Package org.apache.wicket.protocol.http.servlet

Class SecuredRemoteAddressRequestWrapperFactory

java.lang.Object

org.apache.wicket.protocol.http.servlet.AbstractRequestWrapperFactory

org.apache.wicket.protocol.http.servlet.SecuredRemoteAddressRequestWrapperFactory

public class SecuredRemoteAddressRequestWrapperFactory
extends AbstractRequestWrapperFactory

Sets ServletRequest.isSecure() to true if ServletRequest.getRemoteAddr() matches one of the securedRemoteAddresses of this filter.

This filter is often used in combination with XForwardedRequestWrapperFactory to get the remote address of the client even if the request goes through load balancers (e.g. F5 Big IP, Nortel Alteon) or proxies (e.g. Apache mod_proxy_http)

Configuration parameters:

Configuration parameters

XForwardedFilter property	Description	Format	Default value
securedRemoteAddresses	IP addresses for which ServletRequest.isSecure() must return true	Comma delimited list of regular expressions (in the syntax supported by the Pattern library)	Class A, B and C private network IP address blocks : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}

Note : the default configuration is can usually be used as internal servers are often trusted.

Sample with secured remote addresses limited to 192.168.0.10 and 192.168.0.11

SecuredRemoteAddressFilter configuration sample :

 <filter>
    <filter-name>SecuredRemoteAddressFilter</filter-name>
    <filter-class>fr.xebia.servlet.filter.SecuredRemoteAddressFilter</filter-class>
    <init-param>
       <param-name>securedRemoteAddresses</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
    </init-param>
 </filter>
 
 <filter-mapping>
    <filter-name>SecuredRemoteAddressFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
 </filter-mapping>

A request with ServletRequest.getRemoteAddr() = 192.168.0.10 or 192.168.0.11 will be seen as ServletRequest.isSecure() == true even if ServletRequest.getScheme() == "http".

Author:

Cyrille Le Clerc, Juergen Donnerstag

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	SecuredRemoteAddressRequestWrapperFactory.Config

Constructor Summary

Constructors

Constructor	Description
SecuredRemoteAddressRequestWrapperFactory()	Construct.

Method Summary

Modifier and Type	Method	Description
SecuredRemoteAddressRequestWrapperFactory.Config	getConfig()
javax.servlet.http.HttpServletRequest	getWrapper(javax.servlet.http.HttpServletRequest request)	Wrap the given request.
void	init(javax.servlet.FilterConfig filterConfig)
boolean	needsWrapper(javax.servlet.http.HttpServletRequest request)
javax.servlet.http.HttpServletRequest	newRequestWrapper(javax.servlet.http.HttpServletRequest request)	If incoming remote address matches one of the declared IP pattern, wraps the incoming HttpServletRequest to override ServletRequest.isSecure() to set it to true.
void	setConfig(SecuredRemoteAddressRequestWrapperFactory.Config config)	The Wicket application might want to provide its own config

Methods inherited from class org.apache.wicket.protocol.http.servlet.AbstractRequestWrapperFactory

commaDelimitedListToPatternArray, commaDelimitedListToStringArray, isEnabled, listToCommaDelimitedString, matchesOne, setEnabled

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SecuredRemoteAddressRequestWrapperFactory

public SecuredRemoteAddressRequestWrapperFactory()

Construct.

Method Detail

getConfig

public final SecuredRemoteAddressRequestWrapperFactory.Config getConfig()

Returns:

SecuredRemoteAddress and XForwarded filter specific config

setConfig

public final void setConfig(SecuredRemoteAddressRequestWrapperFactory.Config config)

The Wicket application might want to provide its own config

Parameters:

config -

getWrapper

public javax.servlet.http.HttpServletRequest getWrapper(javax.servlet.http.HttpServletRequest request)

Description copied from class: AbstractRequestWrapperFactory

Wrap the given request.

Overrides:

getWrapper in class AbstractRequestWrapperFactory

Parameters:

request - request to wrap

Returns:

Either return the request itself, or if needed a wrapper for the request

needsWrapper

public boolean needsWrapper(javax.servlet.http.HttpServletRequest request)

Specified by:

needsWrapper in class AbstractRequestWrapperFactory

Returns:

True, if a wrapper is needed

newRequestWrapper

public javax.servlet.http.HttpServletRequest newRequestWrapper(javax.servlet.http.HttpServletRequest request)

If incoming remote address matches one of the declared IP pattern, wraps the incoming HttpServletRequest to override ServletRequest.isSecure() to set it to true.

Specified by:

newRequestWrapper in class AbstractRequestWrapperFactory

Returns:

Create a wrapper for the request

init

public void init(javax.servlet.FilterConfig filterConfig)

Parameters:

filterConfig -