You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by rj...@apache.org on 2012/12/05 21:21:01 UTC
svn commit: r1417624 [12/38] - in /tomcat/site/trunk/docs/tomcat-8.0-doc: ./
api/ appdev/ appdev/sample/ appdev/sample/docs/ appdev/sample/src/
appdev/sample/src/mypackage/ appdev/sample/web/ appdev/sample/web/WEB-INF/
appdev/sample/web/images/ archite...
Added: tomcat/site/trunk/docs/tomcat-8.0-doc/config/filter.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-8.0-doc/config/filter.html?rev=1417624&view=auto
==============================================================================
--- tomcat/site/trunk/docs/tomcat-8.0-doc/config/filter.html (added)
+++ tomcat/site/trunk/docs/tomcat-8.0-doc/config/filter.html Wed Dec 5 20:20:35 2012
@@ -0,0 +1,1226 @@
+<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 8 Configuration Reference (8.0.0-dev) - Container Provided Filters</title><style type="text/css" media="print">
+ .noPrint {display: none;}
+ td#mainBody {width: 100%;}
+ </style><style type="text/css">
+ code {background-color:rgb(224,255,255);padding:0 0.1em;}
+ code.attributeName, code.propertyName {background-color:transparent;}
+ </style><style type="text/css">
+ .wrapped-source code { display: block; background-color: transparent; }
+ .wrapped-source div { margin: 0 0 0 1.25em; }
+ .wrapped-source p { margin: 0 0 0 1.25em; text-indent: -1.25em; }
+ </style><style type="text/css">
+ p.notice {
+ border: 1px solid rgb(255, 0, 0);
+ background-color: rgb(238, 238, 238);
+ color: rgb(0, 51, 102);
+ padding: 0.5em;
+ margin: 1em 2em 1em 1em;
+ }
+ </style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
+ The Apache Tomcat Servlet/JSP Container
+ " border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 8</font></h1><font face="arial,helvetica,sanserif">Version 8.0.0-dev, Dec 5 2012</font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a href="index.html">Config Ref. Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User Comments</a></li></ul><p><strong>Top Level Elements</strong></p><ul><li><a href="server.html">Server</a></li><li><a href="service.html">Service</a></li></ul><p><strong>Executors</strong></p><ul><li><a href="executor.html">Executo
r</a></li></ul><p><strong>Connectors</strong></p><ul><li><a href="http.html">HTTP</a></li><li><a href="ajp.html">AJP</a></li></ul><p><strong>Containers</strong></p><ul><li><a href="context.html">Context</a></li><li><a href="engine.html">Engine</a></li><li><a href="host.html">Host</a></li><li><a href="cluster.html">Cluster</a></li></ul><p><strong>Nested Components</strong></p><ul><li><a href="globalresources.html">Global Resources</a></li><li><a href="jar-scanner.html">JarScanner</a></li><li><a href="listeners.html">Listeners</a></li><li><a href="loader.html">Loader</a></li><li><a href="manager.html">Manager</a></li><li><a href="realm.html">Realm</a></li><li><a href="resources.html">Resources</a></li><li><a href="valve.html">Valve</a></li></ul><p><strong>Cluster Elements</strong></p><ul><li><a href="cluster.html">Cluster</a></li><li><a href="cluster-manager.html">Manager</a></li><li><a href="cluster-channel.html">Channel</a></li><li><a href="cluster-membership.html">Channel/M
embership</a></li><li><a href="cluster-sender.html">Channel/Sender</a></li><li><a href="cluster-receiver.html">Channel/Receiver</a></li><li><a href="cluster-interceptor.html">Channel/Interceptor</a></li><li><a href="cluster-valve.html">Valve</a></li><li><a href="cluster-deployer.html">Deployer</a></li><li><a href="cluster-listener.html">ClusterListener</a></li></ul><p><strong>Other</strong></p><ul><li><a href="filter.html">Filter</a></li><li><a href="systemprops.html">System properties</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody"><h1>Container Provided Filters</h1><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Table of Contents"><!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td></tr><tr><td><blockquote>
