Class ForwardedHeaderTransformer
java.lang.Object
org.springframework.web.server.adapter.ForwardedHeaderTransformer
- All Implemented Interfaces:
Function<ServerHttpRequest,
ServerHttpRequest>
public class ForwardedHeaderTransformer
extends Object
implements Function<ServerHttpRequest,ServerHttpRequest>
Extract values from "Forwarded" and "X-Forwarded-*" headers to override
the request URI (i.e.
HttpRequest.getURI()
) so it reflects
the client-originated protocol and address.
An instance of this class is typically declared as a bean with the name
"forwardedHeaderTransformer" and detected by
WebHttpHandlerBuilder.applicationContext(ApplicationContext)
, or it
can also be registered directly via
WebHttpHandlerBuilder.forwardedHeaderTransformer(ForwardedHeaderTransformer)
.
There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client. This is why a proxy at the boundary of trust should be configured to remove untrusted Forwarded headers that come from the outside.
You can also configure the ForwardedHeaderFilter with removeOnly
,
in which case it removes but does not use the headers.
- Since:
- 5.1
- Author:
- Rossen Stoyanchev
- See Also:
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionapply
(ServerHttpRequest request) Apply and remove, or remove Forwarded type headers.protected boolean
hasForwardedHeaders
(ServerHttpRequest request) Whether the request has any Forwarded headers.boolean
Whether the "remove only" mode is on.void
setRemoveOnly
(boolean removeOnly) Enable mode in which any "Forwarded" or "X-Forwarded-*" headers are removed only and the information in them ignored.
-
Constructor Details
-
ForwardedHeaderTransformer
public ForwardedHeaderTransformer()
-
-
Method Details
-
setRemoveOnly
public void setRemoveOnly(boolean removeOnly) Enable mode in which any "Forwarded" or "X-Forwarded-*" headers are removed only and the information in them ignored.- Parameters:
removeOnly
- whether to discard and ignore forwarded headers
-
isRemoveOnly
public boolean isRemoveOnly()Whether the "remove only" mode is on.- See Also:
-
apply
Apply and remove, or remove Forwarded type headers.- Specified by:
apply
in interfaceFunction<ServerHttpRequest,
ServerHttpRequest> - Parameters:
request
- the request
-
hasForwardedHeaders
Whether the request has any Forwarded headers.- Parameters:
request
- the request
-