Is it Secure to Authenticate Solely Based on Spring Security's hasIpAddress Configuration?


I have some concerns regarding the authentication process solely relying on the hasIpAddress configuration in Spring Security. When I configure the X-Forwarded-For header in both Tomcat and Undertow, I notice that they take the first value and place it into the remoteAddr of the servlet.

However, considering that the X-Forwarded-For header can be spoofed, I'm wondering if relying solely on this configuration for authentication is secure. Additionally, I'm curious why Spring Security continues to maintain this configuration despite being aware of this vulnerability.


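The core of the problem is that hasIpAddress only ever sees whatever remote address the servlet container hands it. If the container (or a filter in front of it) copies the leftmost X-Forwarded-For entry into remoteAddr, that value was chosen by the client, so any IP allowlist built on it is bypassable. The usual fix is to resolve the client address the way a reverse-proxy-aware component does: walk the chain from the right (the socket peer) leftwards, skip only the proxies you operate, and stop at the first address you do not trust. The following is an added example (not Spring Security's or Tomcat's code) that models that logic in Python so it can be run offline; the proxy ranges, client allowlist and request values are constructed for the demonstration, and the trusted-proxy idea is the same one Tomcat's RemoteIpValve applies when it is given its proxy ranges.

```python
import ipaddress

# Constructed example: the only hops allowed to append to X-Forwarded-For
# before a request reaches the servlet container (our own reverse proxies).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]

# Constructed example: the network that hasIpAddress would be asked to permit.
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]


def naive_client_ip(xff, peer):
    """Leftmost X-Forwarded-For entry wins, as the question describes.

    The leftmost entry is supplied by whoever sent the request, so this value
    is attacker-controlled whenever the header is honoured at all.
    """
    if xff:
        return xff.split(",")[0].strip()
    return peer


def client_ip_from_trusted_chain(xff, peer, trusted=TRUSTED_PROXIES):
    """Resolve the client address by walking the hop chain from the right.

    chain = [xff entries..., peer]; the rightmost element is the TCP peer we
    actually talked to. Trusted proxies are skipped, and the first untrusted
    address is the client. A spoofed leftmost entry is only reached if every
    hop to its right is one of our proxies, which an outside attacker cannot
    arrange. Returns None when the chain is malformed or consists entirely of
    trusted proxies, so the caller denies instead of guessing.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    chain = hops + [peer]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the header: refuse rather than guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None


def has_ip_address(ip, allowed=ALLOWED_CLIENTS):
    """Stand-in for the hasIpAddress check: is the resolved client in the allowlist?"""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    # Constructed requests: (description, X-Forwarded-For header, socket peer)
    requests = [
        ("direct hit, spoofed XFF", "203.0.113.5", "198.51.100.7"),
        ("via proxy, honest client", "203.0.113.5", "10.0.0.2"),
        ("via proxy, spoofed XFF + real IP appended", "203.0.113.5, 198.51.100.7", "10.0.0.2"),
        ("via proxy, malformed entry", "203.0.113.5, not-an-ip", "10.0.0.2"),
    ]
    for label, xff, peer in requests:
        naive = naive_client_ip(xff, peer)
        safe = client_ip_from_trusted_chain(xff, peer)
        print(f"{label:45} naive={naive!s:20} allowed={has_ip_address(naive)!s:5} "
              f"trusted-chain={safe!s:20} allowed={has_ip_address(safe)}")
```

Two deployment points follow from this. First, the container must only accept connections from the trusted proxy ranges (a firewall or network policy in front of it), because a direct connection from an attacker carries a peer address that is not a proxy and the header is then correctly ignored, but only if the resolver knows which peers are proxies. Second, never configure the forwarded-header handling to take the leftmost value; if the proxy layer cannot be enumerated, the safe fallback is to ignore X-Forwarded-For entirely and accept that hasIpAddress then sees only the proxy's address.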