
Supporting IP based whitelisting in Java web-service

I want to support IP-based whitelisting in one of the Java web services. To implement that I have written a servlet filter in which I am verifying whether the remote machine IP belongs to the whitelisted IPs. To determine the remote machine IP I am using the following code:
String ipAddress = httpServletRequest.getRemoteAddr();
I want to know if there is a way by which the remote machine IP can be impersonated by the attacker without going inside the remote machine. If yes, then is there a better, secure way to determine the remote IP?

There is a way; however, it's not an easy way. See this answer for more details.

Remember that httpServletRequest.getRemoteAddr() will be no good if you deploy your app behind a proxy or a CDN. In that case, you'd have to check the X-FORWARDED-FOR header and then it's easy to forge that.
