In version 5.1.x, the ServletUriComponentsBuilder methods changed to remove the usage of forwarded headers: * code change: 4da43de; https://github.com/spring-projects/spring-framework/issues/21209 * docs clarifications: bb5c8ed); https://github.com/spring-projects/spring-framework/issues/21850

However, the method and class documentation in MvcUriComponentsBuilder was not updated and still indicates the forwarded headers are used. (see instances of Note: in the javadocs) Yet MvcUriComponentsBuilder internally uses ServletUriComponentsBuilder for URI components resolution:

https://github.com/spring-projects/spring-framework/blob/a0763d13c5032c9042bb56b1e6f899c0a6661991/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/MvcUriComponentsBuilder.java#L560-L564

This affects 5.1.x -> 7.0.x.


Simple test:

@Test
void testMvcUriComponentsBuilder() {
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setServerName("localhost");
    request.setServerPort(8080);
    request.setScheme("http");

    request.addHeader("X-Forwarded-Proto", "https");
    request.addHeader("X-Forwarded-Host", "test.example.com");
    request.addHeader("X-Forwarded-Port", "443");

    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, new MockHttpServletResponse()));

    @Controller
    @RequestMapping("/test")
    class InnerController {}

    String expected = MvcUriComponentsBuilder.fromController(InnerController.class).toUriString();
    assertEquals(expected, "https://test.example.com");
}

Error:

expected: <http://localhost:8080/test> but was: <https://test.example.com>

Comment From: rstoyanchev

Thanks for pointing this out.

Comment From: dforrest-es

@rstoyanchev Not a problem. Note that each method's javadocs also has this problem, not just the class level.