public class ForwardedHeaderTransformer extends Object implements Function<ServerHttpRequest,ServerHttpRequest>
HttpRequest.getURI()) so it reflects the client-originated protocol and address.
An instance of this class is typically declared as a bean with the name "forwardedHeaderTransformer" and detected by WebHttpHandlerBuilder.applicationContext(ApplicationContext), or it can also be registered directly via WebHttpHandlerBuilder.forwardedHeaderTransformer(ForwardedHeaderTransformer).
There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client. This is why a proxy at the boundary of trust should be configured to remove untrusted Forwarded headers that come from the outside.
You can also configure the ForwardedHeaderFilter with removeOnly, in which case it removes but does not use the headers.
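The following added example (not part of the Spring Javadoc) declares the bean in "remove only" mode and compares it with the default mode on a constructed request carrying client-supplied forwarded headers. The class name `ForwardedHeaderConfig` and the host names are assumptions, and `MockServerHttpRequest` requires spring-test on the classpath.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.adapter.ForwardedHeaderTransformer;

// Hypothetical configuration class for an application that is reachable
// without a trusted proxy stripping forwarded headers at the boundary.
@Configuration
public class ForwardedHeaderConfig {

    // The bean name is the one WebHttpHandlerBuilder looks for.
    @Bean("forwardedHeaderTransformer")
    public ForwardedHeaderTransformer forwardedHeaderTransformer() {
        ForwardedHeaderTransformer transformer = new ForwardedHeaderTransformer();
        // Discard "Forwarded" and "X-Forwarded-*" headers instead of letting
        // them rewrite the request URI seen by the application.
        transformer.setRemoveOnly(true);
        return transformer;
    }

    // Side-by-side check of both modes on a constructed request.
    public static void main(String[] args) {
        // Constructed sample: headers a client could set itself.
        ServerHttpRequest incoming = MockServerHttpRequest
                .get("http://app.internal:8080/account")
                .header("X-Forwarded-Host", "spoofed.example")
                .header("X-Forwarded-Proto", "https")
                .build();

        ForwardedHeaderTransformer applying = new ForwardedHeaderTransformer();
        ForwardedHeaderTransformer removing = new ForwardedHeaderTransformer();
        removing.setRemoveOnly(true);

        ServerHttpRequest applied = applying.apply(incoming);
        ServerHttpRequest stripped = removing.apply(incoming);

        // Default mode: the URI is rebuilt from the header values.
        System.out.println("applied URI:  " + applied.getURI());
        // Remove-only mode: the URI is left as received.
        System.out.println("stripped URI: " + stripped.getURI());
        // In both modes the headers are gone from the returned request.
        System.out.println("header after apply:  " + applied.getHeaders().getFirst("X-Forwarded-Host"));
        System.out.println("header after remove: " + stripped.getHeaders().getFirst("X-Forwarded-Host"));
    }
}
```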
Constructor and Description |
---|
ForwardedHeaderTransformer() |
Modifier and Type | Method and Description |
---|---|
ServerHttpRequest | apply(ServerHttpRequest request): Apply and remove, or remove Forwarded type headers. |
protected boolean | hasForwardedHeaders(ServerHttpRequest request): Whether the request has any Forwarded headers. |
boolean | isRemoveOnly(): Whether the "remove only" mode is on. |
void | setRemoveOnly(boolean removeOnly): Enable mode in which any "Forwarded" or "X-Forwarded-*" headers are removed only and the information in them ignored. |
public void setRemoveOnly(boolean removeOnly)
removeOnly - whether to discard and ignore forwarded headers

public boolean isRemoveOnly()
See also: setRemoveOnly(boolean)

public ServerHttpRequest apply(ServerHttpRequest request)
apply in interface Function<ServerHttpRequest,ServerHttpRequest>
request - the request

protected boolean hasForwardedHeaders(ServerHttpRequest request)
request - the request