ServerHttpRequest#getURI() changed after Spring Boot 3.4.2. How to get the old behavior?


In Spring Boot 3.4.2, the behavior of ServerHttpRequest#getURI() has changed, particularly in how it processes X-Forwarded-* headers. This change is due to an update in Reactor Netty, which now supports the X-Forwarded-Prefix header. As a result, ServerHttpRequest#getURI() may return the external URI, including the prefix specified by the X-Forwarded-Prefix header, rather than the internal URI.

Understanding the Change:

Previously, Reactor Netty did not process the X-Forwarded-Prefix header, so ServerHttpRequest#getURI() returned the internal URI as received by your application. With the update, Reactor Netty incorporates the X-Forwarded-Prefix header into the URI, reflecting the external request’s original path.

Solution:

To revert to the previous behavior and have ServerHttpRequest#getURI() return the internal URI, you can configure your application to ignore the X-Forwarded-Prefix header. This can be achieved by setting the server.forward-headers-strategy property to none in your application.properties or application.yml file:

server.forward-headers-strategy=none

By setting this property, your application will not process any X-Forwarded-* headers, and ServerHttpRequest#getURI() will return the internal URI as it did prior to the update.

Considerations:

  • Trusting Proxies: If your application is behind a trusted proxy (like Kong) and you want to respect the X-Forwarded-* headers to reconstruct the original request URI, you should set server.forward-headers-strategy to framework. This setting allows Spring to process these headers appropriately.
  • Security Implications: Be cautious when trusting X-Forwarded-* headers, especially if your application is accessible directly without a proxy. Malicious clients can spoof these headers, potentially leading to security vulnerabilities. Ensure that you only trust these headers when they are set by a trusted proxy.
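The following is an added example, not code from the original post or from Spring itself: a small Python model of how the observed URI is derived from the internal URI and the X-Forwarded-* headers under server.forward-headers-strategy=none versus framework, and of why the headers must only be trusted from a known proxy. The trusted_proxies check models the post's advice rather than any Spring property, the Forwarded (RFC 7239) header is not modelled, and all addresses, hosts and header values are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


@dataclass
class Request:
    internal_uri: str   # URI as the server socket saw it, e.g. http://app:8080/api/items
    remote_addr: str    # peer that delivered the request: the proxy, or a direct client
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # header names are case-insensitive
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def resolve_uri(req, strategy, trusted_proxies=None):
    """Return the URI the application would observe through getURI().

    strategy "none": forwarded headers are ignored, the internal URI comes back.
    strategy "framework"/"native": X-Forwarded-Proto/Host/Port/Prefix rewrite the URI.
    trusted_proxies: when given, the headers are honoured only if the peer is listed;
    None models the bare Spring setting, which honours them from any peer.
    """
    if strategy == "none":
        return req.internal_uri
    if trusted_proxies is not None and req.remote_addr not in trusted_proxies:
        return req.internal_uri  # untrusted peer: treat the headers as absent
    scheme, netloc, path, query, fragment = urlsplit(req.internal_uri)
    proto = req.header("X-Forwarded-Proto") or scheme
    host = req.header("X-Forwarded-Host") or netloc
    port = req.header("X-Forwarded-Port")
    if port and ":" not in host and port != DEFAULT_PORTS.get(proto):
        host = f"{host}:{port}"
    prefix = req.header("X-Forwarded-Prefix")
    if prefix:
        # prepending the prefix is the 3.4.2 behaviour change the post describes
        path = "/" + prefix.strip("/") + path
    return urlunsplit((proto, host, path, query, fragment))


# Constructed sample: the request as forwarded by a gateway at 10.0.0.5
VIA_PROXY = Request("http://app:8080/api/items?page=2", "10.0.0.5", {
    "X-Forwarded-Proto": "https", "X-Forwarded-Host": "api.example.com",
    "X-Forwarded-Port": "443", "X-Forwarded-Prefix": "/gateway"})
# Constructed sample: a client that bypasses the proxy and supplies its own headers
DIRECT_CLIENT = Request("http://app:8080/api/items?page=2", "203.0.113.7", {
    "X-Forwarded-Host": "spoofed.example", "X-Forwarded-Prefix": "/gateway"})
```

With strategy "none" both requests resolve to the internal URI; with "framework" the gateway's request resolves to the external https://api.example.com/gateway/... URI, and the direct client's headers are honoured too unless a trusted-proxy list excludes its address.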

For more detailed information on this change, you can refer to the Reactor Netty issue discussion:

By adjusting the server.forward-headers-strategy property, you can control how your application processes forwarded headers and maintain the desired behavior of ServerHttpRequest#getURI().
