Posted to dev@tomcat.apache.org by rj...@apache.org on 2014/11/30 22:37:28 UTC
svn commit: r1642606 - in /tomcat/trunk: java/org/apache/catalina/valves/
test/org/apache/catalina/valves/ webapps/docs/config/
Author: rjung
Date: Sun Nov 30 21:37:27 2014
New Revision: 1642606
URL: http://svn.apache.org/r1642606
Log:
kkolinko review on i1642564 and 1642595:
- addLocalPort => addConnectorPort
- separator "," => ";"
- expose addConnectorPort and invalidAuthenticationWhenDeny
via JMX
- add complete example to docs
Bonus: replace deprecated request.setContext() in unit test.
Modified:
tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java
tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java
tomcat/trunk/java/org/apache/catalina/valves/mbeans-descriptors.xml
tomcat/trunk/test/org/apache/catalina/valves/TestRequestFilterValve.java
tomcat/trunk/webapps/docs/config/valve.xml
Modified: tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java?rev=1642606&r1=1642605&r2=1642606&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java (original)
+++ tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java Sun Nov 30 21:37:27 2014
@@ -28,7 +28,7 @@ import org.apache.catalina.connector.Res
/**
* Concrete implementation of <code>RequestFilterValve</code> that filters
* based on the string representation of the remote client's IP address
- * optionally combined with the server port number.
+ * optionally combined with the server connector port number.
*
* @author Craig R. McClanahan
*/
@@ -37,34 +37,34 @@ public final class RemoteAddrValve exten
// ----------------------------------------------------- Instance Variables
/**
- * Flag deciding whether we add the server port to the property
+ * Flag deciding whether we add the server connector port to the property
* compared in the filtering method. The port will be appended
- * using a "," as a separator.
+ * using a ";" as a separator.
*/
- protected volatile boolean addLocalPort = false;
+ protected volatile boolean addConnectorPort = false;
// ------------------------------------------------------------- Properties
/**
- * Get the flag deciding whether we add the server port to the
+ * Get the flag deciding whether we add the server connector port to the
* property compared in the filtering method. The port will be appended
- * using a "," as a separator.
+ * using a ";" as a separator.
*/
- public boolean getAddLocalPort() {
- return addLocalPort;
+ public boolean getAddConnectorPort() {
+ return addConnectorPort;
}
/**
- * Set the flag deciding whether we add the server port to the
+ * Set the flag deciding whether we add the server connector port to the
* property compared in the filtering method. The port will be appended
- * using a "," as a separator.
+ * using a ";" as a separator.
*
- * @param addLocalPort The new flag
+ * @param addConnectorPort The new flag
*/
- public void setAddLocalPort(boolean addLocalPort) {
- this.addLocalPort = addLocalPort;
+ public void setAddConnectorPort(boolean addConnectorPort) {
+ this.addConnectorPort = addConnectorPort;
}
@@ -87,8 +87,8 @@ public final class RemoteAddrValve exten
throws IOException, ServletException {
String property;
- if (addLocalPort) {
- property = request.getRequest().getRemoteAddr() + "," + request.getConnector().getPort();
+ if (addConnectorPort) {
+ property = request.getRequest().getRemoteAddr() + ";" + request.getConnector().getPort();
} else {
property = request.getRequest().getRemoteAddr();
}
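Review bot: An `allow` or `deny` expression written without a port part silently stops matching once `addConnectorPort` is set, because the value compared in this branch becomes `ADDRESS;PORT`. For `allow` that fails closed. If the base class admits requests when only `deny` is configured and it does not match (not visible in this hunk), a deny-only configuration would fail open. I would state this in the Javadoc of `setAddConnectorPort`, e.g. `* Once enabled, every allow and deny expression must include the ";PORT" suffix, otherwise it never matches.` The same applies to the `getRemoteHost()` branch in RemoteHostValve at -87,8. The enclosing `invoke` method starts and ends outside the hunk.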
Modified: tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java?rev=1642606&r1=1642605&r2=1642606&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java (original)
+++ tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java Sun Nov 30 21:37:27 2014
@@ -28,7 +28,7 @@ import org.apache.catalina.connector.Res
/**
* Concrete implementation of <code>RequestFilterValve</code> that filters
* based on the remote client's host name optionally combined with the
- * server port number.
+ * server connector port number.
*
* @author Craig R. McClanahan
*/
@@ -37,34 +37,34 @@ public final class RemoteHostValve exten
// ----------------------------------------------------- Instance Variables
/**
- * Flag deciding whether we add the server port to the property
+ * Flag deciding whether we add the server connector port to the property
* compared in the filtering method. The port will be appended
- * using a "," as a separator.
+ * using a ";" as a separator.
*/
- protected volatile boolean addLocalPort = false;
+ protected volatile boolean addConnectorPort = false;
// ------------------------------------------------------------- Properties
/**
- * Get the flag deciding whether we add the server port to the
+ * Get the flag deciding whether we add the server connector port to the
* property compared in the filtering method. The port will be appended
- * using a "," as a separator.
+ * using a ";" as a separator.
*/
- public boolean getAddLocalPort() {
- return addLocalPort;
+ public boolean getAddConnectorPort() {
+ return addConnectorPort;
}
/**
- * Set the flag deciding whether we add the server port to the
+ * Set the flag deciding whether we add the server connector port to the
* property compared in the filtering method. The port will be appended
- * using a "," as a separator.
+ * using a ";" as a separator.
*
- * @param addLocalPort The new flag
+ * @param addConnectorPort The new flag
*/
- public void setAddLocalPort(boolean addLocalPort) {
- this.addLocalPort = addLocalPort;
+ public void setAddConnectorPort(boolean addConnectorPort) {
+ this.addConnectorPort = addConnectorPort;
}
@@ -87,8 +87,8 @@ public final class RemoteHostValve exten
throws IOException, ServletException {
String property;
- if (addLocalPort) {
- property = request.getRequest().getRemoteHost() + "," + request.getConnector().getPort();
+ if (addConnectorPort) {
+ property = request.getRequest().getRemoteHost() + ";" + request.getConnector().getPort();
} else {
property = request.getRequest().getRemoteHost();
}
Modified: tomcat/trunk/java/org/apache/catalina/valves/mbeans-descriptors.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/mbeans-descriptors.xml?rev=1642606&r1=1642605&r2=1642606&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/mbeans-descriptors.xml (original)
+++ tomcat/trunk/java/org/apache/catalina/valves/mbeans-descriptors.xml Sun Nov 30 21:37:27 2014
@@ -329,11 +329,16 @@
</mbean>
<mbean name="RemoteAddrValve"
- description="Concrete implementation of RequestFilterValve that filters based on the string representation of the remote client's IP address"
+ description="Concrete implementation of RequestFilterValve that filters based on the string representation of the remote client's IP address"
domain="Catalina"
group="Valve"
type="org.apache.catalina.valves.RemoteAddrValve">
+ <attribute name="addConnectorPort"
+ description="Append the server connector port to the client IP separated by a semicolon"
+ is="true"
+ type="boolean"/>
+
<attribute name="allow"
description="The allow expression"
type="java.lang.String"/>
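Review bot: The new `addConnectorPort` attribute carries no `writeable="false"`, unlike `className` further down, so it can presumably be changed at runtime by anyone with write access to the MBean server. Changing it alters the string that `allow` and `deny` are matched against, and `invalidAuthenticationWhenDeny` (added at -368,6 and -423,6) changes what a refusal does, so both are access-control switches. If runtime changes are not required, add `writeable="false"` to them. Otherwise the description should state the dependency, e.g. `description="Append the server connector port to the client IP separated by a semicolon; allow and deny expressions must then include the port"`. The same applies to the RemoteHostValve attribute at -389,6.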
@@ -349,12 +354,12 @@
is="true"
type="boolean"/>
- <attribute name="className"
+ <attribute name="className"
description="Fully qualified class name of the managed object"
type="java.lang.String"
writeable="false"/>
- <attribute name="deny"
+ <attribute name="deny"
description="The deny expression"
type="java.lang.String"/>
@@ -368,6 +373,11 @@
type="boolean"
writeable="false"/>
+ <attribute name="invalidAuthenticationWhenDeny"
+ description="Send an invalid authentication header instead of deny"
+ is="true"
+ type="boolean"/>
+
<attribute name="stateName"
description="The name of the LifecycleState that this component is currently in"
type="java.lang.String"
@@ -389,6 +399,11 @@
group="Valve"
type="org.apache.catalina.valves.RemoteHostValve">
+ <attribute name="addConnectorPort"
+ description="Append the server connector port to the client IP separated by a semicolon"
+ is="true"
+ type="boolean"/>
+
<attribute name="allow"
description="The allow expression"
type="java.lang.String"/>
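Review bot: The description of `addConnectorPort` on the RemoteHostValve mbean says "client IP", but this valve matches on the client host name, so the text looks copied from the RemoteAddrValve entry. It should read `description="Append the server connector port to the client hostname separated by a semicolon"`. A similar leftover is in valve.xml, where the new lines at +473, +602 and +654 still say `comma (";")` although the separator is now a semicolon.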
@@ -404,12 +419,12 @@
is="true"
type="boolean"/>
- <attribute name="className"
+ <attribute name="className"
description="Fully qualified class name of the managed object"
type="java.lang.String"
writeable="false"/>
- <attribute name="deny"
+ <attribute name="deny"
description="The deny expression"
type="java.lang.String"/>
@@ -423,6 +438,11 @@
type="boolean"
writeable="false"/>
+ <attribute name="invalidAuthenticationWhenDeny"
+ description="Send an invalid authentication header instead of deny"
+ is="true"
+ type="boolean"/>
+
<attribute name="stateName"
description="The name of the LifecycleState that this component is currently in"
type="java.lang.String"
Modified: tomcat/trunk/test/org/apache/catalina/valves/TestRequestFilterValve.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/valves/TestRequestFilterValve.java?rev=1642606&r1=1642605&r2=1642606&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/valves/TestRequestFilterValve.java (original)
+++ tomcat/trunk/test/org/apache/catalina/valves/TestRequestFilterValve.java Sun Nov 30 21:37:27 2014
@@ -56,8 +56,8 @@ public class TestRequestFilterValve {
private static final String HOST_NO_ALLOW_NO_DENY = "host.example.com";
private static final int PORT = 8080;
- private static final String PORT_MATCH_PATTERN = ",\\d*";
- private static final String PORT_NO_MATCH_PATTERN = ",8081";
+ private static final String PORT_MATCH_PATTERN = ";\\d*";
+ private static final String PORT_NO_MATCH_PATTERN = ";8081";
static class TerminatingValve extends ValveBase {
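Review bot: `PORT_MATCH_PATTERN = ";\\d*"` also matches a bare semicolon with no digits after it, so the "port matching" cases would still pass if the valve appended the separator but an empty port. Requiring at least one digit pins the behaviour: `private static final String PORT_MATCH_PATTERN = ";\\d+";`. A comment on the two constants saying they are suffixes appended to the allow/deny patterns would also help, e.g. `// Suffixes appended to allow/deny patterns when addConnectorPort is tested`. The class body continues outside this hunk.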
@@ -81,7 +81,7 @@ public class TestRequestFilterValve {
}
private void oneTest(String allow, String deny, boolean denyStatus,
- boolean addLocalPort, boolean auth,
+ boolean addConnectorPort, boolean auth,
String property, String type, boolean allowed) {
// PREPARE
RequestFilterValve valve = null;
@@ -94,7 +94,7 @@ public class TestRequestFilterValve {
connector.setPort(PORT);
request.setConnector(connector);
- request.setContext(context);
+ request.getMappingData().context = context;
request.setCoyoteRequest(new org.apache.coyote.Request());
if (type == null) {
@@ -130,15 +130,15 @@ public class TestRequestFilterValve {
expected = CUSTOM;
}
}
- if (addLocalPort) {
+ if (addConnectorPort) {
if (valve instanceof RemoteAddrValve) {
- ((RemoteAddrValve)valve).setAddLocalPort(true);
+ ((RemoteAddrValve)valve).setAddConnectorPort(true);
} else if (valve instanceof RemoteHostValve) {
- ((RemoteHostValve)valve).setAddLocalPort(true);
+ ((RemoteHostValve)valve).setAddConnectorPort(true);
} else {
- fail("Can only set 'addLocalPort' for RemoteAddrValve and RemoteHostValve");
+ fail("Can only set 'addConnectorPort' for RemoteAddrValve and RemoteHostValve");
}
- msg.append(" addLocalPort='true'");
+ msg.append(" addConnectorPort='true'");
}
if (auth) {
context.setPreemptiveAuthentication(true);
@@ -193,7 +193,7 @@ public class TestRequestFilterValve {
oneTest(apat, dpat, true, false, auth, OnlyDeny, type, false);
oneTest(apat, dpat, true, false, auth, AllowAndDeny, type, false);
- // Test with port in pattern but forgotten "addLocalPort"
+ // Test with port in pattern but forgotten "addConnectorPort"
apat = allow_pat + PORT_MATCH_PATTERN;
dpat = deny_pat + PORT_MATCH_PATTERN;
oneTest(null, null, false, false, auth, AllowAndDeny, type, false);
@@ -215,7 +215,7 @@ public class TestRequestFilterValve {
oneTest(apat, dpat, true, false, auth, OnlyDeny, type, false);
oneTest(apat, dpat, true, false, auth, AllowAndDeny, type, false);
- // Test with "addLocalPort" but port not in pattern
+ // Test with "addConnectorPort" but port not in pattern
apat = allow_pat;
dpat = deny_pat;
oneTest(null, null, false, true, auth, AllowAndDeny, type, false);
@@ -237,7 +237,7 @@ public class TestRequestFilterValve {
oneTest(apat, dpat, true, true, auth, OnlyDeny, type, false);
oneTest(apat, dpat, true, true, auth, AllowAndDeny, type, false);
- // Test "addLocalPort" and with port matching in both patterns
+ // Test "addConnectorPort" and with port matching in both patterns
apat = allow_pat + PORT_MATCH_PATTERN;
dpat = deny_pat + PORT_MATCH_PATTERN;
oneTest(null, null, false, true, auth, AllowAndDeny, type, false);
@@ -259,7 +259,7 @@ public class TestRequestFilterValve {
oneTest(apat, dpat, true, true, auth, OnlyDeny, type, false);
oneTest(apat, dpat, true, true, auth, AllowAndDeny, type, false);
- // Test "addLocalPort" and with port not matching in both patterns
+ // Test "addConnectorPort" and with port not matching in both patterns
apat = allow_pat + PORT_NO_MATCH_PATTERN;
dpat = deny_pat + PORT_NO_MATCH_PATTERN;
oneTest(null, null, false, true, auth, AllowAndDeny, type, false);
@@ -281,7 +281,7 @@ public class TestRequestFilterValve {
oneTest(apat, dpat, true, true, auth, OnlyDeny, type, false);
oneTest(apat, dpat, true, true, auth, AllowAndDeny, type, false);
- // Test "addLocalPort" and with port matching only in allow
+ // Test "addConnectorPort" and with port matching only in allow
apat = allow_pat + PORT_MATCH_PATTERN;
dpat = deny_pat + PORT_NO_MATCH_PATTERN;
oneTest(null, null, false, true, auth, AllowAndDeny, type, false);
@@ -303,7 +303,7 @@ public class TestRequestFilterValve {
oneTest(apat, dpat, true, true, auth, OnlyDeny, type, false);
oneTest(apat, dpat, true, true, auth, AllowAndDeny, type, true);
- // Test "addLocalPort" and with port matching only in deny
+ // Test "addConnectorPort" and with port matching only in deny
apat = allow_pat + PORT_NO_MATCH_PATTERN;
dpat = deny_pat + PORT_MATCH_PATTERN;
oneTest(null, null, false, true, auth, AllowAndDeny, type, false);
Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1642606&r1=1642605&r2=1642606&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Sun Nov 30 21:37:27 2014
@@ -473,8 +473,8 @@
package. Please consult the Java documentation for details of the
expressions supported.</p>
- <p>Optionally one can append the local server port separated with a
- comma (",") to allow different expressions for each connector.</p>
+ <p>Optionally one can append the server connector port separated with a
+ comma (";") to allow different expressions for each connector.</p>
<p>The behavior when a request is refused can be changed
to not deny but instead set an invalid <code>authentication</code>
@@ -528,11 +528,11 @@
it can be set to the value <code>404</code>.</p>
</attribute>
- <attribute name="addLocalPort" required="false">
- <p>Append the local server port to the client IP address separated
- with a comma (","). If this is set to <code>true</code>, the
+ <attribute name="addConnectorPort" required="false">
+ <p>Append the server connector port to the client IP address separated
+ with a semicolon (";"). If this is set to <code>true</code>, the
expressions configured with <code>allow</code> and
- <code>deny</code> is compared against <code>ADDRESS-PORT</code>
+ <code>deny</code> is compared against <code>ADDRESS;PORT</code>
where <code>ADDRESS</code> is the client IP address and
<code>PORT</code> is the Tomcat connector port which received the
request. The default value is <code>false</code>.</p>
@@ -545,8 +545,8 @@
set. An already existing <code>authentication</code> header will not be
overwritten. In effect this will trigger authentication instead of deny
even if the application does not have a security constraint configured.</p>
- <p>This can be combined with <code>addLocalPort</code> to trigger authentication
- depending on the client and the port that is used to access an application.</p>
+ <p>This can be combined with <code>addConnectorPort</code> to trigger authentication
+ depending on the client and the connector that is used to access an application.</p>
</attribute>
</attributes>
@@ -563,8 +563,22 @@
<p>To allow unrestricted access for the clients connecting from localhost
but for all other clients only to port 8443:</p>
<source><![CDATA[<Valve className="org.apache.catalina.valves.RemoteAddrValve"
- addLocalPort="true"
- allow="127\.\d+\.\d+\.\d+,\d*|::1,\d*|0:0:0:0:0:0:0:1,\d*|.*,8443"/>]]></source>
+ addConnectorPort="true"
+ allow="127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*|.*;8443"/>]]></source>
+ </subsection>
+
+ <subsection name="Example">
+ <p>To allow unrestricted access to port 8009, but trigger basic
+ authentication if the application is access on another port:</p>
+<source><![CDATA[<Context>
+ ...
+ <Valve className="org.apache.catalina.valves.RemoteAddrValve"
+ addConnectorPort="true"
+ invalidAuthenticationWhenDeny="true"
+ allow=".*;8009"/>
+ <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
+ ...
+</Context>]]></source>
</subsection>
</subsection>
@@ -588,8 +602,8 @@
package. Please consult the Java documentation for details of the
expressions supported.</p>
- <p>Optionally one can append the local server port separated with a
- comma (",") to allow different expressions for each connector.</p>
+ <p>Optionally one can append the server connector port separated with a
+ comma (";") to allow different expressions for each connector.</p>
<p>The behavior when a request is refused can be changed
to not deny but instead set an invalid <code>authentication</code>
@@ -640,11 +654,11 @@
it can be set to the value <code>404</code>.</p>
</attribute>
- <attribute name="addLocalPort" required="false">
- <p>Append the local server port to the client hostname separated
- with a comma (","). If this is set to <code>true</code>, the
+ <attribute name="addConnectorPort" required="false">
+ <p>Append the server connector port to the client hostname separated
+ with a comma (";"). If this is set to <code>true</code>, the
expressions configured with <code>allow</code> and
- <code>deny</code> is compared against <code>HOSTNAME-PORT</code>
+ <code>deny</code> is compared against <code>HOSTNAME;PORT</code>
where <code>HOSTNAME</code> is the client hostname and
<code>PORT</code> is the Tomcat connector port which received the
request. The default value is <code>false</code>.</p>
@@ -657,8 +671,8 @@
set. An already existing <code>authentication</code> header will not be
overwritten. In effect this will trigger authentication instead of deny
even if the application does not have a security constraint configured.</p>
- <p>This can be combined with <code>addLocalPort</code> to trigger authentication
- depending on the client and the port that is used to access an application.</p>
+ <p>This can be combined with <code>addConnectorPort</code> to trigger authentication
+ depending on the client and the connector that is used to access an application.</p>
</attribute>
</attributes>