Is it possible to accurately determine the IP address of a client in java servlet

Question

I want to configure a machine in my network to accept all calls from a specific machine without authentication. For this I am planning to use the IP address of the client machine as the required trust factor to allow unchecked authentication.

My concern is that is it possible to accurately determine the IP address of a client in a java servlet? Is it possible that the IP which I get in the servlet can be changed by some hacking mechanism to made my server to believe that it is the trusted IP?

For example if my server machine is configured to trust 192.168.0.1, then is it possible by some other client other than 192.168.0.1 to pretend as 192.168.0.1 and fool my authentication mechanism?

Answer 1

You can use the getRemoteAddr() method from the HttpServletRequest class to obtain the IP address. Be careful, though. If your client is behind a proxy server (or even a NATting firewall), you'll get the proxy IP address instead.

So, you can also look for the X-Forwarded-For HTTP header (standard for identifying the source IP address of a client behind an HTTP proxy). See more on Wikipedia . Be careful, though. If your client is NOT behind a proxy, you can get a null XFF header. So, if you are to follow this path, you should use a mix of the servlet methods and XFF header evaluation. There is no guarantee, though, that the proxy will forward you the header.

But be aware that the source IP address can be easily changed or faked by any malicious client. I really recommend using some sort of client authentication (a certificate, for example). There is no way for a web app to accurately determine the client IP address.

Answer 2

Your service could be vulnerable to IP Spoofing . It's easy to forge packets that appear to be from a different IP address. The thing about spoofing, though, is that the attacker won't be able to receive any response packets. Therefore, if calling your services doesn't cause an internal change of state (ie it's read only ), then you should be okay. If, however, the calls to your service will issue writes , then you shouldn't rely simply on IP address because a spoofed packet will be enough to change the internal state of your system.

Answer 3

You could be locally susepitable to ARP Spoofing . Where a malicious machine convinces the router to associate the IP address with it's MAC address.

The level and mechanism of trust really depends on the sensitivity of the server/service you are trying to protect and the environment you are operating in.

It looks to me that this is a local arrangement given the private IP address 192.168 range. If this server is not public facing, not critical and you are operating in a relatively secure LAN environment that's well shut off from the public and other private LANS then you should be OK. Otherwise you should look at other security options at a higher level.

Answer 4

My concern is that is it possible to accurately determine the IP address of a client in a java servlet?

No it is not possible. There are a number of scenarios where you won't see the real client IP address due to either the actions of the user, or other reasons that are outside the user's control.

In the latter cases, IP-based identification ends up causing head-aches for your honest customers; ie the customers that you really want to keep.

If you really need to limit access to specific set of computers, you should consider using something like SSL/TLS with client certificates as your first line of defence. TLS with client certificates is described here .

Answer 5

IP可以像电子邮件发件人一样轻易伪造，我强烈建议不要仅仅依赖它们。