Spring-boot: Consider using ForwardedHeaderFilter

Created on 13 Apr 2016  路  10Comments  路  Source: spring-projects/spring-boot

Spring 4.3 added ForwardedHeaderFilter which provides a cross container independent way to support X-Forwarded-* headers.

This is nice because not all containers provide the same support. For example, Tomcat does not support X-Forwarded-Host. Another benefit is that ForwardedHeaderFilter allows overriding the context root of the application in the event the proxy uses a different context root than the application. This is helpful to ensure links are rendered correctly.

enhancement
Source
picture rwinch

Most helpful comment

We've decided to reconsider this option and allow this use case with a enum, as suggested by @kakawait.
We should probably deprecate the existing server.use-forward-headers option and only use the enum option.

picture bclozel on 16 Jan 2019
👍4

All 10 comments

I'm not sure that we should change the current server.use-forward-headers property to use the filter. Since it's currently supported for Tomcat, Undertow and Jetty I'd rather just see the Tomcat bug fixed.

philwebb picture philwebb on 15 Apr 2016

@philwebb Thanks for the feedback. I think there are a few advantages to using Spring's ForwardedHeaderFilter:

  • You can support overriding the context root. I have seen this requirement for quite a few Pivotal Labs clients. (I have also experienced this need in the past)
  • It will be available right away
  • I'm guessing it will simplify the codebase since you can do the same thing for every container rather than having to adapt to each container specific implementation
rwinch picture rwinch on 15 Apr 2016

@rwinch Are there any downsides? Filter ordering for example? or performance?

philwebb picture philwebb on 15 Apr 2016

I doubt that performance would be an issue.

The only limitation I can think of is that a Filter would not wrap a ServletRequestListener. However, we already have lots of limitations around listeners.

rwinch picture rwinch on 15 Apr 2016

I am against this, for now at least. When Undertow's native support is used, the HttpServerExchange is marked as secure which has the knock-on effect of marking the request as secure. Anything in Undertow that looks at the exchange will get the wrong answer if we move to the filter-based approach.

wilkinsona picture wilkinsona on 23 Apr 2016

@wilkinsona What is looking at the HttpExchange vs the HttpServletRequest (which is correctly overridden)?

rwinch picture rwinch on 25 Apr 2016

Nothing in Undertow itself, other than its MarkSecureHandler which marks every request as secure by configuring an attachment on the exchange. The problem is that we have no way of knowing what other code might be looking in the "wrong" place. For that code, moving to ForwardedHeaderFilter would be a breaking change.

wilkinsona picture wilkinsona on 25 Apr 2016

Sorry, but we feel the current approach is probably better overall.

philwebb picture philwebb on 19 May 2016

Why not adding server.use-forward-headers-strategy with Enum (can find better name for value) like NATIVE (or CONTAINER), FILTER? As @rwinch explain ForwardedHeaderFilter can be useful for some use cases.

kakawait picture kakawait on 16 Jun 2016
👍4

We've decided to reconsider this option and allow this use case with a enum, as suggested by @kakawait.
We should probably deprecate the existing server.use-forward-headers option and only use the enum option.

bclozel picture bclozel on 16 Jan 2019
👍4
Was this page helpful?
0 / 5 - 0 ratings

Related issues

igormukhin picture igormukhin  路  55Comments
bonigarcia picture bonigarcia  路  35Comments
dsyer picture dsyer  路  32Comments
philwebb picture philwebb  路  42Comments
philwebb picture philwebb  路  45Comments