Java: associating AuthenticationFailureBadCredentialsEvent with the remote address when an XFF header is present
Tags: java, spring, kotlin, spring-security, x-forwarded-for

So I wrote this:
import javax.inject.Inject
import org.springframework.context.ApplicationListener
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent
import org.springframework.security.web.authentication.WebAuthenticationDetails
import org.springframework.stereotype.Component

@Component
class AuthenticationFailureListener : ApplicationListener<AuthenticationFailureBadCredentialsEvent> {
    private val bruteForceProtection: BruteForceProtection

    @Inject
    constructor(bruteForceProtection: BruteForceProtection) {
        this.bruteForceProtection = bruteForceProtection
    }

    override fun onApplicationEvent(event: AuthenticationFailureBadCredentialsEvent) {
        // details is only a WebAuthenticationDetails for authentications that came in over HTTP;
        // ignore anything else instead of failing with a ClassCastException
        val webDetails = event.authentication.details as? WebAuthenticationDetails ?: return
        val remoteAddress = webDetails.remoteAddress
        bruteForceProtection.recordFailedAttempt(remoteAddress)
    }
}
Then I realized that I don't know whether Spring takes the X-Forwarded-For header into account when it sets the remote address in the security context.

Does it?

Or, how else can I correlate the AuthenticationFailureBadCredentialsEvent with the remote address it came from?

Source (the Spring Security reference, "Proxy Server Configuration"):
When using a proxy server, it is important to ensure that you have configured your application properly. For example, many applications will have a load balancer that responds to requests for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080. Without proper configuration, the application server will not know that the load balancer exists and will treat the request as though https://192.168.1:8080 was requested by the client. To fix this you can use RFC 7239 to specify that a load balancer is being used. To make the application aware of this, you need to configure your application server to be aware of the X-Forwarded headers. For example, Tomcat uses the RemoteIpValve and Jetty uses the ForwardedRequestCustomizer. Alternatively, Spring 4.3+ users can leverage the ForwardedHeaderFilter.

Spring Framework and Spring Security themselves do no special handling of X-Forwarded* headers.
So we have these options for applying that information:
- expose the ForwardedHeaderFilter
- configure the server

As of the 5.1.7 release, ForwardedHeaderFilter does not

So the remaining option is to configure the server.

Since you are using Tomcat, you can set the server.tomcat.remote-ip-header property so that the header is taken into account.
See also WebAuthenticationDetails.java:

    public WebAuthenticationDetails(HttpServletRequest request) {
        // the address the servlet container reports; with RemoteIpValve active this is
        // already the value derived from X-Forwarded-For
        this.remoteAddress = request.getRemoteAddr();
        HttpSession session = request.getSession(false);
        this.sessionId = (session != null) ? session.getId() : null;
    }

Here is a simple test:

application.yml:

    server:
      tomcat:
        remote-ip-header: X-Forwarded-For

IpController.kt:

    import javax.servlet.http.HttpServletRequest
    import org.springframework.web.bind.annotation.GetMapping
    import org.springframework.web.bind.annotation.RestController

    @RestController
    class IpController {
        // echoes whatever the container reports as the remote address
        @GetMapping("/ip")
        fun getIp(request: HttpServletRequest) = mapOf("ip" to request.remoteAddr)
    }

which will then return the IP address taken from the X-Forwarded-For header.

IpControllerTest.kt:

    import org.junit.jupiter.api.Assertions.assertEquals
    import org.junit.jupiter.api.Test
    import org.springframework.beans.factory.annotation.Autowired
    import org.springframework.boot.test.context.SpringBootTest
    import org.springframework.boot.test.web.client.TestRestTemplate
    import org.springframework.boot.test.web.client.exchange
    import org.springframework.http.HttpEntity
    import org.springframework.http.HttpHeaders
    import org.springframework.http.HttpMethod

    @SpringBootTest(properties = ["server.tomcat.remote-ip-header=X-Forwarded-For"],
        webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
    class IpControllerTest {
        @Autowired
        private lateinit var testRestTemplate: TestRestTemplate

        @Test
        fun `uses ip from x-forwarded-for`() {
            val httpHeaders = HttpHeaders()
            httpHeaders["X-Forwarded-For"] = "8.8.8.8"
            val httpEntity = HttpEntity<Any>(httpHeaders)
            val map = testRestTemplate.exchange<Map<String, *>>("/ip", HttpMethod.GET, httpEntity)
                .body!!
            assertEquals("8.8.8.8", map["ip"])
        }
    }
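The answer's test passes only because the TestRestTemplate connects from 127.0.0.1, which RemoteIpValve's default internalProxies setting treats as a proxy whose X-Forwarded-For header may be believed. That trust decision is exactly what a brute-force counter keyed on getRemoteAddr() stands or falls on: if the application server is reachable directly, or internal-proxies is widened to match everything, an attacker can pick the address every failed login is attributed to. The following is an added example, not code from the question, the answer, Tomcat or Spring: a stand-alone Python model of the valve's documented resolution algorithm (consult the header only when the TCP peer is an internal proxy, walk the chain right to left, skip internal and trusted proxies, take the first other address), applied to constructed failed-login requests so the attribution under a correct and under a trust-everything configuration can be compared. The addresses, the load balancer at 10.0.0.6 and the attacker at 198.51.100.9 are all made up for the scenario.

```python
"""Model of how Tomcat's RemoteIpValve (server.tomcat.remote-ip-header) derives
request.getRemoteAddr() from X-Forwarded-For, and what that means for a
brute-force counter keyed on that address.

Added example: a stand-alone model of the valve's documented algorithm, not
Tomcat or Spring code. All requests and addresses below are constructed."""
import ipaddress
from collections import Counter

# RemoteIpValve's default internalProxies cover loopback, link-local and RFC 1918 ranges.
DEFAULT_INTERNAL_PROXIES = tuple(ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128",
))
# The misconfiguration: every peer is treated as a proxy whose header is believed.
TRUST_EVERYTHING = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def in_any(addr, networks):
    """True if addr parses as an IP and falls inside one of networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def resolve_remote_addr(peer_addr, xff, internal=DEFAULT_INTERNAL_PROXIES, trusted=()):
    """Return (remote_addr, remaining_xff) as the valve would expose them.

    The header is consulted only when the TCP peer is an internal proxy. The
    chain is then walked right to left; internal and explicitly trusted proxies
    are skipped and the first other address becomes the remote address. Hops to
    the left of it are kept as the residual (unverified) X-Forwarded-For value.
    If every hop is a proxy, the leftmost one is reported, as the valve does."""
    if not in_any(peer_addr, internal):
        return peer_addr, xff          # direct client: the header is never trusted
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not hops:
        return peer_addr, ""
    remote = None
    while hops:
        remote = hops.pop()
        if in_any(remote, internal) or remote in trusted:
            continue                   # a proxy we operate or explicitly trust
        break
    return remote, ", ".join(hops)


def failures_by_client(failed_requests, internal=DEFAULT_INTERNAL_PROXIES, trusted=()):
    """Attribute each failed login, given as (peer_addr, xff), to the resolved
    client IP, i.e. the value WebAuthenticationDetails.getRemoteAddress() would
    carry when the listener records the attempt."""
    counts = Counter()
    for peer, xff in failed_requests:
        addr, _ = resolve_remote_addr(peer, xff, internal, trusted)
        counts[addr] += 1
    return counts


# Constructed scenario: a load balancer at 10.0.0.6 appends the real peer to
# X-Forwarded-For; an attacker at 198.51.100.9 rotates forged header values.
ATTACK_VIA_LB = [("10.0.0.6", f"203.0.113.{i}, 198.51.100.9") for i in range(1, 6)]
# The same attacker reaching the application server directly, bypassing the balancer.
ATTACK_DIRECT = [("198.51.100.9", f"203.0.113.{i}") for i in range(1, 6)]

if __name__ == "__main__":
    print(resolve_remote_addr("127.0.0.1", "8.8.8.8"))           # the answer's test case
    print(failures_by_client(ATTACK_VIA_LB))                     # all five land on 198.51.100.9
    print(failures_by_client(ATTACK_DIRECT))                     # forged header ignored, same result
    print(failures_by_client(ATTACK_DIRECT, internal=TRUST_EVERYTHING))  # one hit per forged IP
```

With the default internal-proxies list the forged values are harmless: the balancer appends the real peer, and a request that skips the balancer comes from a public address whose header is ignored, so every failure lands on 198.51.100.9. Under TRUST_EVERYTHING the direct attacker is counted once per forged address and never trips the threshold, and could equally lock out a victim's address. The practical check is therefore to keep the matching Spring Boot property (server.tomcat.internal-proxies in the Boot versions that use server.tomcat.remote-ip-header, server.tomcat.remoteip.internal-proxies in later ones) narrowed to the load balancer's addresses and to make sure the application port is not reachable except through it.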
Are you using Tomcat?

@caco3 the embedded one that ships with Spring Boot.