Sets
ServletRequest#isSecure() to
true
if
ServletRequest#getRemoteAddr() matches one of the
securedRemoteAddresses
of
this filter.
This filter is often used in combination with
XForwardedRequestWrapperFactory to get the
remote address of the client even if the request goes through load balancers (e.g. F5 Big IP,
Nortel Alteon) or proxies (e.g. Apache mod_proxy_http)
Configuration parameters:
XForwardedFilter property |
Description |
Format |
Default value |
securedRemoteAddresses |
IP addresses for which
ServletRequest#isSecure() must return true |
Comma delimited list of regular expressions (in the syntax supported by the
java.util.regex.Pattern library) |
Class A, B and C private network IP
address blocks : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3},
127\.\d{1,3}\.\d{1,3}\.\d{1,3} |
Note : the default configuration is can usually be used as internal servers are often trusted.
Sample with secured remote addresses limited to 192.168.0.10 and 192.168.0.11
SecuredRemoteAddressFilter configuration sample :
<filter>
<filter-name>SecuredRemoteAddressFilter</filter-name>
<filter-class>fr.xebia.servlet.filter.SecuredRemoteAddressFilter</filter-class>
<init-param>
<param-name>securedRemoteAddresses</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SecuredRemoteAddressFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
A request with
ServletRequest#getRemoteAddr() = 192.168.0.10 or 192.168.0.11
will be seen as
ServletRequest#isSecure() == true
even if
HttpServletRequest#getScheme() == "http"
.