开发者

Rest - how get IP address of caller

问答 作者:

I am writing a Java Rest Web Service and need the caller's IP Address. I thought I saw this in the cookie once but now I don't see it. Is there a consistent place to get this information开发者_如何学Python?

I saw one example of using an "OperationalContext" to get it but that was not in java.

Inject a HttpServletRequest into your Rest Service as such:

import javax.servlet.http.HttpServletRequest;

@GET
@Path("/yourservice")
@Produces("text/xml")
public String activate(@Context HttpServletRequest req,@Context SecurityContext context){

   String ipAddressRequestCameFrom = requestContext.getRemoteAddr();
   // header name is case insensitive
   String xForwardedForIP = req.getHeader("X-Forwarded-For");

   // if xForwardedForIP is populated use it, else return ipAddressRequestCameFrom 
   String ip = xForwardedForIP != null ? xForwardedForIP : ipAddressRequestCameFrom;
   System.out.println("IP is "+ip);


   // get the host name the client contacted. If the header `Host` is populated the `Host` header is automatically returned.
   // An AWS ALB populated the Host header for you.
   String hostNameRequestCameFrom = req.getServerName();
   System.out.println("Host is "+hostNameRequestCameFrom);

   
   //Also if security is enabled
   Principal principal = context.getUserPrincipal();
   String userName = principal.getName();

}

As @Hemant Nagpal mentions, you can also check the X-Forwarded-For header to determine the real source if a load balancer inserts this into the request. According to this answer, the getHeader() call is case insensitive.

You can also get the servername that the client contacted. This is either the DNS name or the value set in the Host header with an OSI layer 7 load balancer can populate.

1. Example: no headers are populated

curl "http://127.0.0.1:8080/"

returns

IP is 127.0.0.1
Host is 127.0.0.1

2. Example: X-Forwarded-For and Host headers are populated

curl --header "X-Forwarded-For: 1.2.3.4" --header "Host: bla.bla.com:8443" "http://127.0.0.1:8080/"

returns

IP is 1.2.3.4
Host is bla.bla.com

I think you can get the IP through the request object.

If I'm not mistaken, request.getRemoteAddr() or so.

You could do something like this:

@WebService
public class YourService {

   @Resource
   WebServiceContext webServiceContext; 

   @WebMethod 
   public String myMethod() { 

      MessageContext messageContext = webServiceContext.getMessageContext();
      HttpServletRequest request = (HttpServletRequest) messageContext.get(MessageContext.SERVLET_REQUEST); 
      String callerIpAddress = request.getRemoteAddr();

      System.out.println("Caller IP = " + callerIpAddress); 

   }
}

Assuming you are making your "web service" with servlets, the rather simple method call .getRemoteAddr() on the request object will give you the callers IP address.

If your application is running on a webserver that is located behind a reverse proxy or load balancer, then that proxy can be configured to inject the requested IP address in a request header. Different reverse proxies can inject different headers. Consult the documentation for your proxy server. We listed a couple of the most used in our example below but this is by no means a complete list. When your client uses a (forward) proxy, then it might insert headers to say what the client IP addres is. Or it might not. And the IP address inserded here might be incorrect. This means that the value you get by calling request.getRemoteAddr() is the IP address of the immediate upstream source of the request. As we said, there are many headers for different proxies in use, but x-forwareded-for is most likely to be inserted by a proxy. As a last note, even if you get an IP address either from the header or from request.getRemoteAddr() it is not guarenteed to be the client IP address. e.g.: if your proxy does not include the IP address of the client then you’ll get the IP address of the proxy or load balancer. If your client works on a private network and connect to the internet via a NAT gateway, then the IP address in the HTTP request will be an address of the NAT server. Or even for a hacker it is quite easy to inject a header with a different IP address. So this means that you cannot reliably find out the IP address of the system that the request originated from.

 private static final String[] IP_HEADER_CANDIDATES = { 
        "X-Forwarded-For",
        "Proxy-Client-IP",
        "WL-Proxy-Client-IP",
        "HTTP_X_FORWARDED_FOR",
        "HTTP_X_FORWARDED",
        "HTTP_X_CLUSTER_CLIENT_IP",
        "HTTP_CLIENT_IP",
        "HTTP_FORWARDED_FOR",
        "HTTP_FORWARDED",
        "HTTP_VIA",
        "REMOTE_ADDR" };

    public static String getClientIpAddress(HttpServletRequest request) {
        for (String header : IP_HEADER_CANDIDATES) {
            String ip = request.getHeader(header);
            if (ip != null && ip.length() != 0 && !"unknown".equalsIgnoreCase(ip)) {
                return ip;
            }
        }
        return request.getRemoteAddr();
    }

继续阅读:jax-rsrestrestful-authenticationweb-services

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9