Sets correct remote address in WebAuthenticationDetails

Author: clzola

web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java

@@ -29,6 +29,7 @@
  *
  * @author Ben Alex
  * @author Luke Taylor
+ * @author Lazar Radinović
  */
 public class WebAuthenticationDetails implements Serializable {
 
@@ -44,7 +45,7 @@ public class WebAuthenticationDetails implements Serializable {
 	 * @param request that the authentication request was received from
 	 */
 	public WebAuthenticationDetails(HttpServletRequest request) {
-		this(request.getRemoteAddr(), extractSessionId(request));
+		this(getClientIp(request), extractSessionId(request));
 	}
 
 	/**
@@ -58,6 +59,20 @@ public WebAuthenticationDetails(String remoteAddress, String sessionId) {
 		this.sessionId = sessionId;
 	}
 
+	private static String getClientIp(HttpServletRequest request) {
+		String ip = request.getHeader("X-Forwarded-For");
+		if (ip != null && !ip.isBlank()) {
+			// Take the first IP (original client)
+			return ip.split(",")[0].trim();
+		}
+
+		// Alternative proxy header
+		ip = request.getHeader("X-Real-IP");
+
+		// Fallback to direct client ip
+		return (ip != null && !ip.isBlank()) ? ip : request.getRemoteAddr();
+	}
+
 	private static String extractSessionId(HttpServletRequest request) {
 		HttpSession session = request.getSession(false);
 		return (session != null) ? session.getId() : null;