Tomcat version 7.0.82 | Windows
We have a requirement such that admins (Tomcat users) need to log in remotely to the machine where Tomcat is hosted and access the Tomcat webapp to perform certain actions or see certain pages. These pages or actions are not permitted if users log in remotely.

Initially I thought *request.getRemoteAddr* could be used to determine whether the actual client IP is local or not, but it looks like, based on the *X-Forwarded-For* header, it is easy to spoof *request.getRemoteAddr*. The spoofing is possible even from trusted internal proxies.

So I thought *request.getServerName* was more reliable than *request.getRemoteAddr*. But the *HOST* header can be spoofed to reflect *request.getServerName*. Strangely, Tomcat honors the HOST header to update request.getServerName.

I strongly feel this is a Tomcat issue, or let us know how we can reliably determine if the request originated from local, or whether this is something that is not possible.

Thanks in advance,
Vasanth
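One way to enforce the "local only" rule, as an added example and not code from the post above: a servlet filter that decides on the TCP peer address from request.getRemoteAddr(), which Tomcat takes from the socket and which X-Forwarded-For cannot alter unless a RemoteIpValve or RemoteIpFilter has been configured to trust that header (getServerName reflecting the Host header is what the Servlet API specifies, not a Tomcat defect). It assumes Tomcat 7 / Servlet 3.0 (javax.servlet) with no RemoteIp valve or filter in place, and a hypothetical web.xml mapping such as /admin/*.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example filter (not from the original post). Gates a URL pattern so
// that only requests whose TCP peer is a loopback address may pass.
// Assumes Tomcat 7 (Servlet 3.0) and no RemoteIpValve/RemoteIpFilter, so
// getRemoteAddr() is the socket peer address rather than a header value.
public class LocalOnlyFilter implements Filter {

    /** True when the peer address is loopback (127.0.0.0/8 or ::1). */
    static boolean isLoopback(String remoteAddr) {
        try {
            // getRemoteAddr() yields an IP literal, so no DNS lookup happens here
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // unparsable address: fail closed
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String peer = request.getRemoteAddr();
        // The decision uses the socket peer only; X-Forwarded-For and Host are
        // client-controlled headers and are read here purely for logging.
        if (!isLoopback(peer)) {
            request.getServletContext().log("Blocked non-local admin request from "
                    + peer + " X-Forwarded-For=" + request.getHeader("X-Forwarded-For")
                    + " Host=" + request.getHeader("Host"));
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig fc) {}
    @Override public void destroy() {}
}
```

Tomcat's built-in RemoteAddrValve with an `allow` regex matching only the loopback addresses performs the same check from server.xml or context.xml without any code. Either way, a non-loopback peer whose X-Forwarded-For or Host values name localhost is worth logging as an attempted bypass.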