You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2017/08/13 11:25:01 UTC

[jira] [Commented] (WICKET-6440) SecuredRemoteAddressRequestWrapperFactory doesn't make request secure

    [ https://issues.apache.org/jira/browse/WICKET-6440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16124885#comment-16124885 ] 

Martin Grigorov commented on WICKET-6440:
-----------------------------------------

Any chance for a quickstart app ?

> SecuredRemoteAddressRequestWrapperFactory doesn't make request secure
> ---------------------------------------------------------------------
>
>                 Key: WICKET-6440
>                 URL: https://issues.apache.org/jira/browse/WICKET-6440
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 7.8.0
>            Reporter: Hendy Irawan
>
> I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is:
> {noformat}
> 2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3] ecuredRemoteAddressRequestWrapperFactory : Incoming request uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia with originalSecure='false', remoteAddr='127.0.0.1' will be seen with newSecure='false'
> {noformat}
> Since remoteAddr is 127.* then it should be treated as secure, per documentation.
> This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: (i.e. need to remove {{==false}})
> {code:java}
> 	@Override
> 	public boolean needsWrapper(final HttpServletRequest request)
> 	{
> 		return !request.isSecure() &&
> 			matchesOne(request.getRemoteAddr(), config.securedRemoteAddresses) == false;
> 	}
> {code}
> Additionally, newSecure = should be {{xRequest.isSecure()}} :
> {code:java}
> 		HttpServletRequest xRequest = super.getWrapper(request);
> 		if (log.isDebugEnabled())
> 		{
> 			log.debug("Incoming request uri=" + request.getRequestURI() + " with originalSecure='" +
> 				request.isSecure() + "', remoteAddr='" + request.getRemoteAddr() +
> 				"' will be seen with newSecure='" + request.isSecure() + "'");
> 		}
> {code}
> Related to WICKET-3015.
> Tag [~jdonnerstag] [~pete]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)