You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by jd...@apache.org on 2010/11/28 14:08:54 UTC
svn commit: r1039877 - in /wicket/trunk/wicket/src:
main/java/org/apache/wicket/mock/ main/java/org/apache/wicket/protocol/http/
main/java/org/apache/wicket/protocol/http/filter/
main/java/org/apache/wicket/protocol/http/mock/ main/java/org/apache/wick...
Author: jdonnerstag
Date: Sun Nov 28 13:08:53 2010
New Revision: 1039877
URL: http://svn.apache.org/viewvc?rev=1039877&view=rev
Log:
fixed WICKET-3015 add (even more) support for front-end proxies (schema, client ip, ...)
first attempt
Issue: WICKET-3015
Added:
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/AbstractWicketFilterExtension.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/IWicketFilterExtension.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/SecuredRemoteAddressWicketFilterExtension.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/XForwardedWicketFilterExtension.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/XForwardedRequest.java
wicket/trunk/wicket/src/test/java/org/apache/wicket/protocol/http/XForwardedWicketFilterExtensionTest.java
wicket/trunk/wicket/src/test/java/org/apache/wicket/protocol/http/filter/
Modified:
wicket/trunk/wicket/src/main/java/org/apache/wicket/mock/MockWebResponse.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/WicketFilter.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/mock/MockHttpServletRequest.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebRequest.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/request/cycle/RequestCycle.java
wicket/trunk/wicket/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/mock/MockWebResponse.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/mock/MockWebResponse.java?rev=1039877&r1=1039876&r2=1039877&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/mock/MockWebResponse.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/mock/MockWebResponse.java Sun Nov 28 13:08:53 2010
@@ -99,7 +99,6 @@ public class MockWebResponse extends Web
{
contentLength = length;
setHeader("Content-Length", String.valueOf(length));
-
}
/**
Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/WicketFilter.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/WicketFilter.java?rev=1039877&r1=1039876&r2=1039877&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/WicketFilter.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/WicketFilter.java Sun Nov 28 13:08:53 2010
@@ -17,6 +17,7 @@
package org.apache.wicket.protocol.http;
import java.io.IOException;
+import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
@@ -29,17 +30,18 @@ import javax.servlet.http.HttpServletRes
import org.apache.wicket.ThreadContext;
import org.apache.wicket.WicketRuntimeException;
+import org.apache.wicket.protocol.http.filter.IWicketFilterExtension;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.util.file.WebXmlFile;
+import org.apache.wicket.util.lang.Generics;
import org.apache.wicket.util.string.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Filter for initiating handling of Wicket requests.
- *
* <p>
* The advantage of a filter is that, unlike a servlet, it can choose not to process the request and
* let whatever is next in chain try. So when using a Wicket filter and a request comes in for
@@ -77,6 +79,8 @@ public class WicketFilter implements Fil
// filterPath length without trailing "/"
private int filterPathLength = -1;
+ private List<IWicketFilterExtension> filterChain;
+
/**
* @return The class loader
*/
@@ -95,9 +99,18 @@ public class WicketFilter implements Fil
* @throws IOException
* @throws ServletException
*/
- boolean processRequest(final ServletRequest request, final ServletResponse response,
+ boolean processRequest(ServletRequest request, final ServletResponse response,
final FilterChain chain) throws IOException, ServletException
{
+ // Add request wrappers if needed
+ if (filterChain != null)
+ {
+ for (IWicketFilterExtension filter : filterChain)
+ {
+ request = filter.getRequestWrapper(request);
+ }
+ }
+
// Assume we are able to handle the request
boolean res = true;
@@ -278,6 +291,14 @@ public class WicketFilter implements Fil
application.setName(filterConfig.getFilterName());
application.setWicketFilter(this);
+ if (filterChain != null)
+ {
+ for (IWicketFilterExtension filter : filterChain)
+ {
+ filter.init(application, isServlet, filterConfig);
+ }
+ }
+
// Allow the filterPath to tbe preset via setFilterPath()
if (filterPath == null)
{
@@ -374,6 +395,12 @@ public class WicketFilter implements Fil
return null;
}
+ /**
+ *
+ * @param isServlet
+ * @param filterConfig
+ * @return filter path from web.xml
+ */
protected String getFilterPathFromWebXml(final boolean isServlet,
final FilterConfig filterConfig)
{
@@ -404,6 +431,11 @@ public class WicketFilter implements Fil
return null;
}
+ /**
+ *
+ * @param filterConfig
+ * @return filter path
+ */
protected String getFilterPathFromConfig(FilterConfig filterConfig)
{
String result = filterConfig.getInitParameter(FILTER_MAPPING_PARAM);
@@ -534,4 +566,18 @@ public class WicketFilter implements Fil
}
this.filterPath = filterPath;
}
+
+ /**
+ * Sets the first element of the filter chain, which prepends Wicket's default processing
+ *
+ * @param filter
+ */
+ public final void addFilter(IWicketFilterExtension filter)
+ {
+ if (filterChain == null)
+ {
+ filterChain = Generics.newArrayList(2);
+ }
+ filterChain.add(filter);
+ }
}
Added: wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/AbstractWicketFilterExtension.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/AbstractWicketFilterExtension.java?rev=1039877&view=auto
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/AbstractWicketFilterExtension.java (added)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/AbstractWicketFilterExtension.java Sun Nov 28 13:08:53 2010
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http.filter;
+
+import java.util.List;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.wicket.util.lang.Generics;
+import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Juergen Donnerstag
+ */
+public abstract class AbstractWicketFilterExtension implements IWicketFilterExtension
+{
+ /** Logger */
+ private static final Logger log = LoggerFactory.getLogger(AbstractWicketFilterExtension.class);
+
+ /**
+ * {@link Pattern} for a comma delimited string that support whitespace characters
+ */
+ private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*");
+
+ private boolean enabled = true;
+
+ /**
+ *
+ * @return True, if filter is enabled
+ */
+ public final boolean isEnabled()
+ {
+ return enabled;
+ }
+
+ /**
+ * Enable or disable the filter
+ *
+ * @param enabled
+ */
+ public final void setEnabled(boolean enabled)
+ {
+ this.enabled = enabled;
+ }
+
+ /**
+ * @see org.apache.wicket.protocol.http.filter.IWicketFilterExtension#getRequestWrapper(javax.servlet.ServletRequest)
+ */
+ public ServletRequest getRequestWrapper(final ServletRequest servletRequest)
+ {
+ ServletRequest xRequest = servletRequest;
+ if (isEnabled() && (servletRequest instanceof HttpServletRequest))
+ {
+ return getHttpRequestWrapper((HttpServletRequest)servletRequest);
+ }
+ return xRequest;
+ }
+
+ /**
+ *
+ * @param request
+ * @return Either the original request or a wrapper
+ */
+ abstract public HttpServletRequest getHttpRequestWrapper(HttpServletRequest request);
+
+ /**
+ * Convert a given comma delimited list of regular expressions into an array of compiled
+ * {@link Pattern}
+ *
+ * @param commaDelimitedPatterns
+ * @return array of patterns (not <code>null</code>)
+ */
+ public static final Pattern[] commaDelimitedListToPatternArray(
+ final String commaDelimitedPatterns)
+ {
+ String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns);
+ List<Pattern> patternsList = Generics.newArrayList();
+ for (String pattern : patterns)
+ {
+ try
+ {
+ patternsList.add(Pattern.compile(pattern));
+ }
+ catch (PatternSyntaxException e)
+ {
+ throw new IllegalArgumentException("Illegal pattern syntax '" + pattern + "'", e);
+ }
+ }
+ return patternsList.toArray(new Pattern[0]);
+ }
+
+ /**
+ * Convert a given comma delimited list of regular expressions into an array of String
+ *
+ * @param commaDelimitedStrings
+ * @return array of patterns (non <code>null</code>)
+ */
+ public static final String[] commaDelimitedListToStringArray(final String commaDelimitedStrings)
+ {
+ if (Strings.isEmpty(commaDelimitedStrings))
+ {
+ return new String[0];
+ }
+ else
+ {
+ return commaSeparatedValuesPattern.split(commaDelimitedStrings);
+ }
+ }
+
+ /**
+ * Convert an array of strings in a comma delimited string
+ *
+ * @param stringList
+ * @return xxx
+ */
+ public static final String listToCommaDelimitedString(final List<String> stringList)
+ {
+ return Strings.join(", ", stringList);
+ }
+
+ /**
+ *
+ * @param str
+ * @param patterns
+ * @return Return <code>true</code> if the given <code>str</code> matches at least one of the
+ * given <code>patterns</code>.
