You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Hendy Irawan (JIRA)" <ji...@apache.org> on 2017/08/08 09:15:00 UTC

[jira] [Created] (WICKET-6440) SecuredRemoteAddressRequestWrapperFactory doesn't make request secure

Hendy Irawan created WICKET-6440:
------------------------------------

             Summary: SecuredRemoteAddressRequestWrapperFactory doesn't make request secure
                 Key: WICKET-6440
                 URL: https://issues.apache.org/jira/browse/WICKET-6440
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 7.8.0
            Reporter: Hendy Irawan


I'm using SecuredRemoteAddressRequestWrapperFactory and what I get is:


{noformat}
2017-08-08 09:07:53.460 DEBUG 3851 --- [nio-8080-exec-3] ecuredRemoteAddressRequestWrapperFactory : Incoming request uri=/id/cari-wanita/di/Kota%20Malang,%20Jawa%20Timur,%20Republic%20of%20Indonesia with originalSecure='false', remoteAddr='127.0.0.1' will be seen with newSecure='false'
{noformat}

Since remoteAddr is 127.* then it should be treated as secure, per documentation.

This code in SecuredRemoteAddressRequestWrapperFactory is probably buggy: (i.e. need to remove {{==false}})

{code:java}
	@Override
	public boolean needsWrapper(final HttpServletRequest request)
	{
		return !request.isSecure() &&
			matchesOne(request.getRemoteAddr(), config.securedRemoteAddresses) == false;
	}
{code}

Related to WICKET-3015.
Tag [~jdonnerstag] [~pete]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)