
IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy

Open dsbecker opened this issue 3 years ago • 1 comments

Describe the bug

When server.forward-headers-strategy=framework is used in a WebFlux project that makes use of an IpAddressServerWebExchangeMatcher, a NullPointerException is thrown when a Forwarded or X-Forwarded-For header is present because the remoteAddress created by ForwardedHeaderTransformer is unresolved.

To Reproduce

  1. Create a sample WebFlux project and set server.forward-headers-strategy=framework
  2. Define a SecurityWebFilterChain bean that calls an IpAddressServerWebExchangeMatcher
  3. Submit a request with a Forwarded or X-Forwarded-For header

Expected behavior

The IpAddressServerWebExchangeMatcher should execute as normal with no exception thrown.

Sample

    server.forward-headers-strategy=framework

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity httpSecurity) {
        return httpSecurity
                .authorizeExchange(auth -> auth
                        .pathMatchers("/**")
                            .access((authentication, authorizationContext) ->
                                new IpAddressServerWebExchangeMatcher("255.255.255.255")
                                        .matches(authorizationContext.getExchange())
                                        .map(matchResult -> new AuthorizationDecision(matchResult.isMatch()))))
                .build();
    }

dsbecker, Sep 21 '22 16:09
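An added example, not taken from the issue or from the Spring Security code base: plain-JDK Java showing why an unresolved InetSocketAddress (which the report says ForwardedHeaderTransformer creates) returns null from getAddress(), and one null-safe way to recover the client IP from it. The class name, the `clientIp` helper and the sample addresses are assumptions made up for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.Optional;

public class UnresolvedRemoteAddressDemo {

    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1?\\d?\\d)";
    private static final String IPV4 = OCTET + "(\\." + OCTET + "){3}";

    /** Client IP for resolved and unresolved addresses; empty if none is usable. */
    static Optional<InetAddress> clientIp(InetSocketAddress remote) {
        if (remote == null) {
            return Optional.empty();
        }
        if (!remote.isUnresolved()) {
            return Optional.of(remote.getAddress());
        }
        // Unresolved: getAddress() is null, only the host string is available.
        String host = remote.getHostString();
        boolean ipv6Shape = host.indexOf(':') >= 0 && host.matches("[0-9a-fA-F:.]+");
        if (!host.matches(IPV4) && !ipv6Shape) {
            return Optional.empty(); // not IP-literal syntax: never handed to getByName
        }
        try {
            return Optional.of(InetAddress.getByName(host));
        } catch (UnknownHostException e) {
            return Optional.empty(); // malformed literal
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample addresses from the documentation ranges.
        InetSocketAddress direct = new InetSocketAddress(InetAddress.getByName("192.0.2.10"), 50000);
        InetSocketAddress forwarded = InetSocketAddress.createUnresolved("203.0.113.7", 50000);
        InetSocketAddress named = InetSocketAddress.createUnresolved("client.example", 50000);

        System.out.println("direct.getAddress()    = " + direct.getAddress());
        System.out.println("forwarded.getAddress() = " + forwarded.getAddress());
        System.out.println("clientIp(direct)       = " + clientIp(direct));
        System.out.println("clientIp(forwarded)    = " + clientIp(forwarded));
        System.out.println("clientIp(named)        = " + clientIp(named));
    }
}
```

An empty result is best treated as a non-match so that an IP-based access rule fails closed instead of throwing.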

Submitted PR to fix this: https://github.com/spring-projects/spring-security/pull/11889

dsbecker, Sep 21 '22 16:09

Closed in 2b426872a32d9120d4834780ed2e1e9e7a6dde12

jzheaux, Oct 24 '22 22:10