+ */
+ public static final boolean matchesOne(final String str, final Pattern... patterns)
+ {
+ for (Pattern pattern : patterns)
+ {
+ if (pattern.matcher(str).matches())
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+}
Added: wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/IWicketFilterExtension.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/IWicketFilterExtension.java?rev=1039877&view=auto
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/IWicketFilterExtension.java (added)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/IWicketFilterExtension.java Sun Nov 28 13:08:53 2010
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http.filter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+
+import org.apache.wicket.Application;
+
+/**
+ * Allows to pre-process requests
+ */
+public interface IWicketFilterExtension
+{
+ /**
+ * Allows to return HttpServletRequestWrapper managed by Wicket
+ *
+ * @param request
+ * @return Either the original request or the wrapper
+ */
+ ServletRequest getRequestWrapper(final ServletRequest request);
+
+ /**
+ * Servlets and Filters are treated essentially the same with Wicket. This is the entry point
+ * for both of them.
+ *
+ * @see #init(FilterConfig)
+ *
+ * @param application
+ * @param isServlet
+ * True if Servlet, false of Filter
+ * @param filterConfig
+ * @throws ServletException
+ */
+ void init(Application application, boolean isServlet, FilterConfig filterConfig);
+}
\ No newline at end of file
Added: wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/SecuredRemoteAddressWicketFilterExtension.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/SecuredRemoteAddressWicketFilterExtension.java?rev=1039877&view=auto
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/SecuredRemoteAddressWicketFilterExtension.java (added)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/SecuredRemoteAddressWicketFilterExtension.java Sun Nov 28 13:08:53 2010
@@ -0,0 +1,203 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http.filter;
+
+import java.util.regex.Pattern;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.wicket.Application;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * <p>
+ * Sets {@link RequestFacade#isSecure()} to <code>true</code> if
+ * {@link ServletRequest#getRemoteAddr()} matches one of the <code>securedRemoteAddresses</code> of
+ * this filter.
+ * </p>
+ * <p>
+ * This filter is often preceded by the {@link XForwardedWicketFilterExtension} to get the remote
+ * address of the client even if the request goes through load balancers (e.g. F5 Big IP, Nortel
+ * Alteon) or proxies (e.g. Apache mod_proxy_http)
+ * </p>
+ * <p>
+ * <strong>Configuration parameters:</strong>
+ * <table border="1">
+ * <tr>
+ * <th>XForwardedFilter property</th>
+ * <th>Description</th>
+ * <th>Format</th>
+ * <th>Default value</th>
+ * </tr>
+ * <tr>
+ * <td>securedRemoteAddresses</td>
+ * <td>IP addresses for which {@link ServletRequest#isSecure()} must return <code>true</code></td>
+ * <td>Comma delimited list of regular expressions (in the syntax supported by the
+ * {@link java.util.regex.Pattern} library)</td>
+ * <td>Class A, B and C <a href="http://en.wikipedia.org/wiki/Private_network">private network IP
+ * address blocks</a> : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
+ * 172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3},
+ * 127\.\d{1,3}\.\d{1,3}\.\d{1,3}</td>
+ * </tr>
+ * </table>
+ * Note : the default configuration is can usually be used as internal servers are often trusted.
+ * </p>
+ * <p>
+ * <strong>Sample with secured remote addresses limited to 192.168.0.10 and 192.168.0.11</strong>
+ * </p>
+ * <p>
+ * SecuredRemoteAddressFilter configuration sample :
+ * </p>
+ *
+ * <code><pre>
+ * <filter>
+ * <filter-name>SecuredRemoteAddressFilter</filter-name>
+ * <filter-class>fr.xebia.servlet.filter.SecuredRemoteAddressFilter</filter-class>
+ * <init-param>
+ * <param-name>securedRemoteAddresses</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>SecuredRemoteAddressFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * A request with <code>{@link ServletRequest#getRemoteAddr()} = 192.168.0.10 or 192.168.0.11</code>
+ * will be seen as <code>{@link ServletRequest#isSecure()} == true</code> even if
+ * <code>{@link HttpServletRequest#getScheme()} == "http"</code>.
+ * </p>
+ *
+ * @author <a href="mailto:cyrille@cyrilleleclerc.com">Cyrille Le Clerc</a>
+ * @author Juergen Donnerstag
+ */
+public class SecuredRemoteAddressWicketFilterExtension extends AbstractWicketFilterExtension
+{
+ /** Logger */
+ private static final Logger log = LoggerFactory.getLogger(SecuredRemoteAddressWicketFilterExtension.class);
+
+ private final static String SECURED_REMOTE_ADDRESSES_PARAMETER = "securedRemoteAddresses";
+
+ /** */
+ public static class Config
+ {
+ /** @see #setSecuredRemoteAddresses(String) */
+ private Pattern[] securedRemoteAddresses = new Pattern[] {
+ Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"),
+ Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"),
+ Pattern.compile("172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}"),
+ Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"),
+ Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") };
+
+ /**
+ * Comma delimited list of secured remote addresses. Expressed with regular expressions.
+ * <p>
+ * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
+ * 172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3},
+ * 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
+ *
+ * @param comaDelimitedSecuredRemoteAddresses
+ */
+ public void setSecuredRemoteAdresses(final String comaDelimitedSecuredRemoteAddresses)
+ {
+ securedRemoteAddresses = commaDelimitedListToPatternArray(comaDelimitedSecuredRemoteAddresses);
+ }
+ }
+
+ // Filter Config
+ private Config config = new Config();
+
+ /**
+ * @return SecuredRemoteAddress and XForwarded filter specific config
+ */
+ public final Config getConfig()
+ {
+ return config;
+ }
+
+ /**
+ * The Wicket application might want to provide its own config
+ *
+ * @param config
+ */
+ public final void setConfig(final Config config)
+ {
+ this.config = config;
+ }
+
+ /**
+ *
+ * @param request
+ * @return True, if a wrapper is needed
+ */
+ public boolean needsWrapper(final HttpServletRequest request)
+ {
+ return !request.isSecure() &&
+ matchesOne(request.getRemoteAddr(), config.securedRemoteAddresses) == false;
+ }
+
+ /**
+ * If incoming remote address matches one of the declared IP pattern, wraps the incoming
+ * {@link HttpServletRequest} to override {@link HttpServletRequest#isSecure()} to set it to
+ * <code>true</code>.
