Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible to accurately determine the IP address of a client in java servlet

Tags:

java

authentication

networking

ip

I want to configure a machine in my network to accept all calls from a specific machine without authentication. For this I am planning to use the IP address of the client machine as the required trust factor to allow unchecked authentication.

My concern is that is it possible to accurately determine the IP address of a client in a java servlet? Is it possible that the IP which I get in the servlet can be changed by some hacking mechanism to made my server to believe that it is the trusted IP?

For example if my server machine is configured to trust 192.168.0.1, then is it possible by some other client other than 192.168.0.1 to pretend as 192.168.0.1 and fool my authentication mechanism?

like image 348
Ashish Avatar asked Feb 17 '12 09:02

Ashish

2 Answers

You can use the getRemoteAddr() method from the HttpServletRequest class to obtain the IP address. Be careful, though. If your client is behind a proxy server (or even a NATting firewall), you'll get the proxy IP address instead.

So, you can also look for the X-Forwarded-For HTTP header (standard for identifying the source IP address of a client behind an HTTP proxy). See more on Wikipedia. Be careful, though. If your client is NOT behind a proxy, you can get a null XFF header. So, if you are to follow this path, you should use a mix of the servlet methods and XFF header evaluation. There is no guarantee, though, that the proxy will forward you the header.

But be aware that the source IP address can be easily changed or faked by any malicious client. I really recommend using some sort of client authentication (a certificate, for example). There is no way for a web app to accurately determine the client IP address.

like image 193
Viccari Avatar answered Nov 02 '22 23:11

Viccari

Your service could be vulnerable to IP Spoofing. It's easy to forge packets that appear to be from a different IP address. The thing about spoofing, though, is that the attacker won't be able to receive any response packets. Therefore, if calling your services doesn't cause an internal change of state (i.e. it's read only), then you should be okay. If, however, the calls to your service will issue writes, then you shouldn't rely simply on IP address because a spoofed packet will be enough to change the internal state of your system.

like image 29
stevevls Avatar answered Nov 02 '22 23:11

stevevls
Sign in to Comment

Related questions

IntelliJ: Could not target platform: 'Java SE 12' using tool chain: 'JDK 11 (11)'
Garbage collection behavior with isolated cyclic references?
Is there a rule of thumb for when to code a static method vs an instance method?
Why is Java on Server and C# on Client a popular choice?
Remove boilerplate from db code
Why are Runtime Exceptions "unchecked" in Java?
Use Java drawString to achieve the following Text alignment
Is there an easy way to copy an iterator into a list in Java?
Need Help With N Queens Program ( checking diagonals )
Java for Software Developers [closed]
EJB's and Threading
java interface input argument extends from a base class
Iteration of List<String> with modyfing String
How to generate a hash code from three longs
selectonemenu with the error java.lang.String cannot be cast to javax.faces.model.SelectItem
Class name conflict importing new package (java)
Android: customizing the look of Tabs using TabHost & TabWidget
Java: Printing LinkedList without square brackets?
How to get user's browser id using JSF?
java - ignore expired ssl certificate

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!