Get Client IP from a Server JSP [Security]

I want to know security issue using jsp method request.getRemoteAddr();.

I want to filter some client IP (I can't use firewall :-().

I was wondering in this way an attacker can chang开发者_StackOverflow中文版e the ip source of HTTP Request?

Or the client ip is build from layer 3?

I want to check the security of this method against forging of HTTP Request (similar to ip spoofing that instead is based on layer 3 IP).

Thanks to all,

Andrea

---

The "client" IP address of an HTTP request is actually the IP of the last HTTP proxy. The client can't spoof it, but if the client uses a proxy (and many do) then the IP address won't be much help in identifying the source of the request.

---

I want just to be sure that the all the request come to my server through a proxy, and I don't want that a client can change this information in order to let the server think that is coming from a proxy while it's not...

It is theoretically possible for a client to spoof the IP address of the proxy, but it is not easy.