Class ForwardedHeaderFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.springframework.web.filter.ForwardedHeaderFilter
All Implemented Interfaces:
jakarta.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, EnvironmentAware, EnvironmentCapable, ServletContextAware
public class ForwardedHeaderFilter extends OncePerRequestFilter
Extract values from "Forwarded" and "X-Forwarded-*" headers, wrap the request and response, and make they reflect the client-originated protocol and address in the following methods:
  • getServerName()
  • getServerPort()
  • getScheme()
  • isSecure()
  • sendRedirect(String).

There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client. This is why a proxy at the boundary of trust should be configured to remove untrusted Forwarded headers that come from the outside.

You can also configure the ForwardedHeaderFilter with removeOnly, in which case it removes but does not use the headers.

Since:
4.3
Author:
Rossen Stoyanchev, EddĂș MelĂ©ndez, Rob Winch, Brian Clozel, Mengqi Xu
See Also:

  • Constructor Details

    • ForwardedHeaderFilter

      public ForwardedHeaderFilter()

  • Method Details

    • setRemoveOnly

      public void setRemoveOnly(boolean removeOnly)
      Enables mode in which any "Forwarded" or "X-Forwarded-*" headers are removed only and the information in them ignored.
      Parameters:
      removeOnly - whether to discard and ignore forwarded headers
      Since:
      4.3.9

    • setRelativeRedirects

      public void setRelativeRedirects(boolean relativeRedirects)
      Use this property to enable relative redirects as explained in RelativeRedirectFilter, and also using the same response wrapper as that filter does, or if both are configured, only one will wrap.

      By default, if this property is set to false, in which case calls to HttpServletResponse.sendRedirect(String) are overridden in order to turn relative into absolute URLs, also taking into account forwarded headers.

      Parameters:
      relativeRedirects - whether to use relative redirects
      Since:
      4.3.10

    • shouldNotFilter

      protected boolean shouldNotFilter(jakarta.servlet.http.HttpServletRequest request)
      Description copied from class: OncePerRequestFilter
      Can be overridden in subclasses for custom filtering control, returning true to avoid filtering of the given request.

      The default implementation always returns false.

      Overrides:
      shouldNotFilter in class OncePerRequestFilter
      Parameters:
      request - current HTTP request
      Returns:
      whether the given request should not be filtered

    • shouldNotFilterAsyncDispatch

      protected boolean shouldNotFilterAsyncDispatch()
      Description copied from class: OncePerRequestFilter
      The dispatcher type jakarta.servlet.DispatcherType.ASYNC means a filter can be invoked in more than one thread over the course of a single request. Some filters only need to filter the initial thread (for example, request wrapping) while others may need to be invoked at least once in each additional thread for example for setting up thread locals or to perform final processing at the very end.

      Note that although a filter can be mapped to handle specific dispatcher types via web.xml or in Java through the ServletContext, servlet containers may enforce different defaults with respect to dispatcher types. This flag enforces the design intent of the filter.

      The default return value is "true", which means the filter will not be invoked during subsequent async dispatches. If "false", the filter will be invoked during async dispatches with the same guarantees of being invoked only once during a request within a single thread.

      Overrides:
      shouldNotFilterAsyncDispatch in class OncePerRequestFilter

    • shouldNotFilterErrorDispatch

      protected boolean shouldNotFilterErrorDispatch()
      Description copied from class: OncePerRequestFilter
      Whether to filter error dispatches such as when the servlet container processes and error mapped in web.xml. The default return value is "true", which means the filter will not be invoked in case of an error dispatch.
      Overrides:
      shouldNotFilterErrorDispatch in class OncePerRequestFilter

    • doFilterInternal

      protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException
      Description copied from class: OncePerRequestFilter
      Same contract as for doFilter, but guaranteed to be just invoked once per request within a single request thread. See OncePerRequestFilter.shouldNotFilterAsyncDispatch() for details.

      Provides HttpServletRequest and HttpServletResponse arguments instead of the default ServletRequest and ServletResponse ones.

      Specified by:
      doFilterInternal in class OncePerRequestFilter
      Throws:
      jakarta.servlet.ServletException
      IOException

    • formatRequest

      protected String formatRequest(jakarta.servlet.http.HttpServletRequest request)
      Format the request for logging purposes including HTTP method and URL.
      Parameters:
      request - the request to format
      Returns:
      the String to display, never empty or null

    • doFilterNestedErrorDispatch

      protected void doFilterNestedErrorDispatch(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException
      Description copied from class: OncePerRequestFilter
      Typically an ERROR dispatch happens after the REQUEST dispatch completes, and the filter chain starts anew. On some servers however the ERROR dispatch may be nested within the REQUEST dispatch, for example, as a result of calling sendError on the response. In that case we are still in the filter chain, on the same thread, but the request and response have been switched to the original, unwrapped ones.

      Sub-classes may use this method to filter such nested ERROR dispatches and re-apply wrapping on the request or response. ThreadLocal context, if any, should still be active as we are still nested within the filter chain.

      Overrides:
      doFilterNestedErrorDispatch in class OncePerRequestFilter
      Throws:
      jakarta.servlet.ServletException
      IOException