Earlier processing of forwarded headers

Forwarded headers are now processed before ServerWebExchange is created
through ForwardedHeaderTransformer which has the same logic as the
ForwardedHeaderFilter but works on the request only.

ForwardedHeaderFilter is deprecated as of 5.1 but if registered it is
removed from the list of filters and ForwardedHeaderTransformer is used
instead.

Issue: SPR-17072

Author: rstoyanchev

spring-web/src/main/java/org/springframework/web/filter/reactive/ForwardedHeaderFilter.java

@@ -16,115 +16,42 @@
 
 package org.springframework.web.filter.reactive;
 
-import java.net.URI;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
 import reactor.core.publisher.Mono;
 
-import org.springframework.http.HttpHeaders;
 import org.springframework.http.server.reactive.ServerHttpRequest;
-import org.springframework.lang.Nullable;
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.WebFilter;
 import org.springframework.web.server.WebFilterChain;
-import org.springframework.web.util.UriComponentsBuilder;
+import org.springframework.web.server.adapter.ForwardedHeaderTransformer;
 
 /**
- * Extract values from "Forwarded" and "X-Forwarded-*" headers, and use them to
- * override {@link ServerHttpRequest#getURI()} to reflect the client-originated
- * protocol and address.
+ * Extract values from "Forwarded" and "X-Forwarded-*" headers to override the
+ * request URI (i.e. {@link ServerHttpRequest#getURI()}) so it reflects the
+ * client-originated protocol and address.
  *
- * <p>This filter can also be used in a {@link #setRemoveOnly removeOnly} mode
- * where "Forwarded" and "X-Forwarded-*" headers are eliminated, and not used.
+ * <p>Alternatively if {@link #setRemoveOnly removeOnly} is set to "true", then
+ * "Forwarded" and "X-Forwarded-*" headers are only removed, and not used.
  *
  * @author Arjen Poutsma
  * @author Rossen Stoyanchev
+ * @deprecated as of 5.1 this filter is deprecated in favor of using
+ * {@link ForwardedHeaderTransformer} which can be declared as a bean with the
+ * name "forwardedHeaderTransformer" or registered explicitly in
+ * {@link org.springframework.web.server.adapter.WebHttpHandlerBuilder
+ * WebHttpHandlerBuilder}.
  * @since 5.0
  * @see <a href="https://tools.ietf.org/html/rfc7239">https://tools.ietf.org/html/rfc7239</a>
  */
-public class ForwardedHeaderFilter implements WebFilter {
-
-	static final Set<String> FORWARDED_HEADER_NAMES = new LinkedHashSet<>(5);
-
-	static {
-		FORWARDED_HEADER_NAMES.add("Forwarded");
-		FORWARDED_HEADER_NAMES.add("X-Forwarded-Host");
-		FORWARDED_HEADER_NAMES.add("X-Forwarded-Port");
-		FORWARDED_HEADER_NAMES.add("X-Forwarded-Proto");
-		FORWARDED_HEADER_NAMES.add("X-Forwarded-Prefix");
-		FORWARDED_HEADER_NAMES.add("X-Forwarded-Ssl");
-	}
-
-
-	private boolean removeOnly;
-
-
-	/**
-	 * Enables mode in which any "Forwarded" or "X-Forwarded-*" headers are
-	 * removed only and the information in them ignored.
-	 * @param removeOnly whether to discard and ignore forwarded headers
-	 */
-	public void setRemoveOnly(boolean removeOnly) {
-		this.removeOnly = removeOnly;
-	}
-
+@Deprecated
+public class ForwardedHeaderFilter extends ForwardedHeaderTransformer implements WebFilter {
 
 	@Override
 	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
 		ServerHttpRequest request = exchange.getRequest();
-		if (!hasForwardedHeaders(request)) {
-			return chain.filter(exchange);
-		}
-
-		ServerWebExchange mutatedExchange;
-		if (this.removeOnly) {
-			mutatedExchange = exchange.mutate().request(this::removeForwardedHeaders).build();
-		}
-		else {
-			mutatedExchange = exchange.mutate()
-					.request(builder -> {
-						URI uri = UriComponentsBuilder.fromHttpRequest(request).build().toUri();
-						builder.uri(uri);
-						String prefix = getForwardedPrefix(request);
-						if (prefix != null) {
-							builder.path(prefix + uri.getPath());
-							builder.contextPath(prefix);
-						}
-						removeForwardedHeaders(builder);
-					})
-					.build();
-		}
-
-		return chain.filter(mutatedExchange);
-	}
-
-	private boolean hasForwardedHeaders(ServerHttpRequest request) {
-		HttpHeaders headers = request.getHeaders();
-		for (String headerName : FORWARDED_HEADER_NAMES) {
-			if (headers.containsKey(headerName)) {
-				return true;
-			}
+		if (hasForwardedHeaders(request)) {
+			exchange = exchange.mutate().request(apply(request)).build();
 		}
-		return false;
-	}
-
-	@Nullable
-	private static String getForwardedPrefix(ServerHttpRequest request) {
-		HttpHeaders headers = request.getHeaders();
-		String prefix = headers.getFirst("X-Forwarded-Prefix");
-		if (prefix != null) {
-			int endIndex = prefix.length();
-			while (endIndex > 1 && prefix.charAt(endIndex - 1) == '/') {
-				endIndex--;
-			}
-			prefix = (endIndex != prefix.length() ? prefix.substring(0, endIndex) : prefix);
-		}
-		return prefix;
-	}
-
-	private ServerHttpRequest.Builder removeForwardedHeaders(ServerHttpRequest.Builder builder) {
-		return builder.headers(map -> FORWARDED_HEADER_NAMES.forEach(map::remove));
+		return chain.filter(exchange);
 	}
 
