Is it possible to accurately determine the IP address of a client in java servlet


Problem description

I want to configure a machine in my network to accept all calls from a specific machine without authentication. For this I am planning to use the IP address of the client machine as the required trust factor to allow unchecked authentication.

My concern is: is it possible to accurately determine the IP address of a client in a java servlet? Is it possible that the IP which I get in the servlet can be changed by some hacking mechanism to make my server believe that it is the trusted IP?

For example, if my server machine is configured to trust 192.168.0.1, then is it possible for some client other than 192.168.0.1 to pretend to be 192.168.0.1 and fool my authentication mechanism?

Recommended answer

You can use the getRemoteAddr() method from the HttpServletRequest class to obtain the IP address. Be careful, though. If your client is behind a proxy server (or even a NATting firewall), you'll get the proxy IP address instead.

So, you can also look for the X-Forwarded-For HTTP header (standard for identifying the source IP address of a client behind an HTTP proxy). See more on Wikipedia. Be careful, though. If your client is NOT behind a proxy, you can get a null XFF header. So, if you are to follow this path, you should use a mix of the servlet methods and XFF header evaluation. There is no guarantee, though, that the proxy will forward you the header.

But be aware that the source IP address can be easily changed or faked by any malicious client. I really recommend using some sort of client authentication (a certificate, for example). There is no way for a web app to accurately determine the client IP address.
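
The mix of `getRemoteAddr()` and `X-Forwarded-For` evaluation described in the answer, as an added example that is not part of the original post: the header is consulted only when the TCP peer is a proxy you operate yourself. The class name, the `TRUSTED_PROXIES` set and all addresses are assumptions constructed for illustration; the two string arguments stand in for `request.getRemoteAddr()` and `request.getHeader("X-Forwarded-For")`.

```java
import java.util.Set;

public class ClientIpResolver {
    // Assumption: addresses of the reverse proxies you run yourself (constructed values).
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    /**
     * @param remoteAddr value of HttpServletRequest.getRemoteAddr() (the TCP peer)
     * @param xff        value of request.getHeader("X-Forwarded-For"), may be null
     * @return the best available client address
     */
    static String resolve(String remoteAddr, String xff) {
        // If the peer is not one of our proxies, any XFF header was supplied
        // by the client itself and carries no weight: use the TCP peer address.
        if (!TRUSTED_PROXIES.contains(remoteAddr) || xff == null || xff.isBlank()) {
            return remoteAddr;
        }
        // By convention each proxy appends the address it received the request
        // from, so only the rightmost entries were written by our own proxies.
        // Walk right to left and stop at the first hop that is not ours;
        // everything further left is client-controlled and is never read.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        // The header listed only our own proxies: fall back to the TCP peer.
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed inputs, one per case the answer mentions.
        // Direct client, no proxy, null XFF header:
        System.out.println(resolve("203.0.113.9", null));
        // Direct client that sends its own XFF header naming the trusted IP:
        System.out.println(resolve("203.0.113.9", "192.168.0.1"));
        // Request relayed by our proxy, which recorded the real peer:
        System.out.println(resolve("10.0.0.5", "198.51.100.7"));
        // Relayed request where the client had also prepended its own entry:
        System.out.println(resolve("10.0.0.5", "192.168.0.1, 198.51.100.7"));
        // Request that passed through both of our proxies:
        System.out.println(resolve("10.0.0.5", "198.51.100.7, 10.0.0.6"));
    }
}
```

The resolved address is suitable for logging or coarse filtering; granting access without authentication still calls for the client authentication the answer recommends.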
