authentication - Is it possible to accurately determine the IP address of a client in java servlet

I want to configure a machine in my network to accept all calls from a specific machine without authentication. For this I am planning to use the IP address of the client machine as the required trust factor to allow unchecked authentication.

My concern is: is it possible to accurately determine the IP address of a client in a Java servlet? Is it possible that the IP which I get in the servlet can be changed by some hacking mechanism to make my server believe that it is the trusted IP?

For example, if my server machine is configured to trust 192.168.0.1, is it possible for some client other than 192.168.0.1 to pretend to be 192.168.0.1 and fool my authentication mechanism?

1 Reply

You can use the getRemoteAddr() method from the HttpServletRequest class to obtain the IP address. Be careful, though. If your client is behind a proxy server (or even a NATting firewall), you'll get the proxy IP address instead.

So, you can also look for the X-Forwarded-For HTTP header (standard for identifying the source IP address of a client behind an HTTP proxy). See more on Wikipedia. Be careful, though. If your client is NOT behind a proxy, you can get a null XFF header. So, if you are to follow this path, you should use a mix of the servlet methods and XFF header evaluation. There is no guarantee, though, that the proxy will forward you the header.

But be aware that the source IP address can be easily changed or faked by any malicious client. I really recommend using some sort of client authentication (a certificate, for example). There is no way for a web app to accurately determine the client IP address.


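The following servlet filter is an added example, not code from the question or the answer above. It shows the two points the answer makes in working form: `getRemoteAddr()` only tells you the TCP peer, and `X-Forwarded-For` is only meaningful when the peer is a reverse proxy you operate (it walks the header from the right, discarding your own proxies, so a header the client forged is never taken at face value). It then does what the answer recommends and treats the address as an allow-list hint only, requiring a client certificate (the standard `javax.servlet.request.X509Certificate` request attribute, populated by the container when it terminates mutual TLS) for the actual trust decision. The proxy address `10.0.0.5`, the peer `192.168.0.1`, the subject `CN=build-agent`, and the class and method names are hypothetical placeholders; the `javax.servlet` API is assumed (use `jakarta.servlet` on Servlet 5+).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original answer). Derives the client address
 * the way the answer describes, then refuses to accept that address alone as
 * an authentication factor. All constants below are hypothetical.
 */
public class TrustedClientFilter implements Filter {

    // Reverse proxies we operate: only these may append to X-Forwarded-For.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    // The peer the question wants to admit, and the subject of its client cert.
    private static final String TRUSTED_CLIENT = "192.168.0.1";
    private static final String TRUSTED_CLIENT_CN = "CN=build-agent";

    /**
     * Address presented by the last hop we do NOT control.
     * If the TCP peer is not one of our proxies, X-Forwarded-For is ignored:
     * any client can send that header, so it only means something when a
     * proxy we control wrote it.
     */
    static String effectiveClientAddress(String remoteAddr, String xff, Set<String> trustedProxies) {
        if (!trustedProxies.contains(remoteAddr)) {
            return remoteAddr;                   // direct connection, header untrusted
        }
        if (xff == null || xff.trim().isEmpty()) {
            return remoteAddr;                   // proxy did not forward the header
        }
        // XFF is "client, proxy1, proxy2, ...": each proxy appends the peer it saw.
        // Walk from the right, dropping the proxies we trust; the first address
        // that is not ours is the peer our proxy actually accepted the TCP
        // connection from. A forged header on the left is never reached.
        List<String> hops = Arrays.asList(xff.split("\\s*,\\s*"));
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i);
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;                       // every listed hop was ours
    }

    /** Subject DN of the client certificate, if the container negotiated mutual TLS. */
    static String clientCertSubject(HttpServletRequest req) {
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            if (chain.length > 0) {
                return chain[0].getSubjectX500Principal().getName();
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String addr = effectiveClientAddress(req.getRemoteAddr(),
                                             req.getHeader("X-Forwarded-For"),
                                             TRUSTED_PROXIES);
        String subject = clientCertSubject(req);

        // The address only narrows who may attempt the call; identity comes
        // from the certificate, as the answer recommends.
        boolean addrOk = TRUSTED_CLIENT.equals(addr);
        boolean certOk = subject != null && subject.startsWith(TRUSTED_CLIENT_CN);
        if (!(addrOk && certOk)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

A few notes on the design: with the trusted-proxy walk, a client that connects directly and sends `X-Forwarded-For: 192.168.0.1` still resolves to its own peer address, because the header is ignored unless `getRemoteAddr()` is one of our proxies; if it goes through our proxy, the proxy appends the real peer on the right and that is what the walk returns. If the proxy is configured to replace the header rather than append, or if the proxy list is wrong, the result is wrong too, which is the "no guarantee the proxy forwards the header" caveat from the answer. In production, Tomcat's `RemoteIpValve` / `RemoteIpFilter` implement this same trusted-proxy rewriting of `getRemoteAddr()` and are preferable to hand-rolled parsing. Matching the certificate by subject prefix is the minimum; pinning the certificate's public key or issuer is stronger.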