Cross-origin whitelisted IP is not applied even after defining it with the @CrossOrigin annotation in a Spring Boot project

954 Views Asked by At

I followed https://spring.io/guides/gs/rest-service-cors/ and added a random IP like this to one of my API endpoints:

    // JAX-RS resource method (@Produces, @Context) carrying Spring MVC's @CrossOrigin
    @Produces(MediaType.APPLICATION_JSON)
    @CrossOrigin(origins = "116.206.111.61")
    public XAmount getBalance(@Context SecurityContext security) {
        String customer = null;
        .. API code goes here ..
    }
    } // end of the enclosing resource class (opening not shown)

I am expecting only requests from this IP to be accepted by this API now, so I expect requests from my client to fail. However, that is not happening.

I am able to make requests from another server with some IP, let's say IP1. Here is the request log after making the change:

2020-06-05 09:36:57,407 283453 [XNIO-3 task-1] INFO  [LoggingFilter.java:155] - 1 * Server has received a request on thread XNIO-3 task-1
1 > GET http://sandbox-server.com/service/v2/api
1 > Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
1 > Accept-Encoding: gzip
1 > Authorization: Bearer <token>
1 > Cache-Control: no-cache
1 > Connection: close
1 > Content-Type: application/x-www-form-urlencoded; charset=UTF-8
1 > Host: <domain of API>
1 > Pragma: no-cache
1 > User-Agent: Java/1.7.0_79
1 > X-Forwarded-For: <IP - source server from which API call is made>, <some other IP>, <yet another IP>, <yet another IP>
1 > X-Forwarded-Host: <domain of API>
1 > X-Forwarded-Port: 443
1 > X-Forwarded-Proto: https
1 > X-Forwarded-Server: <domain of API>

As can be seen, the IP of the server from which I made the request is the first IP listed under X-Forwarded-For. The rest of the IPs seem to be the servers via which it is routed. I added a different IP in @CrossOrigin -> origins, but the request is still working fine. What else needs to be done?

This is our sandbox server, by the way. I checked the same API logs on production, without making this change. There, I don't see X-Forwarded-For. Instead, I see a Client-IP header:

2019-06-13 07:04:13,357 248327 [XNIO-3 task-17] INFO  [LoggingFilter.java:155] - 47 * Server has received a request on thread XNIO-3 task-17
47 > GET domain-of-api/service/v2/api
47 > Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
47 > Accept-Encoding: gzip
47 > Authorization: Bearer <token>
47 > Cache-Control: no-cache
47 > Client-IP: <IP of an internal server via which traffic is routed>
47 > Connection: Close
47 > Content-Type: application/x-www-form-urlencoded; charset=UTF-8
47 > Host: <domain of API>
47 > Pragma: no-cache
47 > User-Agent: Java/1.7.0_111

Whatever change I make, I need to be able to test on sandbox.

0

There are 0 best solutions below
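Editor's note with an added example; none of this is code from the original post. Two things explain the behaviour above. First, @CrossOrigin configures CORS, which is enforced by browsers by comparing the Origin request header against the allowed list; it is not an IP allowlist. A bare address such as "116.206.111.61" is not even a valid origin (an origin carries a scheme, e.g. https://example.com), and a non-browser client like the Java/1.7.0_79 agent in the log sends no Origin header at all, so CORS never enters the picture. Second, @CrossOrigin is a Spring MVC annotation; it has no effect on a JAX-RS resource method (the @Produces and @Context annotations here are JAX-RS), so even a browser would not see CORS headers from it. Restricting a route to one peer needs a server-side check of the client address. The filter below does that, and it treats X-Forwarded-For the way the log suggests it must be treated: the leftmost entry is whatever the original client put there and can be forged, so the code only trusts entries appended by proxies it knows, walking the list from the right. The package name, the allowed client and the proxy addresses are hypothetical; the imports target javax.servlet (Spring Boot 2.x, which matches the 2020 timeframe; Spring Boot 3.x uses jakarta.servlet instead).

```java
// Added example, not code from the original post. Package, client address and
// proxy addresses are hypothetical placeholders to replace with your own.
package com.example.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects requests whose real client address is not on the allowlist.
 * This is a server-side check and is independent of CORS / @CrossOrigin.
 */
@Component
public class ClientIpAllowlistFilter extends OncePerRequestFilter {

    // Hypothetical: the only peer allowed to call the API.
    static final Set<String> ALLOWED_CLIENTS = setOf("116.206.111.61");

    // Hypothetical: addresses of the proxies / load balancers we operate.
    // Only X-Forwarded-For entries appended by these hops are trustworthy.
    static final Set<String> TRUSTED_PROXIES = setOf("10.0.0.5", "10.0.0.6");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String client = resolveClientIp(request.getRemoteAddr(),
                                        request.getHeader("X-Forwarded-For"));
        if (!ALLOWED_CLIENTS.contains(client)) {
            // Fail closed: unknown or unverifiable source.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Determines the client address. The TCP peer (remoteAddr) is the only
     * value the server observes directly. If that peer is one of our proxies,
     * walk X-Forwarded-For from the right: each trusted proxy appended the
     * address it received the request from, so the first entry that is not a
     * trusted proxy is the real client. Entries further left were supplied by
     * the client itself and may be forged, so they are never used.
     */
    static String resolveClientIp(String remoteAddr, String forwardedFor) {
        if (!TRUSTED_PROXIES.contains(remoteAddr)
                || forwardedFor == null || forwardedFor.trim().isEmpty()) {
            // Direct connection, or a header nobody we trust set: use the peer.
            return remoteAddr;
        }
        List<String> hops = Arrays.asList(forwardedFor.split(","));
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (!TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        // Every listed hop is one of our proxies; treat the peer as the client,
        // which the allowlist will then reject.
        return remoteAddr;
    }

    private static Set<String> setOf(String... values) {
        return Collections.unmodifiableSet(new HashSet<>(Arrays.asList(values)));
    }
}
```

With the X-Forwarded-For value from the sandbox log, the three rightmost entries would have to be listed in TRUSTED_PROXIES for the filter to land on the first entry as the client; any hop that is not listed stops the walk there, which is the safe outcome. On the production path, where the internal proxy sends Client-IP instead, the same rule applies: read that header only when getRemoteAddr() is the proxy that overwrites it, never when it can arrive untouched from the outside. Because the filter resolves the address itself, it does not depend on Spring Boot's forwarded-header handling being switched on.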