Re: X-Forwarded-For handling in method getRemoteAddr()
On Tue, Sep 25, 2012 at 2:10 AM, Benjamin Steinert wrote: > Hi everyone, > > I need you input regarding the Wicket WebClientInfo implementation of > getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not > change in release 6): > > ... > String remoteAddr = request.getHeader("X-Forwarded-For"); > if (remoteAddr == null) > { > remoteAddr = req.getRemoteAddr(); > } > else > { > if (remoteAddr.contains(",")) > { > // we just want the client > remoteAddr = remoteAddr.split(",")[0].trim(); > } > } > return remoteAddr; > > I am facing the problem that we get the String "unknown" set by some > Proxy in the Forwarded-For field. > According to the IETF draft this is in fact a valid value: > http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6 > > Now unfortunately the the simple null check prevents falling back to the > Servlet request based getRemoteAddr which would be more helpful than > having a String that is no IP Address. how is an ip address of some proxy in your data center more useful? i dont think an external proxy would set such a header -igor > > I would suggest something like > if (remoteAddr == null || > !InetAddressValidator.getInstance().isValid(remoteAddr)) > { ... } > > to ensure that the given value is an IP. What would you say? Bug, > Feature or simply unnecessary? ;) > > Cheers > Ben > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: X-Forwarded-For handling in method getRemoteAddr()
Hi, Please file a ticket to improve this. Thanks! On Tue, Sep 25, 2012 at 12:10 PM, Benjamin Steinert wrote: > Hi everyone, > > I need you input regarding the Wicket WebClientInfo implementation of > getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not > change in release 6): > > ... > String remoteAddr = request.getHeader("X-Forwarded-For"); > if (remoteAddr == null) > { > remoteAddr = req.getRemoteAddr(); > } > else > { > if (remoteAddr.contains(",")) > { > // we just want the client > remoteAddr = remoteAddr.split(",")[0].trim(); > } > } > return remoteAddr; > > I am facing the problem that we get the String "unknown" set by some > Proxy in the Forwarded-For field. > According to the IETF draft this is in fact a valid value: > http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6 > > Now unfortunately the the simple null check prevents falling back to the > Servlet request based getRemoteAddr which would be more helpful than > having a String that is no IP Address. > > I would suggest something like > if (remoteAddr == null || > !InetAddressValidator.getInstance().isValid(remoteAddr)) > { ... } > > to ensure that the given value is an IP. What would you say? Bug, > Feature or simply unnecessary? ;) > > Cheers > Ben > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > -- Martin Grigorov jWeekend Training, Consulting, Development http://jWeekend.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
X-Forwarded-For handling in method getRemoteAddr()
Hi everyone, I need you input regarding the Wicket WebClientInfo implementation of getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not change in release 6): ... String remoteAddr = request.getHeader("X-Forwarded-For"); if (remoteAddr == null) { remoteAddr = req.getRemoteAddr(); } else { if (remoteAddr.contains(",")) { // we just want the client remoteAddr = remoteAddr.split(",")[0].trim(); } } return remoteAddr; I am facing the problem that we get the String "unknown" set by some Proxy in the Forwarded-For field. According to the IETF draft this is in fact a valid value: http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6 Now unfortunately the the simple null check prevents falling back to the Servlet request based getRemoteAddr which would be more helpful than having a String that is no IP Address. I would suggest something like if (remoteAddr == null || !InetAddressValidator.getInstance().isValid(remoteAddr)) { ... } to ensure that the given value is an IP. What would you say? Bug, Feature or simply unnecessary? ;) Cheers Ben - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org