In our application we use `ForwardedHeaderFilter` (`forward-headers-strategy = FRAMEWORK`). For most requests it is a great feature. But for some requests we want to check the whole chain of IPs in the `X-Forwarded-For` header. The current problem is:
1. `ForwardedHeaderFilter` hides the original `X-Forwarded-For` header
2. `UriComponentsBuilder#parseForwardedFor` takes only the first IP from this header
So it looks like we cannot use the `FRAMEWORK` strategy.
A possible solution could be: do not hide these headers. To do that we should extend the `removeOnly` property to some enum, maybe:
- remove only
- remove and handle headers
- handle headers but do not remove them
Comment From: bclozel
I think we're only parsing the first one, because that's the only part we need to implement the `HttpServletRequestWrapper` contract after all. By design, and for security reasons, original headers should be removed as this could create problems down the line. If request headers are somehow reused for creating a client request, this could make the application vulnerable.
In your case, I'd suggest adding another filter before `ForwardedHeaderFilter` (or subclassing it if possible) and copying those values as a well-known request attribute so they can be reused by the infrastructure that needs it.
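
A sketch of the "filter before `ForwardedHeaderFilter`" suggestion above, added here as an illustration and not code from Spring or from either participant. The class name and attribute key are hypothetical, the `jakarta.servlet` imports assume Spring Framework 6 (use `javax.servlet` on 5.x), and the filter is assumed to be registered so that it runs ahead of `ForwardedHeaderFilter`.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: name and attribute key are assumptions, not Spring API.
// It must run before ForwardedHeaderFilter, while the raw header is still
// visible on the request.
public class XForwardedForCaptureFilter extends OncePerRequestFilter {

    // Assumed attribute key; downstream code reads the full chain from here.
    public static final String CHAIN_ATTRIBUTE =
            XForwardedForCaptureFilter.class.getName() + ".chain";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        List<String> hops = new ArrayList<>();
        // The header may arrive as several lines, each a comma-separated list.
        Enumeration<String> values = request.getHeaders("X-Forwarded-For");
        while (values != null && values.hasMoreElements()) {
            for (String hop : values.nextElement().split(",")) {
                String trimmed = hop.trim();
                if (!trimmed.isEmpty()) {
                    hops.add(trimmed);
                }
            }
        }
        // Entries are client-influenced: only hops appended by proxies you
        // operate can be trusted. Request attributes pass through request
        // wrappers, so later filters and handlers still see this value.
        request.setAttribute(CHAIN_ATTRIBUTE, Collections.unmodifiableList(hops));
        chain.doFilter(request, response);
    }
}
```

Downstream code reads the chain with `request.getAttribute(XForwardedForCaptureFilter.CHAIN_ATTRIBUTE)`, so the original header can still be removed by `ForwardedHeaderFilter` and is never available for reuse in outgoing client requests.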