
Add an option to allow passing X-Forwarded headers to the application #9955

Merged
nielsm5 merged 8 commits into release/9.0 from issue/9.0/9954_XForwardHeadersMissing
Nov 25, 2025

Conversation

@tnleeuw (Contributor) commented Nov 20, 2025

Changes

Add an option to allow passing X-Forwarded headers to the application and pipelines. By default this is true for this version, for backwards compatibility, but in future this should default to false for security.

Pull Request Checklist

Title

  • Title expresses the business value (who benefits + what outcome)

Issues

  • Relevant issues linked

Backports

  • Backport PRs created (if needed) and linked

Documentation

  • FF! Doc updated (user-facing behavior/config)
  • FF! Manual updated (if applicable)
  • Javadoc updated/generated (developer-facing APIs)

Tests

  • Unit tests added/updated
  • E2E/Integration tests added/updated (if applicable)

Breaking changes

  • Breaking change recorded in markdown file
  • Migration notes included (if needed)

// This filter converts x-forwarded headers to their corresponding `normal` headers. Eg. `X-Forwarded-Proto` sets HttpServletRequest.isSecure to `true`.
http.addFilterBefore(new ForwardedHeaderFilter(), SecurityContextHolderFilter.class);
if (!allowForwardedHeadersPassthrough) {
// This filter removes x-forwarded headers and converts them to their corresponding `normal` headers. Eg. `X-Forwarded-Proto` sets HttpServletRequest.isSecure to `true`.
Member
The filter does more than just blocking the headers. It manipulates the request, it will use the 'forwarded' information as scheme, secure, host, port, remote-address fields.
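To make the reviewer's point concrete, here is an added example written for this page; it is not code from this PR, from the Frank!Framework, or from Spring. It is a plain servlet filter (the class, method and constructor names are hypothetical) that implements only the "block or pass through" decision the new option controls: when passthrough is off, or when the immediate peer is not a configured trusted proxy, the application sees a request with every `Forwarded` and `X-Forwarded-*` header hidden. The trusted-proxy check is an addition of this example, not something the PR does; it reflects the fact that with passthrough enabled any directly connected client can set these headers and so choose the scheme, host, port and remote address the application derives from them. The example assumes `jakarta.servlet-api` on the classpath and Java 17.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical filter (not the project's CustomizedForwardedHeaderFilter): decides per request
 * whether Forwarded / X-Forwarded-* headers are visible to the application and its pipelines.
 * Unlike Spring's ForwardedHeaderFilter it never rewrites scheme, host, port or remote address;
 * it only hides the headers or lets them through unchanged.
 */
public class ForwardedHeaderPolicyFilter implements Filter {

    private final boolean allowForwardedHeadersPassthrough;
    private final Set<String> trustedProxies; // assumption: peer addresses of proxies we trust

    public ForwardedHeaderPolicyFilter(boolean allowForwardedHeadersPassthrough, Set<String> trustedProxies) {
        this.allowForwardedHeadersPassthrough = allowForwardedHeadersPassthrough;
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    /** RFC 7239 "Forwarded" plus the de-facto X-Forwarded-* family (case-insensitive). */
    static boolean isForwardedHeader(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.equals("forwarded") || n.startsWith("x-forwarded-");
    }

    /**
     * Headers are passed through only if the option is on AND the immediate peer is a trusted
     * proxy; otherwise a direct client could dictate scheme, host, port and remote address.
     */
    boolean shouldPassThrough(HttpServletRequest request) {
        return allowForwardedHeadersPassthrough && trustedProxies.contains(request.getRemoteAddr());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest http && !shouldPassThrough(http)) {
            chain.doFilter(new ForwardedHeaderStrippingRequest(http), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Request view that hides forwarded headers from everything further down the chain. */
    static final class ForwardedHeaderStrippingRequest extends HttpServletRequestWrapper {
        ForwardedHeaderStrippingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getHeader(String name) {
            return isForwardedHeader(name) ? null : super.getHeader(name);
        }

        @Override
        public Enumeration<String> getHeaders(String name) {
            return isForwardedHeader(name) ? Collections.emptyEnumeration() : super.getHeaders(name);
        }

        @Override
        public Enumeration<String> getHeaderNames() {
            Set<String> names = new HashSet<>();
            for (Enumeration<String> e = super.getHeaderNames(); e.hasMoreElements();) {
                String n = e.nextElement();
                if (!isForwardedHeader(n)) {
                    names.add(n);
                }
            }
            return Collections.enumeration(names);
        }
    }
}
```

In a Spring Security configuration such a filter would be registered the same way the PR registers its own, e.g. `http.addFilterBefore(new ForwardedHeaderPolicyFilter(allowForwardedHeadersPassthrough, trustedProxies), SecurityContextHolderFilter.class)`. If the goal is only to strip the headers without honouring them, Spring's own `ForwardedHeaderFilter` offers that mode via `setRemoveOnly(true)`; its default mode is the one the reviewer describes, in which the forwarded values are consumed and applied to the request's scheme, secure flag, host, port and remote address.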

* @see <a href="https://tools.ietf.org/html/rfc7239">https://tools.ietf.org/html/rfc7239</a>
* @see <a href="https://docs.spring.io/spring-framework/reference/web/webmvc/filters.html#filters-forwarded-headers">Forwarded Headers</a>
*/
public class CustomizedForwardedHeaderFilter extends OncePerRequestFilter {
Member

Maybe put //NOSONAR here?

Member

Or fix the issues??

@sonarqubecloud

Quality Gate failed

Failed conditions
7.5% Coverage on New Code (required ≥ 65%)

See analysis details on SonarQube Cloud

@nielsm5 nielsm5 merged commit ee0a69a into release/9.0 Nov 25, 2025
16 of 18 checks passed
@nielsm5 nielsm5 deleted the issue/9.0/9954_XForwardHeadersMissing branch November 25, 2025 19:30


Development

Successfully merging this pull request may close these issues.

x-forwarded-headers stripped by spring security from version 9.0 and onwards

2 participants