+ */
+ @Override
+ public HttpServletRequest getHttpRequestWrapper(final HttpServletRequest request)
+ {
+ HttpServletRequest xRequest = request;
+ if (needsWrapper(request))
+ {
+ xRequest = new HttpServletRequestWrapper(request)
+ {
+ @Override
+ public boolean isSecure()
+ {
+ return true;
+ }
+ };
+ }
+
+ if (log.isDebugEnabled())
+ {
+ log.debug("Incoming request uri=" + (request).getRequestURI() +
+ " with originalSecure='" + request.isSecure() + "', remoteAddr='" +
+ request.getRemoteAddr() + "' will be seen with newSecure='" + xRequest.isSecure() +
+ "'");
+ }
+
+ return xRequest;
+ }
+
+ /**
+ * @see org.apache.wicket.protocol.http.filter.IWicketFilterExtension#init(org.apache.wicket.Application,
+ * boolean, javax.servlet.FilterConfig)
+ */
+ public void init(final Application application, final boolean isServlet,
+ final FilterConfig filterConfig)
+ {
+ String comaDelimitedSecuredRemoteAddresses = filterConfig.getInitParameter(SECURED_REMOTE_ADDRESSES_PARAMETER);
+ if (comaDelimitedSecuredRemoteAddresses != null)
+ {
+ config.setSecuredRemoteAdresses(comaDelimitedSecuredRemoteAddresses);
+ }
+ }
+}
Added: wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/XForwardedWicketFilterExtension.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/XForwardedWicketFilterExtension.java?rev=1039877&view=auto
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/XForwardedWicketFilterExtension.java (added)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/filter/XForwardedWicketFilterExtension.java Sun Nov 28 13:08:53 2010
@@ -0,0 +1,825 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http.filter;
+
+import java.util.LinkedList;
+import java.util.regex.Pattern;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.wicket.Application;
+import org.apache.wicket.protocol.http.servlet.XForwardedRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Servlet filter to integrate "X-Forwarded-For" and "X-Forwarded-Proto" HTTP headers. </p>
+ * <p>
+ * Most of the design of this Servlet Filter is a port of <a
+ * href="http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html">mod_remoteip</a>, this servlet
+ * filter replaces the apparent client remote IP address and hostname for the request with the IP
+ * address list presented by a proxy or a load balancer via a request headers (e.g.
+ * "X-Forwarded-For").
+ * </p>
+ * <p>
+ * Another feature of this servlet filter is to replace the apparent scheme (http/https) and server
+ * port with the scheme presented by a proxy or a load balancer via a request header (e.g.
+ * "X-Forwarded-Proto").
+ * </p>
+ * <p>
+ * This servlet filter proceeds as follows:
+ * </p>
+ * <p>
+ * If the incoming <code>request.getRemoteAddr()</code> matches the servlet filter's list of
+ * internal proxies :
+ * <ul>
+ * <li>Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer
+ * or proxy in the given request's Http header named <code>$remoteIPHeader</code> (default value
+ * <code>x-forwarded-for</code>). Values are processed in right-to-left order.</li>
+ * <li>For each ip/host of the list:
+ * <ul>
+ * <li>if it matches the internal proxies list, the ip/host is swallowed</li>
+ * <li>if it matches the trusted proxies list, the ip/host is added to the created proxies header</li>
+ * <li>otherwise, the ip/host is declared to be the remote ip and looping is stopped.</li>
+ * </ul>
+ * </li>
+ * <li>If the request http header named <code>$protocolHeader</code> (e.g.
+ * <code>x-forwarded-for</code>) equals to the value of <code>protocolHeaderHttpsValue</code>
+ * configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
+ * <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can
+ * be overwritten with the <code>$httpsServerPort</code> configuration parameter.</li>
+ * </ul>
+ * </p>
+ * <p>
+ * <strong>Configuration parameters:</strong>
+ * <table border="1">
+ * <tr>
+ * <th>XForwardedFilter property</th>
+ * <th>Description</th>
+ * <th>Equivalent mod_remoteip directive</th>
+ * <th>Format</th>
+ * <th>Default Value</th>
+ * </tr>
+ * <tr>
+ * <td>remoteIPHeader</td>
+ * <td>Name of the Http Header read by this servlet filter that holds the list of traversed IP
+ * addresses starting from the requesting client</td>
+ * <td>RemoteIPHeader</td>
+ * <td>Compliant http header name</td>
+ * <td>x-forwarded-for</td>
+ * </tr>
+ * <tr>
+ * <td>allowedInternalProxies</td>
+ * <td>List of internal proxies ip adress. If they appear in the <code>remoteIpHeader</code> value,
+ * they will be trusted and will not appear in the <code>proxiesHeader</code> value</td>
+ * <td>RemoteIPInternalProxy</td>
+ * <td>Comma delimited list of regular expressions (in the syntax supported by the
+ * {@link java.util.regex.Pattern} library)</td>
+ * <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
+ * 172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3},
+ * 127\.\d{1,3}\.\d{1,3}\.\d{1,3} <br/>
+ * By default, 10/8, 192.168/16, 172.16/12, 169.254/16 and 127/8 are allowed</td>
+ * </tr>
+ * </tr>
+ * <tr>
+ * <td>proxiesHeader</td>
+ * <td>Name of the http header created by this servlet filter to hold the list of proxies that have
+ * been processed in the incoming <code>remoteIPHeader</code></td>
+ * <td>RemoteIPProxiesHeader</td>
+ * <td>Compliant http header name</td>
+ * <td>x-forwarded-by</td>
+ * </tr>
+ * <tr>
+ * <td>trustedProxies</td>
+ * <td>List of trusted proxies ip adress. If they appear in the <code>remoteIpHeader</code> value,
+ * they will be trusted and will appear in the <code>proxiesHeader</code> value</td>
+ * <td>RemoteIPTrustedProxy</td>
+ * <td>Comma delimited list of regular expressions (in the syntax supported by the
+ * {@link java.util.regex.Pattern} library)</td>
+ * <td> </td>
+ * </tr>
+ * <tr>
+ * <td>protocolHeader</td>
+ * <td>Name of the http header read by this servlet filter that holds the flag that this request</td>
+ * <td>N/A</td>
+ * <td>Compliant http header name like <code>X-Forwarded-Proto</code>, <code>X-Forwarded-Ssl</code>
+ * or <code>Front-End-Https</code></td>
+ * <td><code>null</code></td>
+ * </tr>
+ * <tr>
+ * <td>protocolHeaderHttpsValue</td>
+ * <td>Value of the <code>protocolHeader</code> to indicate that it is an Https request</td>
+ * <td>N/A</td>
+ * <td>String like <code>https</code> or <code>ON</code></td>
+ * <td><code>https</code></td>
+ * </tr>
+ * <tr>
+ * <tr>
+ * <td>httpServerPort</td>
+ * <td>Value returned by {@link ServletRequest#getServerPort()} when the <code>protocolHeader</code>
+ * indicates <code>http</code> protocol</td>
+ * <td>N/A</td>
+ * <td>integer</td>
+ * <td>80</td>
+ * </tr>
+ * <tr>
+ * <td>httpsServerPort</td>
+ * <td>Value returned by {@link ServletRequest#getServerPort()} when the <code>protocolHeader</code>
+ * indicates <code>https</code> protocol</td>
+ * <td>N/A</td>
+ * <td>integer</td>
+ * <td>443</td>
+ * </tr>
+ * </table>
+ * </p>
+ * <p>
+ * <p>
+ * <strong>Regular expression vs. IP address blocks:</strong> <code>mod_remoteip</code> allows to
+ * use address blocks (e.g. <code>192.168/16</code>) to configure <code>RemoteIPInternalProxy</code>
