Test remote addr in logs (#17)

openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml

@@ -100,6 +100,8 @@
 
 	<oauth:web-expression-handler id="oauthWebExpressionHandler" />
 
+	<bean id="mdcFilter" class="org.mitre.mdc.MultiMDCFilter"/>
+
 	<!-- Spring Security configuration -->
 
 	<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" stateless="false" />
@@ -117,6 +119,7 @@
 		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
 		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:access-denied-handler ref="oauthAccessDeniedHandler" />
 		<security:csrf disabled="true"/>
 	</security:http>
@@ -125,11 +128,13 @@
 	<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
 		<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:csrf disabled="true"/>
 	</security:http>
 	<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
 		<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:csrf disabled="true"/>
 	</security:http>
 
@@ -137,6 +142,7 @@
 	<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
 		<security:intercept-url pattern="/resources/**" access="permitAll"/>
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:csrf disabled="true"/>
 	</security:http>
 	
@@ -144,6 +150,7 @@
 	<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 		<security:intercept-url pattern="/register/**" access="permitAll"/>
 		<security:csrf disabled="true"/>
@@ -152,6 +159,7 @@
 	<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 		<security:intercept-url pattern="/resource/**" access="permitAll"/>
 		<security:csrf disabled="true"/>
@@ -160,12 +168,14 @@
 	<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 		<security:csrf disabled="true"/>
 	</security:http>
 
  	<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 		<security:csrf disabled="true"/>
 	</security:http>
@@ -180,6 +190,7 @@
 		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
 		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:access-denied-handler ref="oauthAccessDeniedHandler" />
 		<security:csrf disabled="true"/>
 	</security:http>
@@ -194,6 +205,7 @@
 		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:csrf disabled="true"/>
 	</security:http>
 
@@ -207,6 +219,7 @@
 		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:csrf disabled="true"/>
 	</security:http>
 

openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml

@@ -52,6 +52,7 @@
 			<security:frame-options policy="DENY" />
 		</security:headers>
 		<security:csrf />
+		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 	</security:http>	
 
 </beans>

openid-connect-server/src/main/java/org/mitre/mdc/MultiMDCFilter.java

@@ -0,0 +1,37 @@
+package org.mitre.mdc;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.MDC;
+import org.springframework.web.filter.GenericFilterBean;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+
+public class MultiMDCFilter extends GenericFilterBean {
+
+    private static final Logger log = LoggerFactory.getLogger(MultiMDCFilter.class);
+
+    private final RemoteAddressMDCFilter remoteAddressMDCFilter;
+    private final SessionIdMDCFilter sessionIdMDCFilter;
+
+    public MultiMDCFilter() {
+        this.remoteAddressMDCFilter = new RemoteAddressMDCFilter();
+        this.sessionIdMDCFilter = new SessionIdMDCFilter();
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
+            throws IOException, ServletException
+    {
+        log.info("--- Initialized MultiMDCFilter ---");
+        remoteAddressMDCFilter.doFilter(servletRequest);
+        sessionIdMDCFilter.doFilter(servletRequest);
+        filterChain.doFilter(servletRequest, servletResponse);
+        MDC.clear();
+    }
+
+}

openid-connect-server/src/main/java/org/mitre/mdc/RemoteAddressMDCFilter.java

@@ -0,0 +1,44 @@
+package org.mitre.mdc;
+
+import org.slf4j.MDC;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+
+public class RemoteAddressMDCFilter {
+
+    private static final String[] IP_HEADER_CANDIDATES = {
+            "X-Forwarded-For",
+            "Proxy-Client-IP",
+            "WL-Proxy-Client-IP",
+            "HTTP_X_FORWARDED_FOR",
+            "HTTP_X_FORWARDED",
+            "HTTP_X_CLUSTER_CLIENT_IP",
+            "HTTP_CLIENT_IP",
+            "HTTP_FORWARDED_FOR",
+            "HTTP_FORWARDED",
+            "HTTP_VIA",
+            "REMOTE_ADDR"
+    };
+
+    private static final String REMOTE_ADDR = "remoteAddr";
+
+    public void doFilter(ServletRequest servletRequest) {
+        MDC.put(REMOTE_ADDR, getRemoteAddr((HttpServletRequest) servletRequest));
+    }
+
+    private String getRemoteAddr(HttpServletRequest request) {
+        if (request.getRemoteAddr() != null) {
+            return request.getRemoteAddr();
+        }
+
+        for (String header: IP_HEADER_CANDIDATES) {
+            String ipList = request.getHeader(header);
+            if (ipList != null && ipList.length() != 0 && !"unknown".equalsIgnoreCase(ipList)) {
+                return ipList.split(",")[0];
+            }
+        }
+        return "";
+    }
+
+}

openid-connect-server/src/main/java/org/mitre/mdc/SessionIdMDCFilter.java

@@ -0,0 +1,24 @@
+package org.mitre.mdc;
+
+import org.slf4j.MDC;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+
+public class SessionIdMDCFilter {
+
+    private static final int SIZE = 12;
+    private static final String SESSION_ID = "sessionID";
+
+    public void doFilter(ServletRequest servletRequest) {
+        HttpServletRequest req = (HttpServletRequest) servletRequest;
+        if (req.getSession() != null) {
+            String id = req.getSession().getId();
+            if (id != null && id.length() > SIZE) {
+                id = id.substring(0, SIZE);
+            }
+            MDC.put(SESSION_ID, id);
+        }
+    }
+
+}