x-forwarded-headers stripped by spring security from version 9.0 and onwards #9954
Description
Current Behavior
Api listeners are not listing x-headers, even though they are enumerated in the headerparam property.
Other custom headers are shown as usual.
problem has been traced to implementation of new spring security filter in 9.+ where x-headers are filtered out by "ForwardedHeaderFilter".
Expected Behavior
i'd like to have the x-headers available.
Environment Information
FF! 9.0.4-20251113.095828: ibis4salesforce_task
Running on ibis4salesforce-task-app-tst using Apache Tomcat/10.1.39
Java Version: OpenJDK Runtime Environment (17.0.16+8-LTS)
Heap size: 430.4 MiB, total JVM memory: 991.5 MiB
Free memory: 561.1 MiB, max memory: 991.5 MiB
Free disk space: 8.6 GiB, total disk space: 14.9 GiB
Up since: 2025-11-19 05:12:47 (5h), timezone: Europe/Amsterdam
Steps To Reproduce
No response
Configuration
<Receiver name="GetTasksReceiver">
<ApiListener name="GetTasksListener" uriPattern="tasks" authenticationMethod="AUTHROLE" authenticationRoles="IbisWebService" produces="JSON"
headerParams="X-NN-ProcessId,X-NN-RequestId,X-JWT-Assertion,X-Forwarded-Host,X-NN-Application-Name"/>
</Receiver>Input
see picture above
What database are you using?
No response
What browsers are you seeing the problem on?
No response
Relevant Log Output
Anything else?
No response
Metadata
Metadata
Assignees
Type
Projects
Status