+ * and <code>RemoteIPTrustedProxy</code> ; as the JVM doesnt have a library similar to <a href=
+ * "http://apr.apache.org/docs/apr/1.3/group__apr__network__io.html#gb74d21b8898b7c40bf7fd07ad3eb993d"
+ * >apr_ipsubnet_test</a>.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with internal proxies</strong>
+ * </p>
+ * <p>
+ * XForwardedFilter configuration:
+ * </p>
+ * <code><pre>
+ * <filter>
+ * <filter-name>XForwardedFilter</filter-name>
+ * <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
+ * <init-param>
+ * <param-name>allowedInternalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>protocolHeader</param-name><param-value>x-forwarded-proto</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>XForwardedFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before XForwardedFilter</th>
+ * <th>Value After XForwardedFilter</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, 192.168.0.10</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-proto']</td>
+ * <td>https</td>
+ * <td>https</td>
+ * </tr>
+ * <tr>
+ * <td>request.scheme</td>
+ * <td>http</td>
+ * <td>https</td>
+ * </tr>
+ * <tr>
+ * <td>request.secure</td>
+ * <td>false</td>
+ * <td>true</td>
+ * </tr>
+ * <tr>
+ * <td>request.serverPort</td>
+ * <td>80</td>
+ * <td>443</td>
+ * </tr>
+ * </table>
+ * Note : <code>x-forwarded-by</code> header is null because only internal proxies as been traversed
+ * by the request. <code>x-forwarded-by</code> is null because all the proxies are trusted or
+ * internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with trusted proxies</strong>
+ * </p>
+ * <p>
+ * XForwardedFilter configuration:
+ * </p>
+ * <code><pre>
+ * <filter>
+ * <filter-name>XForwardedFilter</filter-name>
+ * <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
+ * <init-param>
+ * <param-name>allowedInternalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>XForwardedFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before XForwardedFilter</th>
+ * <th>Value After XForwardedFilter</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, proxy1, proxy2</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1, proxy2</td>
+ * </tr>
+ * </table>
+ * Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in
+ * <code>x-forwarded-for</code> header, they both are migrated in <code>x-forwarded-by</code>
+ * header. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with internal and trusted proxies</strong>
+ * </p>
+ * <p>
+ * XForwardedFilter configuration:
+ * </p>
+ * <code><pre>
+ * <filter>
+ * <filter-name>XForwardedFilter</filter-name>
+ * <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
+ * <init-param>
+ * <param-name>allowedInternalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>XForwardedFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before XForwardedFilter</th>
+ * <th>Value After XForwardedFilter</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, proxy1, proxy2, 192.168.0.10</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1, proxy2</td>
+ * </tr>
+ * </table>
+ * Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in
+ * <code>x-forwarded-for</code> header, they both are migrated in <code>x-forwarded-by</code>
+ * header. As <code>192.168.0.10</code> is an internal proxy, it does not appear in
+ * <code>x-forwarded-by</code>. <code>x-forwarded-by</code> is null because all the proxies are
+ * trusted or internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with an untrusted proxy</strong>
+ * </p>
+ * <p>
+ * XForwardedFilter configuration:
+ * </p>
+ * <code><pre>
+ * <filter>
+ * <filter-name>XForwardedFilter</filter-name>
+ * <filter-class>fr.xebia.servlet.filter.XForwardedFilter</filter-class>
+ * <init-param>
+ * <param-name>allowedInternalProxies</param-name><param-value>192\.168\.0\.10, 192\.168\.0\.11</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>trustedProxies</param-name><param-value>proxy1, proxy2</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>XForwardedFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before XForwardedFilter</th>
+ * <th>Value After XForwardedFilter</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>untrusted-proxy</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, untrusted-proxy, proxy1</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1</td>
+ * </tr>
+ * </table>
+ * Note : <code>x-forwarded-by</code> holds the trusted proxy <code>proxy1</code>.
+ * <code>x-forwarded-by</code> holds <code>140.211.11.130</code> because
+ * <code>untrusted-proxy</code> is not trusted and thus, we can not trust that
+ * <code>untrusted-proxy</code> is the actual remote ip. <code>request.remoteAddr</code> is
+ * <code>untrusted-proxy</code> that is an IP verified by <code>proxy1</code>.
+ * </p>
+ * <hr/>
+ *
+ * @author <a href="mailto:cyrille@cyrilleleclerc.com">Cyrille Le Clerc</a>
+ * @author Juergen Donnerstag
+ */
+public class XForwardedWicketFilterExtension extends AbstractWicketFilterExtension
+{
+ /** Logger */
+ private static final Logger log = LoggerFactory.getLogger(XForwardedWicketFilterExtension.class);
+
+ protected static final String HTTP_SERVER_PORT_PARAMETER = "httpServerPort";
+
+ protected static final String HTTPS_SERVER_PORT_PARAMETER = "httpsServerPort";
+
+ protected static final String INTERNAL_PROXIES_PARAMETER = "allowedInternalProxies";
+
+ protected static final String PROTOCOL_HEADER_PARAMETER = "protocolHeader";
+
+ protected static final String PROTOCOL_HEADER_SSL_VALUE_PARAMETER = "protocolHeaderSslValue";
+
+ protected static final String PROXIES_HEADER_PARAMETER = "proxiesHeader";
+
+ protected static final String REMOTE_IP_HEADER_PARAMETER = "remoteIPHeader";
+
+ protected static final String TRUSTED_PROXIES_PARAMETER = "trustedProxies";
+
+ /**
+ * Filter Config
+ */
+ public static class Config
+ {
+ // Enable / disable xforwarded functionality
+ private boolean enabled = true;
+
+ /** @see #setHttpServerPort(int) */
+ private int httpServerPort = 80;
+
+ /** @see #setHttpsServerPort(int) */
+ private int httpsServerPort = 443;
+
+ /** @see #setProtocolHeader(String) */
+ private String protocolHeader = null;
+
+ /** @see #setProtocolHeaderSsl(String) */
+ private String protocolHeaderSslValue = "https";
+
+ /** @see #setProxiesHeader(String) */
+ private String proxiesHeader = "X-Forwarded-By";
+
+ /** @see #setRemoteIPHeader(String) */
+ private String remoteIPHeader = "X-Forwarded-For";
+
+ /** @see #setTrustedProxies(String) */
+ private Pattern[] trustedProxies = new Pattern[0];
+
+ /** @see #setInternalProxies(String) */
+ private Pattern[] allowedInternalProxies = new Pattern[] {
+ Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"),
+ Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"),
+ Pattern.compile("172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}"),
+ Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"),
+ Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") };
+
+ /**
+ * Comma delimited list of internal proxies. Expressed with regular expressions.
