Drop protocolHeader and remoteIpHeader defaults

The `protocolHeader` and `remoteIpHeader` no longer have default values and must be opt-in. Fixes gh-1624
10 years ago · 0dc46a2fe7
parent 72ef1d6554
commit 0dc46a2fe7
2 changed files with 8 additions and 2 deletions
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
@ -207,9 +207,9 @@ public class ServerProperties implements EmbeddedServletContainerCustomizer {
 				+ "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
 				+ "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"; // 127/8

-		private String protocolHeader = "x-forwarded-proto";
+		private String protocolHeader;

-		private String remoteIpHeader = "x-forwarded-for";
+		private String remoteIpHeader;

 		private File basedir;

--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java
@ -147,6 +147,12 @@ public class ServerPropertiesTests {

 	@Test
 	public void defaultTomcatRemoteIpValve() throws Exception {
+		Map<String, String> map = new HashMap<String, String>();
+		// Since 1.1.7 you need to specify at least the protocol and ip properties
+		map.put("server.tomcat.protocol_header", "x-forwarded-proto");
+		map.put("server.tomcat.remote_ip_header", "x-forwarded-for");
+		bindProperties(map);
+
 		TomcatEmbeddedServletContainerFactory container = new TomcatEmbeddedServletContainerFactory();
 		this.properties.customize(container);