From 826fc645496df7946679775f46a486d4c0a311aa Mon Sep 17 00:00:00 2001
From: clzola
Date: Mon, 10 Mar 2025 15:44:55 +0100
Subject: [PATCH] Sets correct remote address in WebAuthenticationDetails

Signed-off-by: clzola
---
 .../WebAuthenticationDetails.java | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java b/web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java
index 9d038cc9e0..67d92a4639 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java
@@ -29,6 +29,7 @@
  *
  * @author Ben Alex
  * @author Luke Taylor
+ * @author Lazar Radinović
  */
 public class WebAuthenticationDetails implements Serializable {
 
@@ -44,7 +45,7 @@ public class WebAuthenticationDetails implements Serializable {
 	 * @param request that the authentication request was received from
 	 */
 	public WebAuthenticationDetails(HttpServletRequest request) {
-		this(request.getRemoteAddr(), extractSessionId(request));
+		this(getClientIp(request), extractSessionId(request));
 	}
 
 	/**
@@ -58,6 +59,20 @@ public WebAuthenticationDetails(String remoteAddress, String sessionId) {
 		this.sessionId = sessionId;
 	}
 
+	private static String getClientIp(HttpServletRequest request) {
+		String ip = request.getHeader("X-Forwarded-For");
+		if (ip != null && !ip.isBlank()) {
+			// Take the first IP (original client)
+			return ip.split(",")[0].trim();
+		}
+
+		// Alternative proxy header
+		ip = request.getHeader("X-Real-IP");
+
+		// Fallback to direct client ip
+		return (ip != null && !ip.isBlank()) ? ip : request.getRemoteAddr();
+	}
+
 	private static String extractSessionId(HttpServletRequest request) {
 		HttpSession session = request.getSession(false);
 		return (session != null) ? session.getId() : null;
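Review bot: `getClientIp` in the third hunk trusts `X-Forwarded-For` and `X-Real-IP` on every request, so any client can choose the remote address that ends up in `WebAuthenticationDetails` and in whatever consumes it (audit logs, IP-based lockout or risk checks), whereas the previous `request.getRemoteAddr()` reflected the actual peer. Taking `split(",")[0]` compounds this, because the leftmost element is the one a client prepends and is therefore the least trustworthy hop, and nothing validates that the value is an address at all, so arbitrary header text can flow into logs. Deciding which proxies may assert a client address is deployment configuration that belongs at the container level (e.g. Tomcat's RemoteIpValve/RemoteIpFilter with its trusted-proxy settings), after which `getRemoteAddr()` already returns the resolved client; I would keep `this(request.getRemoteAddr(), extractSessionId(request));` in the second hunk and drop the helper. If the helper is kept, it should consult these headers only when the direct peer is in a configured trusted-proxy list, and it needs a Javadoc stating that the returned value is client-asserted rather than observed.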