+ * <p>
+ * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
+ * 172\\.(?:1[6-9]|2\\d|3[0-1]).\\d{1,3}.\\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3},
+ * 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
+ *
+ * @param allowedInternalProxies
+ */
+ public void setAllowedInternalProxies(final String allowedInternalProxies)
+ {
+ this.allowedInternalProxies = commaDelimitedListToPatternArray(allowedInternalProxies);
+ }
+
+ /**
+ * Server Port value if the {@link #protocolHeader} does not indicate HTTPS
+ * <p>
+ * Default value : 80
+ *
+ * @param httpServerPort
+ */
+ public void setHttpServerPort(final int httpServerPort)
+ {
+ this.httpServerPort = httpServerPort;
+ }
+
+ /**
+ * Server Port value if the {@link #protocolHeader} indicates HTTPS
+ * <p>
+ * Default value : 443
+ *
+ * @param httpsServerPort
+ */
+ public void setHttpsServerPort(final int httpsServerPort)
+ {
+ this.httpsServerPort = httpsServerPort;
+ }
+
+ /**
+ * Header that holds the incoming protocol, usally named <code>X-Forwarded-Proto</code>. If
+ * <code>null</code>, request.scheme and request.secure will not be modified.
+ * <p>
+ * Default value : <code>null</code>
+ *
+ * @param protocolHeader
+ */
+ public void setProtocolHeader(final String protocolHeader)
+ {
+ this.protocolHeader = protocolHeader;
+ }
+
+ /**
+ * Case insensitive value of the protocol header to indicate that the incoming http request
+ * uses SSL.
+ * <p>
+ * Default value : <code>HTTPS</code>
+ *
+ * @param protocolHeaderSslValue
+ */
+ public void setProtocolHeaderSslValue(final String protocolHeaderSslValue)
+ {
+ this.protocolHeaderSslValue = protocolHeaderSslValue;
+ }
+
+ /**
+ * The proxiesHeader directive specifies a header into which mod_remoteip will collect a
+ * list of all of the intermediate client IP addresses trusted to resolve the actual remote
+ * IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,
+ * while any intermediate RemoteIPInternalProxy addresses are discarded.
+ * <p>
+ * Name of the http header that holds the list of trusted proxies that has been traversed by
+ * the http request.
+ * <p>
+ * The value of this header can be comma delimited.
+ * <p>
+ * Default value : <code>X-Forwarded-By</code>
+ *
+ * @param proxiesHeader
+ */
+ public void setProxiesHeader(final String proxiesHeader)
+ {
+ this.proxiesHeader = proxiesHeader;
+ }
+
+ /**
+ * Name of the http header from which the remote ip is extracted.
+ * <p>
+ * The value of this header can be comma delimited.
+ * <p>
+ * Default value : <code>X-Forwarded-For</code>
+ *
+ * @param remoteIPHeader
+ */
+ public void setRemoteIPHeader(final String remoteIPHeader)
+ {
+ this.remoteIPHeader = remoteIPHeader;
+ }
+
+ /**
+ * Comma delimited list of proxies that are trusted when they appear in the
+ * {@link #remoteIPHeader} header. Can be expressed as a regular expression.
+ * <p>
+ * Default value : empty list, no external proxy is trusted.
+ *
+ * @param trustedProxies
+ */
+ public void setTrustedProxies(final String trustedProxies)
+ {
+ this.trustedProxies = commaDelimitedListToPatternArray(trustedProxies);
+ }
+
+ /**
+ * Enable / disable XForwarded related processing
+ *
+ * @param enable
+ */
+ public void setEnabled(boolean enable)
+ {
+ enabled = enable;
+ }
+
+ /**
+ * @return True, if filter is active
+ */
+ public boolean isEnabled()
+ {
+ return enabled;
+ }
+ }
+
+ // Filter Config
+ private Config config = new Config();
+
+ /**
+ * @return XForwarded filter specific config
+ */
+ public final Config getConfig()
+ {
+ return config;
+ }
+
+ /**
+ * The Wicket application might want to provide its own config
+ *
+ * @param config
+ */
+ public final void setConfig(final Config config)
+ {
+ this.config = config;
+ }
+
+ /**
+ *
+ * @param request
+ * @return True, if a wrapper is needed
+ */
+ public boolean needsWrapper(final HttpServletRequest request)
+ {
+ return matchesOne(request.getRemoteAddr(), config.allowedInternalProxies);
+ }
+
+ /**
+ *
+ * @param request
+ * @return Either the original request or the wrapper
+ */
+ @Override
+ public HttpServletRequest getHttpRequestWrapper(final HttpServletRequest request)
+ {
+ if (needsWrapper(request) == false)
+ {
+ if (log.isDebugEnabled())
+ {
+ log.debug("Skip XForwardedFilter for request " + request.getRequestURI() +
+ " with remote address " + request.getRemoteAddr());
+ }
+
+ return request;
+ }
+
+ String remoteIp = null;
+ // In java 6, proxiesHeaderValue should be declared as a java.util.Deque
+ LinkedList<String> proxiesHeaderValue = new LinkedList<String>();
+
+ String[] remoteIPHeaderValue = commaDelimitedListToStringArray(request.getHeader(config.remoteIPHeader));
+ int idx;
+ // loop on remoteIPHeaderValue to find the first trusted remote ip and to build the
+ // proxies chain
+ for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--)
+ {
+ String currentRemoteIp = remoteIPHeaderValue[idx];
+ remoteIp = currentRemoteIp;
+ if (matchesOne(currentRemoteIp, config.allowedInternalProxies))
+ {
+ // do nothing, allowedInternalProxies IPs are not appended to the
+ }
+ else if (matchesOne(currentRemoteIp, config.trustedProxies))
+ {
+ proxiesHeaderValue.addFirst(currentRemoteIp);
+ }
+ else
+ {
+ idx--; // decrement idx because break statement doesn't do it
+ break;
+ }
+ }
+ // continue to loop on remoteIPHeaderValue to build the new value of the remoteIPHeader
+ LinkedList<String> newRemoteIpHeaderValue = new LinkedList<String>();
+ for (; idx >= 0; idx--)
+ {
+ String currentRemoteIp = remoteIPHeaderValue[idx];
+ newRemoteIpHeaderValue.addFirst(currentRemoteIp);
+ }
+
+ XForwardedRequest xRequest = new XForwardedRequest(request);
+ if (remoteIp != null)
+ {
+ xRequest.setRemoteAddr(remoteIp);
+ xRequest.setRemoteHost(remoteIp);
+
+ if (proxiesHeaderValue.size() == 0)
+ {
+ xRequest.removeHeader(config.proxiesHeader);
+ }
+ else
+ {
+ String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue);
+ xRequest.setHeader(config.proxiesHeader, commaDelimitedListOfProxies);
+ }
+ if (newRemoteIpHeaderValue.size() == 0)
+ {
+ xRequest.removeHeader(config.remoteIPHeader);
+ }
+ else
+ {
+ String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue);
