Class SecuredRemoteAddressRequestWrapperFactory

  • public class SecuredRemoteAddressRequestWrapperFactory
    extends AbstractRequestWrapperFactory
    Sets ServletRequest.isSecure() to true if ServletRequest.getRemoteAddr() matches one of the securedRemoteAddresses of this filter.

    This filter is often used in combination with XForwardedRequestWrapperFactory to get the remote address of the client even if the request goes through load balancers (e.g. F5 Big IP, Nortel Alteon) or proxies (e.g. Apache mod_proxy_http)

    Configuration parameters:

    Configuration parameters
    XForwardedFilter property Description Format Default value
    securedRemoteAddresses IP addresses for which ServletRequest.isSecure() must return true Comma delimited list of regular expressions (in the syntax supported by the Pattern library) Class A, B and C private network IP address blocks : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
    Note : the default configuration is can usually be used as internal servers are often trusted.

    Sample with secured remote addresses limited to and

    SecuredRemoteAddressFilter configuration sample :

           <param-name>securedRemoteAddresses</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>

    A request with ServletRequest.getRemoteAddr() = or will be seen as ServletRequest.isSecure() == true even if ServletRequest.getScheme() == "http".

    Cyrille Le Clerc, Juergen Donnerstag