> if (remoteAddr == null ||
> !InetAddressValidator.getInstance().isValid(remoteAddr))
> { ... }
>
> to ensure that the given value is an IP. What would you say? Bug,
> Feature or simply unnecessary? ;)
>
> Cheers
> Ben
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
X-Forwarded-For handling in method getRemoteAddr()
Hi everyone,
I need you input regarding the Wicket WebClientInfo implementation of
getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not
change in release 6):
...
String remoteAddr = request.getHeader("X-Forwarded-For");
if (remoteAddr == null)
{
remoteAddr = req.getRemoteAddr();
}
else
{
if (remoteAddr.contains(","))
{
// we just want the client
remoteAddr = remoteAddr.split(",")[0].trim();
}
}
return remoteAddr;
I am facing the problem that we get the String "unknown" set by some
Proxy in the Forwarded-For field.
According to the IETF draft this is in fact a valid value:
http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6
Now unfortunately the the simple null check prevents falling back to the
Servlet request based getRemoteAddr which would be more helpful than
having a String that is no IP Address.
I would suggest something like
if (remoteAddr == null ||
!InetAddressValidator.getInstance().isValid(remoteAddr))
{ ... }
to ensure that the given value is an IP. What would you say? Bug,
Feature or simply unnecessary? ;)
Cheers
Ben
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