+ xRequest.setHeader(config.remoteIPHeader, commaDelimitedRemoteIpHeaderValue);
+ }
+ }
+
+ if (config.protocolHeader != null)
+ {
+ String protocolHeaderValue = request.getHeader(config.protocolHeader);
+ if (protocolHeaderValue == null)
+ {
+ // don't modify the secure,scheme and serverPort attributes of the request
+ }
+ else if (config.protocolHeaderSslValue.equalsIgnoreCase(protocolHeaderValue))
+ {
+ xRequest.setSecure(true);
+ xRequest.setScheme("https");
+ xRequest.setServerPort(config.httpsServerPort);
+ }
+ else
+ {
+ xRequest.setSecure(false);
+ xRequest.setScheme("http");
+ xRequest.setServerPort(config.httpServerPort);
+ }
+ }
+
+ if (log.isDebugEnabled())
+ {
+ log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" +
+ request.getRemoteAddr() + "', originalRemoteHost='" + request.getRemoteHost() +
+ "', originalSecure='" + request.isSecure() + "', originalScheme='" +
+ request.getScheme() + "', original[" + config.remoteIPHeader + "]='" +
+ request.getHeader(config.remoteIPHeader) + ", original[" + config.protocolHeader +
+ "]='" +
+ (config.protocolHeader == null ? null : request.getHeader(config.protocolHeader)) +
+ "' will be seen as newRemoteAddr='" + xRequest.getRemoteAddr() +
+ "', newRemoteHost='" + xRequest.getRemoteHost() + "', newScheme='" +
+ xRequest.getScheme() + "', newSecure='" + xRequest.isSecure() + "', new[" +
+ config.remoteIPHeader + "]='" + xRequest.getHeader(config.remoteIPHeader) +
+ ", new[" + config.proxiesHeader + "]='" + xRequest.getHeader(config.proxiesHeader) +
+ "'");
+ }
+ return xRequest;
+ }
+
+ /**
+ * Get xforwarded specific config from web.xml filter config
+ *
+ * @param isServlet
+ * @param filterConfig
+ * @throws ServletException
+ */
+ public void init(final Application application, final boolean isServlet,
+ final FilterConfig filterConfig)
+ {
+ if (filterConfig.getInitParameter(INTERNAL_PROXIES_PARAMETER) != null)
+ {
+ config.setAllowedInternalProxies(filterConfig.getInitParameter(INTERNAL_PROXIES_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(PROTOCOL_HEADER_PARAMETER) != null)
+ {
+ config.setProtocolHeader(filterConfig.getInitParameter(PROTOCOL_HEADER_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(PROTOCOL_HEADER_SSL_VALUE_PARAMETER) != null)
+ {
+ config.setProtocolHeaderSslValue(filterConfig.getInitParameter(PROTOCOL_HEADER_SSL_VALUE_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(PROXIES_HEADER_PARAMETER) != null)
+ {
+ config.setProxiesHeader(filterConfig.getInitParameter(PROXIES_HEADER_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(REMOTE_IP_HEADER_PARAMETER) != null)
+ {
+ config.setRemoteIPHeader(filterConfig.getInitParameter(REMOTE_IP_HEADER_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(TRUSTED_PROXIES_PARAMETER) != null)
+ {
+ config.setTrustedProxies(filterConfig.getInitParameter(TRUSTED_PROXIES_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(HTTP_SERVER_PORT_PARAMETER) != null)
+ {
+ try
+ {
+ config.setHttpServerPort(Integer.parseInt(filterConfig.getInitParameter(HTTP_SERVER_PORT_PARAMETER)));
+ }
+ catch (NumberFormatException e)
+ {
+ throw new NumberFormatException("Illegal " + HTTP_SERVER_PORT_PARAMETER + " : " +
+ e.getMessage());
+ }
+ }
+
+ if (filterConfig.getInitParameter(HTTPS_SERVER_PORT_PARAMETER) != null)
+ {
+ try
+ {
+ config.setHttpsServerPort(Integer.parseInt(filterConfig.getInitParameter(HTTPS_SERVER_PORT_PARAMETER)));
+ }
+ catch (NumberFormatException e)
+ {
+ throw new NumberFormatException("Illegal " + HTTPS_SERVER_PORT_PARAMETER + " : " +
+ e.getMessage());
+ }
+ }
+ }
+}
Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/mock/MockHttpServletRequest.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/mock/MockHttpServletRequest.java?rev=1039877&r1=1039876&r2=1039877&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/mock/MockHttpServletRequest.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/mock/MockHttpServletRequest.java Sun Nov 28 13:08:53 2010
@@ -177,6 +177,14 @@ public class MockHttpServletRequest impl
private boolean useMultiPartContentType;
+ private boolean secure = false;
+
+ private String remoteAddr = "127.0.0.1";
+
+ private String scheme = "http";
+
+ private int serverPort = 80;
+
/**
* Create the request using the supplied session object. Note that in order for temporary
* sessions to work, the supplied session must be an instance of {@link MockHttpSession}
@@ -788,7 +796,17 @@ public class MockHttpServletRequest impl
*/
public String getRemoteAddr()
{
- return "127.0.0.1";
+ return remoteAddr;
+ }
+
+ /**
+ *
+ * @param addr
+ * Format: "aaa.bbb.ccc.ddd"
+ */
+ public void setRemoteAddr(String addr)
+ {
+ remoteAddr = addr;
}
/**
@@ -893,7 +911,16 @@ public class MockHttpServletRequest impl
*/
public String getScheme()
{
- return "http";
+ return scheme;
+ }
+
+ /**
+ *
+ * @param scheme
+ */
+ public void setScheme(String scheme)
+ {
+ this.scheme = scheme;
}
/**
@@ -913,7 +940,16 @@ public class MockHttpServletRequest impl
*/
public int getServerPort()
{
- return 80;
+ return serverPort;
+ }
+
+ /**
+ *
+ * @param port
+ */
+ public void setServerPort(int port)
+ {
+ serverPort = port;
}
/**
@@ -1053,7 +1089,16 @@ public class MockHttpServletRequest impl
*/
public boolean isSecure()
{
- return false;
+ return secure;
+ }
+
+ /**
+ *
+ * @param secure
+ */
+ public void setSecure(boolean secure)
+ {
+ this.secure = secure;
}
/**
Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebRequest.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebRequest.java?rev=1039877&r1=1039876&r2=1039877&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebRequest.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebRequest.java Sun Nov 28 13:08:53 2010
@@ -55,6 +55,7 @@ import org.slf4j.LoggerFactory;
* {@link WebRequest} subclass that wraps a {@link HttpServletRequest} object.
*
* @author Matej Knopp
+ * @author Juergen Donnerstag
*/
public class ServletWebRequest extends WebRequest
{
@@ -68,7 +69,6 @@ public class ServletWebRequest extends W
* Construct.
*
* @param httpServletRequest
- *
* @param filterPrefix
* contentPath + filterPath, used to extract the actual {@link Url}
*/
@@ -81,10 +81,8 @@ public class ServletWebRequest extends W
* Construct.
