Class ForwardedHeaderFilter
- All Implemented Interfaces:
Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, EnvironmentAware, EnvironmentCapable, ServletContextAware
There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client. This is why a proxy at the boundary of trust should be configured to remove untrusted Forwarded headers that come from the outside.
You can also configure the ForwardedHeaderFilter with removeOnly, in which case it removes but does not use the headers.
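The difference between the two modes, shown as an added example that is not part of the Spring Javadoc. It assumes spring-web and spring-test (for the org.springframework.mock.web classes) are on the classpath; the class name ForwardedHeaderFilterDemo and the host names are constructed for illustration.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.ForwardedHeaderFilter;

public class ForwardedHeaderFilterDemo {

    // Constructed sample request: a client that reaches the application
    // directly and supplies its own forwarded headers.
    static MockHttpServletRequest spoofedRequest() {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/account");
        request.setScheme("http");
        request.setServerName("app.internal.example");
        request.setServerPort(8080);
        request.addHeader("X-Forwarded-Proto", "https");
        request.addHeader("X-Forwarded-Host", "untrusted.example");
        request.addHeader("X-Forwarded-Port", "443");
        return request;
    }

    // Runs the filter and returns the request as the rest of the chain sees it.
    static HttpServletRequest apply(boolean removeOnly) throws Exception {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        filter.setRemoveOnly(removeOnly);
        MockFilterChain chain = new MockFilterChain();
        filter.doFilter(spoofedRequest(), new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    static void report(String label, HttpServletRequest r) {
        System.out.println(label + ": url=" + r.getRequestURL()
                + " X-Forwarded-Host=" + r.getHeader("X-Forwarded-Host"));
    }

    public static void main(String[] args) throws Exception {
        // Default mode: the header values are applied to scheme, host and port,
        // so it is only safe behind a proxy that strips client-supplied copies.
        report("default   ", apply(false));
        // removeOnly: the headers are dropped and the container's values stay.
        report("removeOnly", apply(true));
    }
}
```

In both modes the forwarded headers are hidden from downstream code; only the default mode lets their values change the URL the application sees.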
- Since:
- 4.3
- Author:
- Rossen Stoyanchev, Eddú Meléndez, Rob Winch, Brian Clozel
-
Field Summary
Fields inherited from class org.springframework.web.filter.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
-
Constructor Summary
-
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| protected void | doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) | Same contract as for doFilter, but guaranteed to be just invoked once per request within a single request thread. |
| protected void | doFilterNestedErrorDispatch(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) | Typically an ERROR dispatch happens after the REQUEST dispatch completes, and the filter chain starts anew. |
| protected String | formatRequest(HttpServletRequest request) | Format the request for logging purposes including HTTP method and URL. |
| void | setRelativeRedirects(boolean relativeRedirects) | Use this property to enable relative redirects as explained in RelativeRedirectFilter, and also using the same response wrapper as that filter does, or if both are configured, only one will wrap. |
| void | setRemoveOnly(boolean removeOnly) | Enables mode in which any "Forwarded" or "X-Forwarded-*" headers are removed only and the information in them ignored. |
| protected boolean | shouldNotFilter(HttpServletRequest request) | Can be overridden in subclasses for custom filtering control, returning true to avoid filtering of the given request. |
| protected boolean | shouldNotFilterAsyncDispatch() | The dispatcher type jakarta.servlet.DispatcherType.ASYNC means a filter can be invoked in more than one thread over the course of a single request. |
| protected boolean | shouldNotFilterErrorDispatch() | Whether to filter error dispatches such as when the servlet container processes an error mapped in web.xml. |

Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
ForwardedHeaderFilter
public ForwardedHeaderFilter()
-
-
Method Details
-
setRemoveOnly
public void setRemoveOnly(boolean removeOnly)
Enables mode in which any "Forwarded" or "X-Forwarded-*" headers are removed only and the information in them ignored.
- Parameters:
- removeOnly - whether to discard and ignore forwarded headers
- Since:
- 4.3.9
-
setRelativeRedirects
public void setRelativeRedirects(boolean relativeRedirects)
Use this property to enable relative redirects as explained in RelativeRedirectFilter, and also using the same response wrapper as that filter does, or if both are configured, only one will wrap.
By default, this property is set to false, in which case calls to HttpServletResponse.sendRedirect(String) are overridden in order to turn relative into absolute URLs, also taking into account forwarded headers.
- Parameters:
- relativeRedirects - whether to use relative redirects
- Since:
- 4.3.10
-
shouldNotFilter
protected boolean shouldNotFilter(HttpServletRequest request)
Description copied from class: OncePerRequestFilter
Can be overridden in subclasses for custom filtering control, returning true to avoid filtering of the given request.
The default implementation always returns false.
- Overrides:
- shouldNotFilter in class OncePerRequestFilter
- Parameters:
- request - current HTTP request
- Returns:
- whether the given request should not be filtered
-
shouldNotFilterAsyncDispatch
protected boolean shouldNotFilterAsyncDispatch()
Description copied from class: OncePerRequestFilter
The dispatcher type jakarta.servlet.DispatcherType.ASYNC means a filter can be invoked in more than one thread over the course of a single request. Some filters only need to filter the initial thread (e.g. request wrapping) while others may need to be invoked at least once in each additional thread, for example for setting up thread locals or to perform final processing at the very end.
Note that although a filter can be mapped to handle specific dispatcher types via web.xml or in Java through the ServletContext, servlet containers may enforce different defaults with respect to dispatcher types. This flag enforces the design intent of the filter.
The default return value is "true", which means the filter will not be invoked during subsequent async dispatches. If "false", the filter will be invoked during async dispatches with the same guarantees of being invoked only once during a request within a single thread.
- Overrides:
- shouldNotFilterAsyncDispatch in class OncePerRequestFilter
-
shouldNotFilterErrorDispatch
protected boolean shouldNotFilterErrorDispatch()
Description copied from class: OncePerRequestFilter
Whether to filter error dispatches such as when the servlet container processes an error mapped in web.xml. The default return value is "true", which means the filter will not be invoked in case of an error dispatch.
- Overrides:
- shouldNotFilterErrorDispatch in class OncePerRequestFilter
-
doFilterInternal
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException
Description copied from class: OncePerRequestFilter
Same contract as for doFilter, but guaranteed to be just invoked once per request within a single request thread. See OncePerRequestFilter.shouldNotFilterAsyncDispatch() for details.
Provides HttpServletRequest and HttpServletResponse arguments instead of the default ServletRequest and ServletResponse ones.
- Specified by:
- doFilterInternal in class OncePerRequestFilter
- Throws:
- ServletException
- IOException
-
formatRequest
protected String formatRequest(HttpServletRequest request)
Format the request for logging purposes including HTTP method and URL.
- Parameters:
- request - the request to format
- Returns:
- the String to display, never empty or null
-
doFilterNestedErrorDispatch
protected void doFilterNestedErrorDispatch(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException
Description copied from class: OncePerRequestFilter
Typically an ERROR dispatch happens after the REQUEST dispatch completes, and the filter chain starts anew. On some servers however the ERROR dispatch may be nested within the REQUEST dispatch, e.g. as a result of calling sendError on the response. In that case we are still in the filter chain, on the same thread, but the request and response have been switched to the original, unwrapped ones.
Sub-classes may use this method to filter such nested ERROR dispatches and re-apply wrapping on the request or response. ThreadLocal context, if any, should still be active as we are still nested within the filter chain.
- Overrides:
- doFilterNestedErrorDispatch in class OncePerRequestFilter
- Throws:
- ServletException
- IOException
-