Summary
I have a listener that listens to AuditApplicationEvent. In the fields that I get about various events (in particular, authentication failures), there's the "remoteAddress" field. Unfortunately, it is the IP address of the load balancer/proxy, rather than the original address, which would be interesting in this situation.
Actual Behavior
The WebAuthenticationDetails constructor takes an HttpServletRequest and simply calls request.getRemoteAddr().
Expected Behavior
There should be a configuration option which, if specified, lets WebAuthenticationDetails fetch the X-Forwarded-For header instead of the remoteAddr.
Alternatively, all the request headers should be part of the WebAuthenticationDetails object.
Version
5.0.0.M5
Comment From: dsteegen
It would be nice if this was indeed supported out of the box by Spring Security. When checking the audit events in the Spring Boot Admin server, the IP address that is displayed is not the actual user's IP but the one of the proxy server (Traefik in our case).
Comment From: jzheaux
The preferred way to configure this is to add ForwardedHeaderFilter into the filter chain. This wraps the HttpServletRequest so that getRemoteAddr reflects the X-Forwarded-For header.
The reason this is preferred is so that Spring Security doesn't end up adding configurations for X-Forwarded-For in multiple places in addition to WebAuthenticationDetails.
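The approach jzheaux describes, written out as an added example (this is not code from the issue or from Spring Security itself): a Spring Boot configuration that registers ForwardedHeaderFilter ahead of the security filter chain, plus an audit listener of the kind the reporter has, reading the address back out of the event. The class name, the `"details"` lookup and the `"AUTHENTICATION_FAILURE"` type string are taken from Spring Boot Actuator's own audit listener; the package and bean names are my own.

```java
// Added example, not from the issue or Spring Security: register ForwardedHeaderFilter
// before the security filter chain so WebAuthenticationDetails sees the X-Forwarded-For address.
import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.audit.listener.AuditApplicationEvent;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.core.Ordered;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
public class ForwardedAddressAuditConfig { // hypothetical class name

    /**
     * Only enable this when every path to the application goes through a proxy
     * that overwrites X-Forwarded-For. ForwardedHeaderFilter trusts the header as
     * received, so a client that can reach the app directly could put any address
     * it likes into the audit log.
     */
    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        FilterRegistrationBean<ForwardedHeaderFilter> registration = new FilterRegistrationBean<>(filter);
        // Must run before springSecurityFilterChain (order -100 by default in Boot);
        // otherwise WebAuthenticationDetails is built from the unwrapped request.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    /** Listener of the kind described in the issue: reports the client address on auth failures. */
    @EventListener
    public void onAuditEvent(AuditApplicationEvent event) {
        AuditEvent audit = event.getAuditEvent();
        if (!"AUTHENTICATION_FAILURE".equals(audit.getType())) {
            return;
        }
        // Boot's AuthenticationAuditListener stores Authentication.getDetails() under "details";
        // for form/basic web logins that is a WebAuthenticationDetails.
        Object details = audit.getData().get("details");
        if (details instanceof WebAuthenticationDetails) {
            String remote = ((WebAuthenticationDetails) details).getRemoteAddress();
            System.out.printf("auth failure for %s from %s%n", audit.getPrincipal(), remote);
        }
    }
}
```

With the filter in place, remoteAddress in the audit data is the first address from X-Forwarded-For rather than the proxy's; the proxy at the trust boundary must overwrite or strip any X-Forwarded-For it receives from outside, since the filter itself does not check which proxies are trusted.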