*
* @param httpServletRequest
- *
* @param filterPrefix
* contentPath + filterPath, used to extract the actual {@link Url}
- *
* @param url
*/
public ServletWebRequest(HttpServletRequest httpServletRequest, String filterPrefix, Url url)
Added: wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/XForwardedRequest.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/XForwardedRequest.java?rev=1039877&view=auto
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/XForwardedRequest.java (added)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/XForwardedRequest.java Sun Nov 28 13:08:53 2010
@@ -0,0 +1,323 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http.servlet;
+
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+/**
+ * {@link href http://code.google.com/p/xebia-france/wiki/XForwardedFilter}
+ *
+ * @author Juergen Donnerstag
+ */
+public class XForwardedRequest extends HttpServletRequestWrapper
+{
+ private final static ThreadLocal<SimpleDateFormat[]> threadLocalDateFormats = new ThreadLocal<SimpleDateFormat[]>()
+ {
+ @Override
+ protected SimpleDateFormat[] initialValue()
+ {
+ return new SimpleDateFormat[] {
+ new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US),
+ new SimpleDateFormat("EEEEEE, dd-MMM-yy HH:mm:ss zzz", Locale.US),
+ new SimpleDateFormat("EEE MMMM d HH:mm:ss yyyy", Locale.US) };
+ };
+ };
+
+ private Map<String, List<String>> headers;
+
+ private String remoteAddr;
+
+ private String remoteHost;
+
+ private String scheme;
+
+ private boolean secure;
+
+ private int serverPort;
+
+ /**
+ * Construct.
+ *
+ * @param request
+ */
+ @SuppressWarnings("unchecked")
+ public XForwardedRequest(final HttpServletRequest request)
+ {
+ super(request);
+
+ remoteAddr = request.getRemoteAddr();
+ remoteHost = request.getRemoteHost();
+ scheme = request.getScheme();
+ secure = request.isSecure();
+ serverPort = request.getServerPort();
+
+ headers = new HashMap<String, List<String>>();
+ Enumeration<?> headerNames = request.getHeaderNames();
+ while (headerNames.hasMoreElements())
+ {
+ String header = (String)headerNames.nextElement();
+ headers.put(header, Collections.list(request.getHeaders(header)));
+ }
+ }
+
+ /**
+ * @see javax.servlet.http.HttpServletRequestWrapper#getDateHeader(java.lang.String)
+ */
+ @Override
+ public long getDateHeader(final String name)
+ {
+ String value = getHeader(name);
+ if (value == null)
+ {
+ return -1;
+ }
+
+ DateFormat[] dateFormats = threadLocalDateFormats.get();
+ Date date = null;
+ for (int i = 0; ((i < dateFormats.length) && (date == null)); i++)
+ {
+ DateFormat dateFormat = dateFormats[i];
+ try
+ {
+ date = dateFormat.parse(value);
+ }
+ catch (Exception ParseException)
+ {
+ ;
+ }
+ }
+
+ if (date == null)
+ {
+ throw new IllegalArgumentException(value);
+ }
+ else
+ {
+ return date.getTime();
+ }
+ }
+
+ /**
+ * @see javax.servlet.http.HttpServletRequestWrapper#getHeader(java.lang.String)
+ */
+ @Override
+ public String getHeader(final String name)
+ {
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header == null || header.getValue() == null || header.getValue().isEmpty())
+ {
+ return null;
+ }
+ else
+ {
+ return header.getValue().get(0);
+ }
+ }
+
+ /**
+ *
+ * @param name
+ * @return The map entry for 'name'
+ */
+ private Map.Entry<String, List<String>> getHeaderEntry(final String name)
+ {
+ for (Map.Entry<String, List<String>> entry : headers.entrySet())
+ {
+ if (entry.getKey().equalsIgnoreCase(name))
+ {
+ return entry;
+ }
+ }
+ return null;
+ }
+
+ /**
+ * @see javax.servlet.http.HttpServletRequestWrapper#getHeaderNames()
+ */
+ @Override
+ public Enumeration<?> getHeaderNames()
+ {
+ return Collections.enumeration(headers.keySet());
+ }
+
+ /**
+ * @see javax.servlet.http.HttpServletRequestWrapper#getHeaders(java.lang.String)
+ */
+ @Override
+ public Enumeration<?> getHeaders(final String name)
+ {
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header == null || header.getValue() == null)
+ {
+ return Collections.enumeration(Collections.emptyList());
+ }
+ else
+ {
+ return Collections.enumeration(header.getValue());
+ }
+ }
+
+ /**
+ * @see javax.servlet.http.HttpServletRequestWrapper#getIntHeader(java.lang.String)
+ */
+ @Override
+ public int getIntHeader(final String name)
+ {
+ String value = getHeader(name);
+ if (value == null)
+ {
+ return -1;
+ }
+ else
+ {
+ return Integer.parseInt(value);
+ }
+ }
+
+ /**
+ * @see javax.servlet.ServletRequestWrapper#getRemoteAddr()
+ */
+ @Override
+ public String getRemoteAddr()
+ {
+ return remoteAddr;
+ }
+
+ /**
+ * @see javax.servlet.ServletRequestWrapper#getRemoteHost()
+ */
+ @Override
+ public String getRemoteHost()
+ {
+ return remoteHost;
+ }
+
+ /**
+ * @see javax.servlet.ServletRequestWrapper#getScheme()
+ */
+ @Override
+ public String getScheme()
+ {
+ return scheme;
+ }
+
+ /**
+ * @see javax.servlet.ServletRequestWrapper#getServerPort()
+ */
+ @Override
+ public int getServerPort()
+ {
+ return serverPort;
+ }
+
+ /**
+ * @see javax.servlet.ServletRequestWrapper#isSecure()
+ */
+ @Override
+ public boolean isSecure()
+ {
+ return secure;
+ }
+
+ /**
+ * @param name
+ */
+ public void removeHeader(final String name)
+ {
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header != null)
+ {
+ headers.remove(header.getKey());
+ }
+ }
+
+ /**
+ *
+ * @param name
+ * @param value
+ */
+ public void setHeader(final String name, final String value)
+ {
+ List<String> values = Arrays.asList(value);
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header == null)
+ {
+ headers.put(name, values);
+ }
+ else
+ {
+ header.setValue(values);
+ }
+ }
+
+ /**
+ *
+ * @param remoteAddr
+ */
+ public void setRemoteAddr(final String remoteAddr)
+ {
+ this.remoteAddr = remoteAddr;
+ }
+
+ /**
+ *
+ * @param remoteHost
+ */
+ public void setRemoteHost(final String remoteHost)
+ {
+ this.remoteHost = remoteHost;
+ }
+
+ /**
+ *
+ * @param scheme
+ */
+ public void setScheme(final String scheme)
+ {
+ this.scheme = scheme;
+ }
+
+ /**
+ *
+ * @param secure
+ */
+ public void setSecure(final boolean secure)
+ {
+ this.secure = secure;
+ }
+
+ /**
+ *
+ * @param serverPort
+ */
+ public void setServerPort(final int serverPort)
+ {
+ this.serverPort = serverPort;
+ }
+}
Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/request/cycle/RequestCycle.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/request/cycle/RequestCycle.java?rev=1039877&r1=1039876&r2=1039877&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/request/cycle/RequestCycle.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/request/cycle/RequestCycle.java Sun Nov 28 13:08:53 2010
