chore: improve DebugWindow connection denied log message (#23454) (#23462)

vaadin-bot · mcollovati · web-flow · commit 0afba809f006 · 2026-02-10T13:19:05.000+01:00
Splits the message so that the exact cause of the problem is shown
instead of presenting both the cases.

Log the denied address and allowed hosts list at each rejection
point in isAllowedDevToolsHost, so users can diagnose why their
debug window connection was refused.

Co-authored-by: Marco Collovati &lt;marco@vaadin.com&gt;
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java b/flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java
@@ -438,13 +438,23 @@ static boolean isAllowedDevToolsHost(AbstractConfiguration configuration,
                 && !hostsAllowedFromCfg.isBlank()) ? hostsAllowedFromCfg : null;
 
         if (!isAllowedDevToolsHost(remoteAddress, hostsAllowed, true)) {
+            getLogger().debug(
+                    "Dev tools access denied for remote address '{}'. Allowed hosts: [{}]",
+                    remoteAddress, hostsAllowed);
             return false;
         }
         String remoteHeaderIp = configuration.getStringProperty(
                 SERVLET_PARAMETER_DEVMODE_REMOTE_ADDRESS_HEADER, null);
         if (remoteHeaderIp != null) {
-            return isAllowedDevToolsHost(request.getHeader(remoteHeaderIp),
-                    hostsAllowed, false);
+            String headerValue = request.getHeader(remoteHeaderIp);
+            boolean allowed = isAllowedDevToolsHost(headerValue, hostsAllowed,
+                    false);
+            if (!allowed) {
+                getLogger().debug(
+                        "Dev tools access denied for address '{}' from header '{}'. Allowed hosts: [{}]",
+                        headerValue, remoteHeaderIp, hostsAllowed);
+            }
+            return allowed;
         }
 
         Enumeration<String> allForwardedForHeaders = request
@@ -461,18 +471,35 @@ static boolean isAllowedDevToolsHost(AbstractConfiguration configuration,
                 // Validate all hops
                 String[] hops = forwardedFor.split(",");
                 if (hops.length > 0) {
-                    return Stream.of(hops).map(String::trim)
+                    boolean allAllowed = Stream.of(hops).map(String::trim)
                             .allMatch(ip -> isAllowedDevToolsHost(ip,
                                     hostsAllowed, false));
+                    if (!allAllowed) {
+                        getLogger().debug(
+                                "Dev tools access denied. Not all X-Forwarded-For addresses are allowed."
+                                        + " X-Forwarded-For: '{}'. Allowed hosts: [{}]",
+                                forwardedFor, hostsAllowed);
+                    }
+                    return allAllowed;
                 } else {
                     // Potential fake header with no addresses, e.g.
                     // 'X-Forwarded-For: ,,,'
+                    getLogger().debug(
+                            "Dev tools access denied because of empty or invalid X-Forwarded-For header");
                     return false;
                 }
 
             } else {
-                return isAllowedDevToolsHost(forwardedFor.trim(), hostsAllowed,
-                        false);
+                String trimmedForwardedFor = forwardedFor.trim();
+                boolean allowed = isAllowedDevToolsHost(trimmedForwardedFor,
+                        hostsAllowed, false);
+                if (!allowed) {
+                    getLogger().debug(
+                            "Dev tools access denied for X-Forwarded-For address '{}'."
+                                    + " Allowed hosts: [{}]",
+                            trimmedForwardedFor, hostsAllowed);
+                }
+                return allowed;
             }
         }
 
diff --git a/vaadin-dev-server/src/main/java/com/vaadin/base/devserver/DebugWindowConnection.java b/vaadin-dev-server/src/main/java/com/vaadin/base/devserver/DebugWindowConnection.java
@@ -191,12 +191,17 @@ protected DevToolsInterface getDevToolsInterface(
 
     @Override
     public void onConnect(AtmosphereResource resource) {
-        if (DevToolsToken.getToken()
-                .equals(resource.getRequest().getParameter("token"))) {
+        String requestToken = resource.getRequest().getParameter("token");
+        if (DevToolsToken.getToken().equals(requestToken)) {
             handleConnect(resource);
         } else {
-            getLogger().debug(
-                    "Connection denied because of a missing or invalid token. Either the host is not on the 'vaadin.devmode.hosts-allowed' list or it is using an outdated token");
+            if (requestToken == null) {
+                getLogger().debug(
+                        "Connection denied because the host is not on the 'vaadin.devmode.hosts-allowed' list");
+            } else {
+                getLogger().debug(
+                        "Connection denied because of an invalid or outdated security token.");
+            }
             try {
                 resource.close();
             } catch (IOException e) {
