
Get Client IP from a Server JSP [Security]

I want to know about the security issues of using the JSP method request.getRemoteAddr().

I want to filter some client IPs (I can't use a firewall :-().

I was wondering: can an attacker change the IP source of the HTTP request in this way?

Or is the client IP built from layer 3?

I want to check the security of this method against forging of the HTTP request (similar to IP spoofing, which is instead based on layer 3 IP).

Thanks to all,

Andrea

The "client" IP address of an HTTP request is actually the IP of the last HTTP proxy. The client can't spoof it, but if the client uses a proxy (and many do) then the IP address won't be much help in identifying the source of the request.


I just want to be sure that all the requests come to my server through a proxy, and I don't want a client to be able to change this information in order to let the server think that it is coming from a proxy while it's not...

It is theoretically possible for a client to spoof the IP address of the proxy, but it is not easy.
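
An added example, not part of the original thread: an allowlist check on the string that request.getRemoteAddr() returns, accepting a request only when its TCP peer is one of your own proxies. The class name, method names and address ranges are assumptions constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

// Added example: allowlist check on the TCP peer address, i.e. the string
// that request.getRemoteAddr() returns inside a JSP or servlet.
public class PeerAllowlist {
    // Constructed sample ranges (assumption): the addresses of your own proxies.
    private static final List<String> TRUSTED_PROXIES =
            List.of("192.0.2.10/32", "10.20.0.0/16", "2001:db8:1::/48");

    /** True if addr falls inside the CIDR block, e.g. "10.20.0.0/16". */
    static boolean inCidr(String addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] ip = InetAddress.getByName(addr).getAddress();
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        if (ip.length != net.length) return false;      // IPv4 vs IPv6 mismatch
        int prefix = Integer.parseInt(parts[1]);
        if (prefix < 0 || prefix > net.length * 8) return false;
        int fullBytes = prefix / 8, restBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++) {
            if (ip[i] != net[i]) return false;
        }
        if (restBits == 0) return true;
        int mask = (0xFF << (8 - restBits)) & 0xFF;     // top restBits bits set
        return (ip[fullBytes] & mask) == (net[fullBytes] & mask);
    }

    /** Decide from the peer address alone; request headers are never read. */
    static boolean isTrustedPeer(String remoteAddr) {
        if (remoteAddr == null) return false;           // getByName(null) is loopback
        try {
            for (String cidr : TRUSTED_PROXIES) {
                if (inCidr(remoteAddr, cidr)) return true;
            }
        } catch (UnknownHostException | NumberFormatException e) {
            // Unparseable input: fail closed.
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for request.getRemoteAddr().
        for (String peer : List.of("192.0.2.10", "10.20.33.7", "10.21.0.1",
                                   "2001:db8:1:ff::5", "203.0.113.9")) {
            System.out.println(peer + " -> " + (isTrustedPeer(peer) ? "allow" : "deny"));
        }
    }
}
```

In a JSP or servlet filter, pass request.getRemoteAddr() to isTrustedPeer and reject the request when it returns false.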
