How to get Client IP Address using Java

In the following tutorial we will show you how you can get the client IP address using servlet specification. We discuss what you can do if your client is behind a proxy or gateway. We explain why this IP address is not always secure to use.

Client IP Address

In java you can access the client IP address through servlet’s request.getRemoteAddr().

String ipAddress = request.getRemoteAddr();

But this answer is far from complete and is quite complicated.

Proxies, Gateways … reliable, Secure?

If your application is running on a webserver that is located behind a reverse proxy or load balancer, then that proxy can be configured to inject the requested IP address in a request header. Different reverse proxies can inject different headers. Consult the documentation for your proxy server. We listed a couple of the most used in our example below but this is by no means a complete list.

  • When your client uses a (forward) proxy, then it might insert headers to say what the client IP addres is. Or it might not. And the IP address inserded here might be incorrect.
  • This means that the value you get by calling request.getRemoteAddr() is the IP address of the immediate upstream source of the request.
  • As we said, there are many headers for different proxies in use, but x-forwareded-for is most likely to be inserted by a proxy.

As a last note, even if you get an IP address either from the header or from request.getRemoteAddr() it is not guarenteed to be the client IP address. e.g.: if your proxy does not include the IP address of the client then you’ll get the IP address of the proxy or load balancer. If your client works on a private network and connect to the internet via a NAT gateway, then the IP address in the HTTP request will be an address of the NAT server. Or even for a hacker it is quite easy to inject a header with a different IP address. So this means that you cannot reliably find out the IP address of the system that the request originated from.

Get Client IP Address

Warning: Be careful if you are implementing security, as all of these headers are easy to fake.
private static final String[] IP_HEADER_CANDIDATES = { 
    "X-Forwarded-For",
    "Proxy-Client-IP",
    "WL-Proxy-Client-IP",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_X_FORWARDED",
    "HTTP_X_CLUSTER_CLIENT_IP",
    "HTTP_CLIENT_IP",
    "HTTP_FORWARDED_FOR",
    "HTTP_FORWARDED",
    "HTTP_VIA",
    "REMOTE_ADDR" };

public static String getClientIpAddress(HttpServletRequest request) {
    for (String header : IP_HEADER_CANDIDATES) {
        String ip = request.getHeader(header);
        if (ip != null && ip.length() != 0 && !"unknown".equalsIgnoreCase(ip)) {
            return ip;
        }
    }
    return request.getRemoteAddr();
}

You may also like...

  • anonymous

    Thank you !