 }

spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java

@@ -0,0 +1,131 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.web.server.adapter;
+
+import java.net.URI;
+import java.util.LinkedHashSet;
+import java.util.Set;
+import java.util.function.Function;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.lang.Nullable;
+import org.springframework.web.util.UriComponentsBuilder;
+
+/**
+ * Extract values from "Forwarded" and "X-Forwarded-*" headers to override the
+ * request URI (i.e. {@link ServerHttpRequest#getURI()}) so it reflects the
+ * client-originated protocol and address.
+ *
+ * <p>Alternatively if {@link #setRemoveOnly removeOnly} is set to "true", then
+ * "Forwarded" and "X-Forwarded-*" headers are only removed, and not used.
+ *
+ * @author Rossen Stoyanchev
+ * @since 5.1
+ * @see <a href="https://tools.ietf.org/html/rfc7239">https://tools.ietf.org/html/rfc7239</a>
+ */
+public class ForwardedHeaderTransformer implements Function<ServerHttpRequest, ServerHttpRequest> {
+
+	static final Set<String> FORWARDED_HEADER_NAMES = new LinkedHashSet<>(5);
+
+	static {
+		FORWARDED_HEADER_NAMES.add("Forwarded");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Host");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Port");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Proto");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Prefix");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Ssl");
+	}
+
+
+	private boolean removeOnly;
+
+
+	/**
+	 * Enables mode in which any "Forwarded" or "X-Forwarded-*" headers are
+	 * removed only and the information in them ignored.
+	 * @param removeOnly whether to discard and ignore forwarded headers
+	 */
+	public void setRemoveOnly(boolean removeOnly) {
+		this.removeOnly = removeOnly;
+	}
+
+	/**
+	 * Whether the "remove only" mode is on.
+	 */
+	public boolean isRemoveOnly() {
+		return this.removeOnly;
+	}
+
+
+	/**
+	 * Apply and remove, or remove Forwarded type headers.
+	 * @param request the request
+	 */
+	@Override
+	public ServerHttpRequest apply(ServerHttpRequest request) {
+
+		if (hasForwardedHeaders(request)) {
+			ServerHttpRequest.Builder builder = request.mutate();
+			if (!this.removeOnly) {
+				URI uri = UriComponentsBuilder.fromHttpRequest(request).build().toUri();
+				builder.uri(uri);
+				String prefix = getForwardedPrefix(request);
+				if (prefix != null) {
+					builder.path(prefix + uri.getPath());
+					builder.contextPath(prefix);
+				}
+			}
+			removeForwardedHeaders(builder);
+			request = builder.build();
+		}
+
+		return request;
+	}
+
+	/**
+	 * Whether the request has any Forwarded headers.
+	 * @param request the request
+	 */
+	protected boolean hasForwardedHeaders(ServerHttpRequest request) {
+		HttpHeaders headers = request.getHeaders();
+		for (String headerName : FORWARDED_HEADER_NAMES) {
+			if (headers.containsKey(headerName)) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	private void removeForwardedHeaders(ServerHttpRequest.Builder builder) {
+		builder.headers(map -> FORWARDED_HEADER_NAMES.forEach(map::remove));
+	}
+
+	@Nullable
+	private static String getForwardedPrefix(ServerHttpRequest request) {
+		HttpHeaders headers = request.getHeaders();
+		String prefix = headers.getFirst("X-Forwarded-Prefix");
+		if (prefix != null) {
+			int endIndex = prefix.length();
+			while (endIndex > 1 && prefix.charAt(endIndex - 1) == '/') {
+				endIndex--;
+			}
+			prefix = (endIndex != prefix.length() ? prefix.substring(0, endIndex) : prefix);
+		}
+		return prefix;
+	}
+
+}

spring-web/src/main/java/org/springframework/web/server/adapter/HttpWebHandlerAdapter.java

@@ -92,6 +92,9 @@ public class HttpWebHandlerAdapter extends WebHandlerDecorator implements HttpHa
 
 	private LocaleContextResolver localeContextResolver = new AcceptHeaderLocaleContextResolver();
 
+	@Nullable
+	private ForwardedHeaderTransformer forwardedHeaderTransformer;
+
 	@Nullable
 	private ApplicationContext applicationContext;
 
@@ -169,6 +172,27 @@ public LocaleContextResolver getLocaleContextResolver() {
 		return this.localeContextResolver;
 	}
 
+	/**
+	 * Enable processing of forwarded headers, either extracting and removing,
+	 * or remove only.
+	 * <p>By default this is not set.
+	 * @param transformer the transformer to use
+	 * @since 5.1
+	 */
+	public void setForwardedHeaderTransformer(ForwardedHeaderTransformer transformer) {
+		Assert.notNull(transformer, "ForwardedHeaderTransformer is required");
+		this.forwardedHeaderTransformer = transformer;
+	}
+
+	/**
+	 * Return the configured {@link ForwardedHeaderTransformer}.
+	 * @since 5.1
+	 */
+	@Nullable
+	public ForwardedHeaderTransformer getForwardedHeaderTransformer() {
+		return this.forwardedHeaderTransformer;
+	}
+
 	/**
 	 * Configure the {@code ApplicationContext} associated with the web application,
 	 * if it was initialized with one via
@@ -208,6 +232,10 @@ public void afterPropertiesSet() {
 	@Override
 	public Mono<Void> handle(ServerHttpRequest request, ServerHttpResponse response) {
 
+		if (this.forwardedHeaderTransformer != null) {
+			request = this.forwardedHeaderTransformer.apply(request);
+		}
+
 		ServerWebExchange exchange = createExchange(request, response);
 		logExchange(exchange);