@@ -69,7 +69,6 @@ public class RequestCycle extends Reques
private interface IExecutor<T>
{
-
void execute(T object);
}
Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java?rev=1039877&r1=1039876&r2=1039877&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java Sun Nov 28 13:08:53 2010
@@ -290,6 +290,12 @@ public class BaseWicketTester
// prepare session
setupNextRequestCycle();
+
+ // Remove comments to run all tests with filter extensions added
+// IWicketFilterExtension filter1 = new XForwardedWicketFilterExtension();
+// IWicketFilterExtension filter2 = new SecuredRemoteAddressWicketFilterExtension();
+// getApplication().getWicketFilter().addFilter(filter1);
+// getApplication().getWicketFilter().addFilter(filter2);
}
protected IPageManagerProvider newTestPageManagerProvider()
Added: wicket/trunk/wicket/src/test/java/org/apache/wicket/protocol/http/XForwardedWicketFilterExtensionTest.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/test/java/org/apache/wicket/protocol/http/XForwardedWicketFilterExtensionTest.java?rev=1039877&view=auto
==============================================================================
--- wicket/trunk/wicket/src/test/java/org/apache/wicket/protocol/http/XForwardedWicketFilterExtensionTest.java (added)
+++ wicket/trunk/wicket/src/test/java/org/apache/wicket/protocol/http/XForwardedWicketFilterExtensionTest.java Sun Nov 28 13:08:53 2010
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.wicket.WicketTestCase;
+import org.apache.wicket.protocol.http.filter.XForwardedWicketFilterExtension;
+import org.apache.wicket.protocol.http.mock.MockHttpServletRequest;
+
+/**
+ *
+ * @author Juergen Donnerstag
+ */
+public class XForwardedWicketFilterExtensionTest extends WicketTestCase
+{
+ MockHttpServletRequest request;
+ XForwardedWicketFilterExtension filter;
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+
+ filter = new XForwardedWicketFilterExtension();
+ tester.getApplication().getWicketFilter().addFilter(filter);
+ request = tester.getRequest();
+ }
+
+ /** */
+ public void test1()
+ {
+ HttpServletRequest resp = (HttpServletRequest)filter.getRequestWrapper(request);
+ assertEquals("127.0.0.1", resp.getRemoteAddr());
+ assertEquals(null, resp.getHeader("x-forwarded-for"));
+ assertEquals(null, resp.getHeader("x-forwarded-by"));
+ assertEquals(null, resp.getHeader("x-forwarded-proto"));
+ assertEquals("http", resp.getScheme());
+ assertFalse(resp.isSecure());
+ assertEquals(80, resp.getServerPort());
+ }
+
+ /** */
+ public void test2()
+ {
+ filter.getConfig().setProtocolHeader("x-forwarded-proto");
+
+ HttpServletRequest resp = (HttpServletRequest)filter.getRequestWrapper(request);
+ assertEquals("127.0.0.1", resp.getRemoteAddr());
+ assertEquals(null, resp.getHeader("x-forwarded-for"));
+ assertEquals(null, resp.getHeader("x-forwarded-by"));
+ assertEquals(null, resp.getHeader("x-forwarded-proto"));
+ assertEquals("http", resp.getScheme());
+ assertFalse(resp.isSecure());
+ assertEquals(80, resp.getServerPort());
+ }
+
+ /**
+ * Sample with internal proxies
+ */
+ public void test3()
+ {
+ filter.getConfig().setAllowedInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ filter.getConfig().setRemoteIPHeader("x-forwarded-for");
+ filter.getConfig().setProxiesHeader("x-forwarded-by");
+ filter.getConfig().setProtocolHeader("x-forwarded-proto");
+
+ request.setRemoteAddr("192.168.0.10");
+ request.addHeader("x-forwarded-for", "140.211.11.130, 192.168.0.10");
+ // request.addHeader("x-forwarded-by", null);
+ request.addHeader("x-forwarded-proto", "https");
+ request.setScheme("http");
+ request.setSecure(false);
+ request.setServerPort(80);
+
+ HttpServletRequest resp = (HttpServletRequest)filter.getRequestWrapper(request);
+ assertEquals("140.211.11.130", resp.getRemoteAddr());
+ assertEquals(null, resp.getHeader("x-forwarded-for"));
+ assertEquals(null, resp.getHeader("x-forwarded-by"));
+ assertEquals("https", resp.getHeader("x-forwarded-proto"));
+ assertEquals("https", resp.getScheme());
+ assertEquals(true, resp.isSecure());
+ assertEquals(443, resp.getServerPort());
+ }
+
+ /**
+ * Sample with trusted proxies
+ */
+ public void test4()
+ {
+ filter.getConfig().setAllowedInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ filter.getConfig().setRemoteIPHeader("x-forwarded-for");
+ filter.getConfig().setProxiesHeader("x-forwarded-by");
+ filter.getConfig().setTrustedProxies("proxy1, proxy2");
+
+ request.setRemoteAddr("192.168.0.10");
+ request.addHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+
+ HttpServletRequest resp = (HttpServletRequest)filter.getRequestWrapper(request);
+ assertEquals("140.211.11.130", resp.getRemoteAddr());
+ assertEquals(null, resp.getHeader("x-forwarded-for"));
+ assertEquals("proxy1, proxy2", resp.getHeader("x-forwarded-by"));
+ }
+
+ /**
+ * Sample with internal and trusted proxies
+ */
+ public void test5()
+ {
+ filter.getConfig().setAllowedInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ filter.getConfig().setRemoteIPHeader("x-forwarded-for");
+ filter.getConfig().setProxiesHeader("x-forwarded-by");
+ filter.getConfig().setTrustedProxies("proxy1, proxy2");
+
+ request.setRemoteAddr("192.168.0.10");
+ request.addHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2, 192.168.0.10");
+
+ HttpServletRequest resp = (HttpServletRequest)filter.getRequestWrapper(request);
+ assertEquals("140.211.11.130", resp.getRemoteAddr());
+ assertEquals(null, resp.getHeader("x-forwarded-for"));
+ assertEquals("proxy1, proxy2", resp.getHeader("x-forwarded-by"));
+ }
+
+ /**
+ * Sample with an untrusted proxy
+ */
+ public void test6()
+ {
+ filter.getConfig().setAllowedInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ filter.getConfig().setRemoteIPHeader("x-forwarded-for");
+ filter.getConfig().setProxiesHeader("x-forwarded-by");
+ filter.getConfig().setTrustedProxies("proxy1, proxy2");
+
+ request.setRemoteAddr("192.168.0.10");
+ request.addHeader("x-forwarded-for", "140.211.11.130, untrusted-proxy, proxy1");
+
+ HttpServletRequest resp = (HttpServletRequest)filter.getRequestWrapper(request);
+ assertEquals("untrusted-proxy", resp.getRemoteAddr());
+ assertEquals("140.211.11.130", resp.getHeader("x-forwarded-for"));
+ assertEquals("proxy1", resp.getHeader("x-forwarded-by"));
+ }
+}