Posted to dev@tomcat.apache.org by kk...@apache.org on 2014/03/02 13:46:25 UTC

svn commit: r1573294 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/valves/SSLValve.java webapps/docs/changelog.xml webapps/docs/config/valve.xml

Author: kkolinko
Date: Sun Mar  2 12:46:24 2014
New Revision: 1573294

URL: http://svn.apache.org/r1573294
Log:
CTR: docs

Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56093
Provide documentation for SSLValve.
Backport of r1073184, r1568921

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1073184,1568921
  Merged /tomcat/tc7.0.x/trunk:r1568922

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java?rev=1573294&r1=1573293&r2=1573294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java Sun Mar  2 12:46:24 2014
@@ -32,22 +32,35 @@ import org.apache.catalina.connector.Res
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 
-/*
- * Valve to fill the SSL informations in the request
- * mod_header is used to fill the headers and the valve
- * will fill the parameters of the request.
+/**
+ * When using mod_proxy_http, the client SSL information is not included in the
+ * protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL
+ * information available to Tomcat, some additional configuration is required.
+ * In httpd, mod_headers is used to add the SSL information as HTTP headers. In
+ * Tomcat, this valve is used to read the information from the HTTP headers and
+ * insert it into the request.<p>
+ *
+ * <b>Note: Ensure that the headers are always set by httpd for all requests to
+ * prevent a client spoofing SSL information by sending fake headers. </b><p>
+ *
  * In httpd.conf add the following:
- * <IfModule ssl_module>
+ * <pre>
+ * &lt;IfModule ssl_module&gt;
  *   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  *   RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
  *   RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
  *   RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
- * </IfModule>
- *
- * @author Jean-Frederic Clere
+ * &lt;/IfModule&gt;
+ * </pre>
  *
+ * In server.xml, configure this valve under the Engine element in server.xml:
+ * <pre>
+ * &lt;Engine ...&gt;
+ *   &lt;Valve className="org.apache.catalina.valves.SSLValve" /&gt;
+ *   &lt;Host ... /&gt;
+ * &lt;/Engine&gt;
+ * </pre>
  */
-
 public class SSLValve extends ValveBase {
 
     private static final Log log = LogFactory.getLog(SSLValve.class);
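Review bot: The new Javadoc tells operators to ensure httpd always sets the SSL_* headers, but the sample that follows wraps all four `RequestHeader set` lines in `<IfModule ssl_module>`, so on a server where mod_ssl is not loaded the block is skipped and client-supplied values would be forwarded unchanged. I would add a sentence after the spoofing note, for example ` * The directives below only take effect when mod_ssl is loaded; also make sure the Tomcat HTTP connector accepts connections only from httpd.` The same warning and sample are repeated in the valve.xml hunk and would benefit from the same caveat. Separately, "In server.xml, configure this valve under the Engine element in server.xml" says "in server.xml" twice; ` * In server.xml, configure this valve under the Engine element:` reads better. The class body continues outside the hunk, so how the valve treats absent or placeholder header values is not visible here.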

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1573294&r1=1573293&r2=1573294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Mar  2 12:46:24 2014
@@ -44,6 +44,13 @@
  General, Catalina, Coyote, Jasper, Cluster, Web applications, Other
 -->
 <section name="Tomcat 6.0.40" rtext="">
+  <subsection name="Web applications">
+    <changelog>
+      <add>
+        <bug>56093</bug>: Documentation for SSLValve. (markt/kkolinko)
+      </add>
+    </changelog>
+  </subsection>
   <subsection name="Other">
     <changelog>
       <scode>

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml?rev=1573294&r1=1573293&r2=1573294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml Sun Mar  2 12:46:24 2014
@@ -964,7 +964,48 @@
 
 </section>
 
+<section name="SSL Valve">
 
+  <subsection name="Introduction">
+
+    <p>When using mod_proxy_http, the client SSL information is not included in
+    the protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL
+    information available to Tomcat, some additional configuration is required.
+    In httpd, mod_headers is used to add the SSL information as HTTP headers. In
+    Tomcat, this valve is used to read the information from the HTTP headers and
+    insert it into the request.</p>
+
+    <p>Note: Ensure that the headers are always set by httpd for all requests to
+    prevent a client spoofing SSL information by sending fake headers.</p>
+
+    <p>To configure httpd to set the necessary headers, add the following:</p>
+<source>&lt;IfModule ssl_module&gt;
+  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
+  RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
+  RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
+  RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
+&lt;/IfModule&gt;</source>
+
+  </subsection>
+
+  <subsection name="Attributes">
+
+    <p>The <strong>SSL Valve</strong> supports the following configuration
+    attribute:</p>
+
+    <attributes>
+
+      <attribute name="className" required="true">
+        <p>Java class name of the implementation to use.  This MUST be set to
+        <strong>org.apache.catalina.valves.SSLValve</strong>.
+        </p>
+      </attribute>
+
+    </attributes>
+
+  </subsection>
+
+</section>
 </body>
 
 


