Rossen Stoyanchev opened SPR-16668 and commented
Currently "Forwarded" headers are consumed indirectly when building links with ServletUriComponentsBuilder, MvcUriComponentsBuilder or in CORS checks. While the behavior is documented, it can be overlooked, and it would be better to defer the treatment of such headers to the ForwardedHeaderFilter which requires an explicit choice, handles such headers more efficiently (once per request), is more comprehensive as a solution (e.g. applies to redirects too), and provides a removeOnly flag which can discard such headers when the application is not behind a trusted proxy.
On the implementation level we would keep the current UriComponentsBuilder.fromHttpRequest which encapsulates the actual handling of such headers, and switch the above to use UriComponentsBuilder.fromUri instead.
In the meantime, applications can use the ForwardedHeaderFilter which removes those headers (by wrapping the request), either consuming or ignoring them, and thus providing a single point of handling.
Affects: 5.0.4
Issue Links:
Referenced from: commits 4da43de
0 votes, 6 watchers
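The two modes of the filter described in the issue, as an added example that is not part of the original issue or of the Spring Framework's own code. It assumes Spring 5.x on javax.servlet and the spring-test mock classes (MockHttpServletRequest, MockHttpServletResponse, MockFilterChain); the request values and header values are constructed for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.ForwardedHeaderFilter;

public class ForwardedHeaderFilterDemo {

    // Constructed request: the backend receives it on its own host/port, but the
    // caller has attached X-Forwarded-* headers claiming a public HTTPS origin.
    private static MockHttpServletRequest requestWithForwardedHeaders() {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/app/resource");
        request.setScheme("http");
        request.setServerName("backend.internal");
        request.setServerPort(8080);
        request.addHeader("X-Forwarded-Proto", "https");
        request.addHeader("X-Forwarded-Host", "example.com");
        request.addHeader("X-Forwarded-Port", "443");
        return request;
    }

    // Runs the constructed request through ForwardedHeaderFilter and returns the
    // wrapped request that the application (and its link builders) would observe.
    static HttpServletRequest applyFilter(boolean removeOnly) throws ServletException, IOException {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        // removeOnly=true is the setting for a deployment that is NOT behind a
        // trusted proxy: forwarded headers are stripped and never consulted.
        filter.setRemoveOnly(removeOnly);
        MockFilterChain chain = new MockFilterChain();
        filter.doFilter(requestWithForwardedHeaders(), new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    public static void main(String[] args) throws Exception {
        // Behind a trusted proxy: the filter consumes the headers once and
        // rewrites scheme/host/port, so every link and redirect uses the public origin.
        HttpServletRequest trusted = applyFilter(false);
        System.out.println("consume (trusted proxy) : " + trusted.getRequestURL()
                + " | X-Forwarded-Host=" + trusted.getHeader("X-Forwarded-Host"));

        // Not behind a trusted proxy: the headers are discarded, so a client cannot
        // influence generated links, redirects or CORS origin checks.
        HttpServletRequest untrusted = applyFilter(true);
        System.out.println("removeOnly (no proxy)   : " + untrusted.getRequestURL()
                + " | X-Forwarded-Host=" + untrusted.getHeader("X-Forwarded-Host"));
    }
}
```

In the first run the request URL is rebuilt from the forwarded scheme, host and port and the header is no longer visible downstream; in the second the URL stays the backend's own and the header is simply gone. Either way the handling happens in one place, which is the point the issue makes about moving it out of the individual URI builders and CORS checks. In a real deployment the filter is registered like any other servlet Filter (for example from a WebApplicationInitializer), with removeOnly chosen per environment.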