Posted to dev@tomcat.apache.org by mi...@apache.org on 2019/07/09 20:00:59 UTC
[tomcat] 01/01: BZ 63556: Mark request as forwarded in
RemoteIpValve and RemoteIpFilter
This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch mark-forwarded-request/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit db6e8222c7717c4443fcdebe479e9417c5deaa46
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Tue Jul 9 14:59:09 2019 +0200
BZ 63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter
---
java/org/apache/catalina/Globals.java | 9 +++++++
.../apache/catalina/filters/RemoteIpFilter.java | 4 +++
java/org/apache/catalina/valves/RemoteIpValve.java | 4 +++
.../catalina/filters/TestRemoteIpFilter.java | 23 +++++++++++++++++
.../apache/catalina/valves/TestRemoteIpValve.java | 30 ++++++++++++++++++++++
webapps/docs/changelog.xml | 8 ++++++
6 files changed, 78 insertions(+)
diff --git a/java/org/apache/catalina/Globals.java b/java/org/apache/catalina/Globals.java
index 8801724..b25ee32 100644
--- a/java/org/apache/catalina/Globals.java
+++ b/java/org/apache/catalina/Globals.java
@@ -199,6 +199,15 @@ public final class Globals {
org.apache.coyote.Constants.REMOTE_ADDR_ATTRIBUTE;
+ /**
+ * The request attribute that is set to the value of {@code Boolean.TRUE}
+ * by the RemoteIpFilter, RemoteIpValve (and other similar components) that identifies
+ * a request which been forwarded via one or more proxies.
+ */
+ public static final String REQUEST_FORWARDED_ATTRIBUTE =
+ "org.apache.tomcat.request.forwarded";
+
+
public static final String ASYNC_SUPPORTED_ATTR =
"org.apache.catalina.ASYNC_SUPPORTED";
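Review bot: The Javadoc added for `REQUEST_FORWARDED_ATTRIBUTE` reads "a request which been forwarded" and should say `a request which has been forwarded via one or more proxies.` Nothing in this commit sets the attribute to `Boolean.FALSE`, so the Javadoc should also state that the attribute is absent (`getAttribute` returns `null`) on requests that were not marked, and that consumers should test it with `Boolean.TRUE.equals(...)`. Because downstream code is likely to treat this attribute as a trust signal, it would help to add that it is only as reliable as the proxy configuration of the component that set it.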
diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java b/java/org/apache/catalina/filters/RemoteIpFilter.java
index 5c04858..1afe033 100644
--- a/java/org/apache/catalina/filters/RemoteIpFilter.java
+++ b/java/org/apache/catalina/filters/RemoteIpFilter.java
@@ -82,6 +82,8 @@ import org.apache.tomcat.util.res.StringManager;
* <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
* <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the
* <code>$httpsServerPort</code> configuration parameter.</li>
+ * <li>Mark the request with the attribute {@link Globals#REQUEST_FORWARDED_ATTRIBUTE} and value {@code Boolean.TRUE} to indicate
+ * that this request has been forwarded by one or more proxies.</li>
* </ul>
* <table border="1">
* <caption>Configuration parameters</caption>
@@ -820,6 +822,8 @@ public class RemoteIpFilter extends GenericFilter {
}
}
+ request.setAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE, Boolean.TRUE);
+
if (log.isDebugEnabled()) {
log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + request.getRemoteAddr()
+ "', originalRemoteHost='" + request.getRemoteHost() + "', originalSecure='" + request.isSecure()
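Review bot: The new `request.setAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE, Boolean.TRUE)` sits after the two closing braces of the header-handling blocks, so within this hunk it does not depend on a forwarded header actually having been present. The enclosing branch starts outside the hunk; if it is entered for every request whose remote address matches the trusted-proxy patterns, a request arriving directly from such an address with no `remoteIpHeader` would still be marked as forwarded. Either state that on the line, e.g. `// set for every request accepted from a trusted proxy address, even if no remoteIpHeader was sent`, or guard the call on the header having been processed. The same placement appears in the second `RemoteIpValve.java` hunk.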
diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java
index 145b095..cd08cc7 100644
--- a/java/org/apache/catalina/valves/RemoteIpValve.java
+++ b/java/org/apache/catalina/valves/RemoteIpValve.java
@@ -64,6 +64,8 @@ import org.apache.tomcat.util.http.MimeHeaders;
* <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
* <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the
* <code>$httpsServerPort</code> configuration parameter.</li>
+ * <li>Mark the request with the attribute {@link Globals#REQUEST_FORWARDED_ATTRIBUTE} and value {@code Boolean.TRUE} to indicate
+ * that this request has been forwarded by one or more proxies.</li>
* </ul>
* <table border="1">
* <caption>Configuration parameters</caption>
@@ -651,6 +653,8 @@ public class RemoteIpValve extends ValveBase {
}
}
+ request.setAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE, Boolean.TRUE);
+
if (log.isDebugEnabled()) {
log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + originalRemoteAddr
+ "', originalRemoteHost='" + originalRemoteHost + "', originalSecure='" + originalSecure + "', originalScheme='"
diff --git a/test/org/apache/catalina/filters/TestRemoteIpFilter.java b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
index f7f2093..956bbf1 100644
--- a/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+++ b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
@@ -42,6 +42,7 @@ import org.junit.Test;
import org.apache.catalina.AccessLog;
import org.apache.catalina.Context;
+import org.apache.catalina.Globals;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.connector.Request;
@@ -624,6 +625,28 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
actualRequest.getAttribute(AccessLog.REMOTE_HOST_ATTRIBUTE));
}
+ @Test
+ public void testRequestForwarded() throws Exception {
+ // PREPARE
+ FilterDef filterDef = new FilterDef();
+ filterDef.addInitParameter("protocolHeader", "x-forwarded-proto");
+ filterDef.addInitParameter("remoteIpHeader", "x-my-forwarded-for");
+ filterDef.addInitParameter("httpServerPort", "8080");
+
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setRemoteAddr("192.168.0.10");
+ request.setHeader("x-my-forwarded-for", "140.211.11.130");
+ request.setHeader("x-forwarded-proto", "http");
+
+ // TEST
+ HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();
+
+ // VERIFY
+ Assert.assertEquals("org.apache.tomcat.request.forwarded",
+ Boolean.TRUE,
+ actualRequest.getAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE));
+ }
+
/*
* Test {@link RemoteIpFilter} in Tomcat standalone server
*/
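Review bot: `testRequestForwarded` covers only the positive case, with remote address `192.168.0.10`, so nothing checks that the marker stays unset when the forwarding header arrives from an address that is not a trusted proxy. That negative case is the one that matters to anything using the attribute for a trust decision, and a later refactoring that moved the `setAttribute` call out of the trusted branch would go unnoticed. A companion test along the lines below would close the gap; it assumes the default `internalProxies` patterns do not match the sample address. `TestRemoteIpValve.testRequestForwarded` has the same gap.

```java
@Test
public void testRequestNotForwardedFromUntrustedAddress() throws Exception {
    // PREPARE
    FilterDef filterDef = new FilterDef();
    filterDef.addInitParameter("remoteIpHeader", "x-my-forwarded-for");

    MockHttpServletRequest request = new MockHttpServletRequest();
    // constructed sample address (documentation range), not a private/internal address
    request.setRemoteAddr("203.0.113.10");
    request.setHeader("x-my-forwarded-for", "140.211.11.130");

    // TEST
    HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();

    // VERIFY
    Assert.assertNull(actualRequest.getAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE));
}
```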
diff --git a/test/org/apache/catalina/valves/TestRemoteIpValve.java b/test/org/apache/catalina/valves/TestRemoteIpValve.java
index 5d93d84..8ab03b4 100644
--- a/test/org/apache/catalina/valves/TestRemoteIpValve.java
+++ b/test/org/apache/catalina/valves/TestRemoteIpValve.java
@@ -27,6 +27,7 @@ import org.junit.Assert;
import org.junit.Test;
import org.apache.catalina.AccessLog;
+import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
@@ -985,6 +986,35 @@ public class TestRemoteIpValve {
request.getAttribute(AccessLog.REMOTE_HOST_ATTRIBUTE));
}
+ @Test
+ public void testRequestForwarded() throws Exception {
+
+ // PREPARE
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
+ remoteIpValve.setProtocolHeader("x-forwarded-proto");
+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
+
+ Request request = new MockRequest();
+ request.setCoyoteRequest(new org.apache.coyote.Request());
+ // client ip
+ request.setRemoteAddr("192.168.0.10");
+ request.setRemoteHost("192.168.0.10");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130");
+ // protocol
+ request.setServerPort(8080);
+ request.getCoyoteRequest().scheme().setString("http");
+
+ // TEST
+ remoteIpValve.invoke(request, null);
+
+ // VERIFY
+ Assert.assertEquals("org.apache.tomcat.request.forwarded",
+ Boolean.TRUE,
+ request.getAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE));
+ }
+
private void assertArrayEquals(String[] expected, String[] actual) {
if (expected == null) {
Assert.assertNull(actual);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index bcc5a0c..2e7a08b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -45,6 +45,14 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.23 (markt)" rtext="in development">
+ <subsection name="Catalina">
+ <changelog>
+ <add>
+ <bug>63556</bug>: Mark request as forwarded in RemoteIpValve and
+ RemoteIpFilter (michaelo)
+ </add>
+ </changelog>
+ </subsection>
<subsection name="Coyote">
<changelog>
<scode>