英文:
Spring Security - Token authentication with request host name
问题
我有一个使用Spring Boot实现的应用程序,在其中使用Spring Security进行身份验证。我已经实现了基于令牌的身份验证,客户端需要检索令牌,然后在后续请求中使用该令牌进行身份验证。
我想增强这个功能,使得令牌可以限制在特定的主机名上使用,以便仅用于来自该主机的请求。这类似于谷歌地图API使用其API密钥的方式,可以通过IP或主机名进行限制。
以下是我已经实现的代码,用于尝试检索请求的主机名:
public String getClientHostName(HttpServletRequest request) {
String hostName = null;
// 获取请求的IP地址
String clientAddress = httpRequest.getRemoteAddr();
String xfHeader = httpRequest.getHeader("X-Forwarded-For");
if (xfHeader != null) {
clientAddress = xfHeader.split(",")[0];
}
// 尝试从IP地址解析主机名
try {
InetAddress address = InetAddress.getByName(clientAddress);
hostName = address.getHostName();
} catch (UnknownHostException e) {
logger.error("无法从请求的远程地址获取主机名。", e);
}
return hostName;
}
我目前存在两个问题:
-
这段代码并不总是能够成功检索主机名。有时它只返回IP地址。我理解这可能与InetAddress类执行的某些IP欺骗检查有关。
-
在从不同主机测试请求时,我并不总是得到预期的IP地址。我经常得到转发请求的另一个主机的IP地址(我原以为通过检查"X-Forwarded-For"可以解决这个问题)。这让我怀疑如何获取发起请求的真实原始主机的IP。
是否有一种可靠的方法来检查请求发起者的主机名?
英文:
I have an application implemented with Spring Boot, where I use Spring Security for authentication. I already have "token based" authentication in place, where clients are required to retrieve a token, and then use that token to authenticate in subsequent requests.
I would like to enhance this so that a token could be restricted to a specific hostname, so that is can only be used for requests from that host. This is similar to what the google maps API does with its API keys, where it is possible to restrict them by IP or host name.
Here is the code I have implemented to try to retrieve the request's host name
public String getClientHostName(HttpServletRequest request) {
String hostName = null;
// get the request's IP address
String clientAddress = httpRequest.getRemoteAddr();
String xfHeader = httpRequest.getHeader("X-Forwarded-For");
if (xfHeader != null) {
clientAddress = xfHeader.split(",")[0];
}
// try to resolve the host name from the IP address
try {
InetAddress address = InetAddress.getByName(clientAddress);
hostName = address.getHostName();
} catch (UnknownHostException e) {
logger.error("Failed to get the host name from the request's remote address. ", e);
}
return hostName;
}
I have 2 issues right now:
-
This code does not always manage to retrieve the hostname. Sometimes it just returns the IP address. I understand this may be down to some IP spoofing check the InetAddress class does.
-
When testing requests from different hosts, I do not always get the IP address I am expecting. I often get the IP of another host that is forwarding the request (which I thought would be solved by checking "X-Forwarded-For"). This makes me wonder how to even retrieve the IP of the host that is the real originator of the request.
Is there a reliable way to check the host name of the originator of a request?
答案1
得分: 0
你尝试过通过以下代码获取主机名吗? String referrer = request.getHeader("referer"); ?
此外,在客户端,您还可以添加一小段代码以在请求头中查找主机名。
或者您可以提供以下代码,将其添加到客户端,然后在服务器端可以读取域的值,该值将返回主机名。
<input type="button" value="Register" onClick="call()"/>
<script>
function call(){
var domain=window.location.hostname;
window.open('http://<your-hostname>/register?domain='+domain,'_self');
}
</script>
英文:
have you tried getting hostname by String referrer = request.getHeader("referer"); ?
Also, on client side also you can add a snippet to find out the hostname in the headers.
Or you can provide below code to be added on client side and on server you can read the value of domain which will return hostname
<input type="button" value="Register" onClick="call()"/>
<script>
function call(){
var domain=window.location.hostname;
window.open('http://<your-hostname>/register?domain='+domain,'_self');
}
</script>
专注分享java语言的经验与见解,让所有开发者获益!
评论