Associating an `AuthenticationFailureBadCredential

2019-08-01 11:17发布

问题:

So I wrote this ...

@Component
class AuthenticationFailureListener : ApplicationListener<AuthenticationFailureBadCredentialsEvent>{

    private val bruteForceProtection : BruteForceProtection

    @Inject
    constructor(bruteForceProtection: BruteForceProtection){
        this.bruteForceProtection = bruteForceProtection
    }

    override fun onApplicationEvent(event: AuthenticationFailureBadCredentialsEvent) {
        val webDetails = event.authentication.details as WebAuthenticationDetails
        val remoteAddress = webDetails.remoteAddress

        bruteForceProtection.recordFailedAttempt(remoteAddress)
    }
}

Then realised I have no idea if Spring accounts for X-Forwarded-For headers when setting the remote address in the security context.

Does it?

Or how would I associate the AuthenticationFailureBadCredentialsEvent with the remote address it originated from?

回答1:

From Spring Security#15.4 Proxy Server Configuration:

When using a proxy server it is important to ensure that you have configured your application properly. For example, many applications will have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080 Without proper configuration, the application server will not know that the load balancer exists and treat the request as though https://192.168.1:8080 was requested by the client.

To fix this you can use RFC 7239 to specify that a load balancer is being used. To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers. For example Tomcat uses the RemoteIpValve and Jetty uses ForwardedRequestCustomizer. Alternatively, Spring 4.3+ users can leverage ForwardedHeaderFilter.

Neither Spring framework nor Spring Security itself do anything special about X-Forwarded* headers.

So our options to apply such information are:

  • exposing the ForwardedHeaderFilter
  • configuring the server

Unfortunately ForwardedHeaderFilter does not inspect X-Forwarded-For header as of 5.1.7.RELEASE.

So the option left is to configure server.

Since you're using tomcat you can supply a server.tomcat.remote-ip-header property to take the header into account.

See also ServerProperties

application.yml:

server:
  tomcat:
    remote-ip-header: X-Forwarded-For

then getRemoteAddr will return the ip address present in X-Forwarded-For header which is used by WebAuthenticationDetails itself

WebAuthenticationDetails.java

public WebAuthenticationDetails(HttpServletRequest request) {
    this.remoteAddress = request.getRemoteAddr();

    HttpSession session = request.getSession(false);
    this.sessionId = (session != null) ? session.getId() : null;
}

Here is a test a simple test:

IpController.kt:

@RestController
class IpController {
    @GetMapping("/ip")
    fun getIp(request: HttpServletRequest) = mapOf("ip" to request.remoteAddr)
}

IpControllerTest.kt

@SpringBootTest(properties = ["server.tomcat.remote-ip-header=X-Forwarded-For"],
        webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class IpControllerTest {
    @Autowired
    private lateinit var testRestTemplate: TestRestTemplate

    @Test
    fun `uses ip from x-forwarded-for`() {
        val httpHeaders = HttpHeaders()
        httpHeaders["X-Forwarded-For"] = "8.8.8.8"
        val httpEntity = HttpEntity<Any>(httpHeaders)
        val map = testRestTemplate.exchange<Map<String, *>>("/ip", HttpMethod.GET, httpEntity)
                .body!!
        assertEquals("8.8.8.8", map["ip"])
    }
}