Hendy Irawan created WICKET-6440: ------------------------------------ Summary: SecuredRemoteAddressRequestWrapperFactory doesn't make request secure Key: WICKET-6440 URL: https://issues.apache.org/jira/browse/WICKET-6440 Project: Wicket Issue Type: Bug Components: wicket Affects Versions: 7.8.0 Reporter: Hendy Irawan
I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is: {noformat} 2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3] ecuredRemoteAddressRequestWrapperFactory : Incoming request uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia with originalSecure='false', remoteAddr='127.0.0.1' will be seen with newSecure='false' {noformat} Since remoteAddr is 127.* then it should be treated as secure, per documentation. This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: (i.e. need to remove {{==false}}) {code:java} @Override public boolean needsWrapper(final HttpServletRequest request) { return !request.isSecure() && matchesOne(request.getRemoteAddr(), config.securedRemoteAddresses) == false; } {code} Related to WICKET-3015. Tag [~jdonnerstag] [~pete] -- This message was sent by Atlassian JIRA (v6.4.14#64029)