What would be the best approach to detect if a web application is accessed locally? I am interested in checking this in a filter (javax.servlet.Filter
). I could check the ServletRequest#getRemoteAddr()
if it is 127.0.0.1
, but if it is running in a IPv6 machine, the address would be 0:0:0:0:0:0:0:1
.
Are there any other pitfalls I should be aware of, or if I just check for these 2 string patterns, I would be OK?
In theory, the following ought to be sufficient.
if (request.getRemoteAddr().equals(request.getLocalAddr())) {
// Locally accessed.
} else {
// Remotely accessed.
}
Update as per the comments, request.getLocalAddr()
seems to return 0.0.0.0
which can indeed happen when the server is behind a proxy.
You may instead want to compare it against the addresses as resolved by InetAddress
.
private Set<String> localAddresses = new HashSet<String>();
@Override
public void init(FilterConfig config) throws ServletException {
try {
localAddresses.add(InetAddress.getLocalHost().getHostAddress());
for (InetAddress inetAddress : InetAddress.getAllByName("localhost")) {
localAddresses.add(inetAddress.getHostAddress());
}
} catch (IOException e) {
throw new ServletException("Unable to lookup local addresses");
}
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
if (localAddresses.contains(request.getRemoteAddr())) {
// Locally accessed.
} else {
// Remotely accessed.
}
}
In my case, the localAddresses
contains the following:
[192.168.1.101, 0:0:0:0:0:0:0:1, 127.0.0.1]