Hi, folks.
We have a scenario in which a user trying to launch the GlassFish
admin console - on the same host where GF is running - specifies the
full host name (rather than localhost) in the address. Further, the
browser is set up to use a proxy (apparently without excluding
localhost).
It seems that in this case request.getRemoteHost returns a value that
is not detected as the local system, so GlassFish treats this as a
remote request (and therefore imposes more stringent security
requirements).
Is there a reliable and trustworthy way for an HTTP server to detect
the true origin of the request, even if it has passed through a proxy
which makes the request appear remote, and so to find out if the
request actually came from the same host where the HTTP server is
running?
If the server tried to do this, is that opening up a potential
security risk whereby a client could find out where the server really
is running and then falsify HTTP headers to make a remote request look
like it came from the same system where the server is running?
Thanks.
- Tim
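One conservative way a server can make this decision, as an added example in the form of a servlet filter (not GlassFish's own code; the class and attribute name are hypothetical): it treats only the TCP peer address, which the client cannot forge, as evidence of local origin, and lets the client-writable X-Forwarded-For header demote a request to remote but never promote it to local. A request that arrives through a proxy on another host therefore stays remote, which is the safe outcome for the scenario above.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical filter: marks a request local only on evidence the remote
 *  client cannot control (the socket peer address), never on headers alone. */
public class LocalOriginFilter implements Filter {
    // Hypothetical attribute name that downstream code could consult.
    public static final String LOCAL_ATTR = "example.localOrigin";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        http.setAttribute(LOCAL_ATTR, isLocalOrigin(http));
        chain.doFilter(req, res);
    }

    static boolean isLocalOrigin(HttpServletRequest req) {
        // getRemoteAddr() is the TCP peer. Through a proxy it is the proxy's
        // address, so a remote proxy can never make a request look local.
        if (!isThisHost(req.getRemoteAddr())) return false;
        // X-Forwarded-For is attacker-writable: it may only demote a request
        // (a proxy on this host forwarding a remote client), never promote one.
        String xff = req.getHeader("X-Forwarded-For");
        if (xff == null || xff.trim().isEmpty()) return true;
        return isThisHost(xff.split(",")[0].trim());
    }

    /** True for loopback or any address bound to one of this host's interfaces
     *  (covers a client that used the full host name instead of localhost). */
    static boolean isThisHost(String ipLiteral) {
        try {
            InetAddress a = InetAddress.getByName(ipLiteral); // IP literal, no DNS
            return a.isLoopbackAddress() || NetworkInterface.getByInetAddress(a) != null;
        } catch (UnknownHostException | SocketException e) {
            return false; // unparsable or unknown: treat as remote
        }
    }
}
```

Because the peer address is the only input here that a remote client cannot set, the filter cannot be fooled into "local" by forged headers; the trade-off is that a request relayed by a proxy on another machine is always classified remote, which is exactly the behaviour the post describes.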