
I want to support IP-based whitelisting in one of my Java web services. To implement that, I have written a servlet filter in which I verify whether the remote machine's IP belongs to the whitelisted IPs. To determine the remote machine's IP I am using the following code:
String ipAddress = httpServletRequest.getRemoteAddr();
I want to know if there is a way by which the remote machine's IP can be impersonated by an attacker without getting inside the remote machine. If yes, then is there a more secure way to determine the remote IP?

LiorH
vaibhav.g

1 Answer


There is a way; however, it's not an easy way. See this answer for more details.

Remember that httpServletRequest.getRemoteAddr() will be no good if you deploy your app behind a proxy or a CDN. In that case, you'd have to check the X-Forwarded-For header, and then it's easy to forge that.

LiorH
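An added example, written for this page and not code from the asker or the answerer, of how the filter from the question can be made proxy-aware in the way the answer describes: getRemoteAddr() is the TCP peer and is only believed to carry a client address when that peer is not one of our own proxies; X-Forwarded-For is consulted only when the peer is a trusted proxy, and then the chain is walked from the right, skipping our own proxies, so a client cannot prepend a forged entry and pass the check. The allow-list ranges, the proxy address, the class name and the use of the javax.servlet API (use jakarta.servlet on newer containers) are all assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Example IP allow-list filter (assumed names and addresses throughout). */
public class IpAllowListFilter implements Filter {

    /** Clients that may call the service (assumed values). */
    private static final List<Cidr> ALLOWED = Arrays.asList(
            Cidr.parse("10.20.0.0/16"),
            Cidr.parse("203.0.113.7/32"));

    /** Only these TCP peers are believed when they set X-Forwarded-For (assumed value). */
    private static final List<Cidr> TRUSTED_PROXIES = Arrays.asList(
            Cidr.parse("192.0.2.10/32"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String client = resolveClientIp(request.getRemoteAddr(),
                request.getHeader("X-Forwarded-For"));
        if (client == null || !matchesAny(client, ALLOWED)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * The TCP peer address cannot be forged by a remote attacker who needs a
     * completed handshake, so it is used directly unless the peer is one of our
     * proxies. A proxy appends the address it saw to X-Forwarded-For, so the
     * rightmost entry that is not itself one of our proxies is the real client;
     * anything left of it was supplied by the client and is ignored.
     */
    static String resolveClientIp(String remoteAddr, String xff) {
        if (!matchesAny(remoteAddr, TRUSTED_PROXIES) || xff == null) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) return null;                 // malformed header: reject
            if (!matchesAny(hop, TRUSTED_PROXIES)) return hop;
        }
        return null;  // every hop is one of our proxies, no client address present
    }

    /** True if ip is a literal address inside any of the ranges; never does DNS. */
    static boolean matchesAny(String ip, List<Cidr> ranges) {
        if (ip == null || !ip.matches("[0-9A-Fa-f.:]+")) return false;  // literals only
        try {
            byte[] addr = InetAddress.getByName(ip).getAddress();
            for (Cidr c : ranges) {
                if (c.contains(addr)) return true;
            }
        } catch (UnknownHostException | IllegalArgumentException e) {
            // unparsable address: treat as not allowed
        }
        return false;
    }

    /** Minimal CIDR matcher for IPv4 and IPv6 literals. */
    static final class Cidr {
        private final byte[] network;
        private final int prefix;

        private Cidr(byte[] network, int prefix) { this.network = network; this.prefix = prefix; }

        static Cidr parse(String text) {
            String[] parts = text.split("/");
            try {
                byte[] net = InetAddress.getByName(parts[0]).getAddress();
                int bits = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
                if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException(text);
                return new Cidr(net, bits);
            } catch (UnknownHostException e) {
                throw new IllegalArgumentException("bad CIDR: " + text, e);
            }
        }

        boolean contains(byte[] addr) {
            if (addr.length != network.length) return false;  // IPv4 vs IPv6 mismatch
            int full = prefix / 8, rem = prefix % 8;
            for (int i = 0; i < full; i++) {
                if (addr[i] != network[i]) return false;
            }
            if (rem == 0) return true;
            int mask = (0xFF << (8 - rem)) & 0xFF;
            return (addr[full] & mask) == (network[full] & mask);
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Two caveats a practitioner should keep in mind. First, the filter is only as strong as the TRUSTED_PROXIES list: if an attacker can reach the service directly (bypassing the CDN or load balancer), getRemoteAddr() is their own address and X-Forwarded-For is ignored, so network rules must ensure the only path in is through the proxy. Second, with 10.20.0.0/16 in ALLOWED, a request arriving directly from inside that range is trusted on the strength of the peer address alone, which is exactly what the question asks about: a source address cannot be spoofed through a completed TCP handshake from outside the network, but an attacker already on a path where they can see the traffic can still do better than the header.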