Resolution: Fixed
Assignee: Rodrigo Pastrana
Reporter: Tim Klemm
Priority: Minor
Created August 25, 2016 at 7:03 PM
Updated November 29, 2016 at 8:09 AM
Resolved November 17, 2016 at 6:52 PM
Extend the HttpPropertyType enumeration so that getProp supports two additional value types:
1. A named HTTP header
2. An unnamed socket endpoint address
Some users of the secure context make decisions based on the contents of the "x-forwarded-for" header and the socket address. The secure user peer, which is currently available to security manager plugins, is derived from these two values, but on its own it is insufficient for those decisions.
A security manager which restricts access based on the originating IP address may choose to bypass this restriction for requests originating on the local host. A derived peer that is a local host address (127.0.0.0/8 or ::1) is not proof that the request originated locally: the local host address could be the result of a spoofed forwarding header. The socket address alone is also not proof, as the request could have been forwarded by a proxy running on the local host. A socket endpoint that is the local host, combined with the absence of any forwarding header, provides greater confidence of local origination.
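The three checks contrasted above, written out as an added example (this is not HPCC Systems code and the struct and function names are assumptions for illustration). `RequestProps` stands in for the two values the issue asks getProp to expose; `derivedPeer` assumes the common "first X-Forwarded-For entry, else socket peer" derivation, which the issue does not spell out. Each weak check is shown beside the input that fools it, and the stronger check requires both a loopback socket peer and no forwarding header at all:

```cpp
#include <string>

// Hypothetical view of one request: the two value kinds the issue asks for.
// (Names are assumptions for this example, not HPCC Systems API names.)
struct RequestProps {
    std::string socketPeer;      // unnamed socket endpoint address, bare IP, no port
    bool hasForwardedFor;        // was an X-Forwarded-For header present at all?
    std::string forwardedFor;    // header value when present (may be empty)
};

static std::string trim(const std::string& s) {
    const char* ws = " \t";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Loopback test for the address forms this example expects: IPv4 127/8,
// IPv6 ::1, and IPv4-mapped IPv6 ::ffff:127.x.x.x (lower-case text assumed).
bool isLoopback(const std::string& addr) {
    return addr.rfind("127.", 0) == 0
        || addr == "::1"
        || addr.rfind("::ffff:127.", 0) == 0;
}

// "Derived peer": leftmost X-Forwarded-For entry if the header carries one,
// otherwise the socket peer. Assumed derivation; the issue does not define it.
std::string derivedPeer(const RequestProps& p) {
    if (!p.hasForwardedFor) return p.socketPeer;
    std::string first = trim(p.forwardedFor.substr(0, p.forwardedFor.find(',')));
    return first.empty() ? p.socketPeer : first;
}

// Weak check 1: trusts the derived peer. Any remote client satisfies it by
// sending "X-Forwarded-For: 127.0.0.1".
bool localByDerivedPeer(const RequestProps& p) {
    return isLoopback(derivedPeer(p));
}

// Weak check 2: trusts the socket alone. A proxy on the same host forwarding a
// remote client's request also connects from loopback.
bool localBySocketOnly(const RequestProps& p) {
    return isLoopback(p.socketPeer);
}

// Stronger check: TCP peer must be loopback AND no forwarding header may be
// present. Even an empty header is treated as evidence of forwarding.
bool localByEndpointAndHeader(const RequestProps& p) {
    return isLoopback(p.socketPeer) && !p.hasForwardedFor;
}
```

Inputs here are constructed: 127.0.0.1 and ::1 for direct local calls, 203.0.113.5 (a documentation range) for the remote client. Note that the stronger check deliberately rejects a genuine local client that happens to sit behind a local reverse proxy; that is the trade-off the issue describes, favouring confidence over coverage for a bypass decision.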