Expected Behavior
Expect the constructor org.springframework.security.web.authentication.WebAuthenticationDetails#WebAuthenticationDetails(java.lang.String, java.lang.String) to be opened.
Current Behavior
org.springframework.security.web.authentication.WebAuthenticationDetails#remoteAddress is request.getRemoteAddr(), which behind nginx is not the real IP.
Context
Comment From: jgrandja
@houkunlin The constructor WebAuthenticationDetails(java.lang.String, java.lang.String) was provided to support Jackson2 as indicated in the javadoc: "Constructor to add Jackson2 serialize/deserialize support". There is no plan to expose this constructor. Can you provide more details on why you need this exposed?
Comment From: houkunlin
https://www.digitalocean.com/community/questions/how-do-i-forward-client-ip-instead-of-proxy-ip-in-nginx-reverse-proxy.amp
nginx adds the header X-Real-IP. I want WebAuthenticationDetails#remoteAddress to use the HTTP header X-Real-IP value. WebAuthenticationDetails(java.lang.String, java.lang.String) already exists, so I want to use it.
Comment From: jgrandja
@houkunlin You can provide a custom AuthenticationDetailsSource, as most of the Filters expose a setter setAuthenticationDetailsSource().
For example, the default AuthenticationDetailsSource for the UsernamePasswordAuthenticationFilter is WebAuthenticationDetailsSource. You can either override this by supplying a complete custom AuthenticationDetailsSource<HttpServletRequest, ?> OR extend WebAuthenticationDetailsSource and override buildDetails() and wrap the HttpServletRequest using HttpServletRequestWrapper before passing into WebAuthenticationDetails. You would need to override HttpServletRequestWrapper.getRemoteAddr() to return the header X-Real-IP.
I don't see a need to expose WebAuthenticationDetails(java.lang.String, java.lang.String), as the solution provided will work. If you choose to implement a custom AuthenticationDetailsSource, then it would be fairly simple to implement something similar to WebAuthenticationDetailsSource with minimal code duplication.
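An added example, not code from the thread or from Spring Security itself, of the approach suggested in the comment above: extend WebAuthenticationDetailsSource, override buildDetails() and wrap the request so getRemoteAddr() returns X-Real-IP. The class name, the trustedProxies set and the header trust check are assumptions of this sketch, as is the jakarta.servlet namespace (javax.servlet on older versions).

```java
import java.util.Set;
import java.util.regex.Pattern;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;

import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

/** Hypothetical class: builds details whose remoteAddress comes from X-Real-IP. */
public class RealIpAuthenticationDetailsSource extends WebAuthenticationDetailsSource {

    // Character-set check only (IPv4/IPv6 literal characters), so arbitrary
    // header text never ends up in the stored remoteAddress.
    private static final Pattern IP_CHARS = Pattern.compile("^[0-9A-Fa-f:.]{2,45}$");

    // Assumption: addresses of the nginx instances allowed to set X-Real-IP.
    private final Set<String> trustedProxies;

    public RealIpAuthenticationDetailsSource(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    @Override
    public WebAuthenticationDetails buildDetails(HttpServletRequest request) {
        return new WebAuthenticationDetails(new RealIpRequest(request));
    }

    private final class RealIpRequest extends HttpServletRequestWrapper {
        RealIpRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getRemoteAddr() {
            String peer = super.getRemoteAddr();
            // A client that reaches the application directly can send any
            // X-Real-IP it likes, so the header is honoured only for trusted peers.
            if (!trustedProxies.contains(peer)) {
                return peer;
            }
            String header = getHeader("X-Real-IP");
            if (header == null || !IP_CHARS.matcher(header.trim()).matches()) {
                return peer;
            }
            return header.trim();
        }
    }
}
```

An instance is passed to the filter's setAuthenticationDetailsSource(), as mentioned in the comment above.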