+<ul><li><a href="#Introduction">Introduction</a></li><li><a href="#Add_Default_Character_Set_Filter">Add Default Character Set Filter</a><ol><li><a href="#Add_Default_Character_Set_Filter/Introduction">Introduction</a></li><li><a href="#Add_Default_Character_Set_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#Add_Default_Character_Set_Filter/Initialisation_parameters">Initialisation parameters</a></li></ol></li><li><a href="#CSRF_Prevention_Filter">CSRF Prevention Filter</a><ol><li><a href="#CSRF_Prevention_Filter/Introduction">Introduction</a></li><li><a href="#CSRF_Prevention_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#CSRF_Prevention_Filter/Initialisation_parameters">Initialisation parameters</a></li></ol></li><li><a href="#Expires_Filter">Expires Filter</a><ol><li><a href="#Expires_Filter/Introduction">Introduction</a></li><li><a href="#Basic_configuration_sample">Basic configuration sample</a></li><li><a href="#Alternate_Syntax">A
lternate Syntax</a></li><li><a href="#Expiration_headers_generation_eligibility">Expiration headers generation eligibility</a></li><li><a href="#Expiration_configuration_selection">Expiration configuration selection</a></li><li><a href="#Expires_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#Expires_Filter/Initialisation_parameters">Initialisation parameters</a></li><li><a href="#Troubleshooting">Troubleshooting</a></li></ol></li><li><a href="#Remote_Address_Filter">Remote Address Filter</a><ol><li><a href="#Remote_Address_Filter/Introduction">Introduction</a></li><li><a href="#Remote_Address_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#Remote_Address_Filter/Initialisation_parameters">Initialisation parameters</a></li><li><a href="#Example">Example</a></li></ol></li><li><a href="#Remote_Host_Filter">Remote Host Filter</a><ol><li><a href="#Remote_Host_Filter/Introduction">Introduction</a></li><li><a href="#Remote_Host_Filter/Filter_Clas
s_Name">Filter Class Name</a></li><li><a href="#Remote_Host_Filter/Initialisation_parameters">Initialisation parameters</a></li></ol></li><li><a href="#Remote_IP_Filter">Remote IP Filter</a><ol><li><a href="#Remote_IP_Filter/Introduction">Introduction</a></li><li><a href="#Remote_IP_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#Basic_configuration_to_handle_'x-forwarded-for'">Basic configuration to handle 'x-forwarded-for'</a></li><li><a href="#Basic_configuration_to_handle_'x-forwarded-for'_and_'x-forwarded-proto'">Basic configuration to handle 'x-forwarded-for' and 'x-forwarded-proto'</a></li><li><a href="#Advanced_configuration_with_internal_proxies">Advanced configuration with internal proxies</a></li><li><a href="#Advanced_configuration_with_trusted_proxies">Advanced configuration with trusted proxies</a></li><li><a href="#Advanced_configuration_with_internal_and_trusted_proxies">Advanced configuration with internal and trusted proxies</a></li><li><a
href="#Advanced_configuration_with_an_untrusted_proxy">Advanced configuration with an untrusted proxy</a></li><li><a href="#Remote_IP_Filter/Initialisation_parameters">Initialisation parameters</a></li></ol></li><li><a href="#Request_Dumper_Filter">Request Dumper Filter</a><ol><li><a href="#Request_Dumper_Filter/Introduction">Introduction</a></li><li><a href="#Request_Dumper_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#Request_Dumper_Filter/Initialisation_parameters">Initialisation parameters</a></li><li><a href="#Sample_Configuration">Sample Configuration</a></li></ol></li><li><a href="#Set_Character_Encoding_Filter">Set Character Encoding Filter</a><ol><li><a href="#Set_Character_Encoding_Filter/Introduction">Introduction</a></li><li><a href="#Set_Character_Encoding_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#Set_Character_Encoding_Filter/Initialisation_parameters">Initialisation parameters</a></li></ol></li><li><a href="#WebDAV_
Fix_Filter">WebDAV Fix Filter</a><ol><li><a href="#WebDAV_Fix_Filter/Introduction">Introduction</a></li><li><a href="#WebDAV_Fix_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#WebDAV_Fix_Filter/Initialisation_parameters">Initialisation parameters</a></li></ol></li><li><a href="#Failed_Request_Filter">Failed Request Filter</a><ol><li><a href="#Failed_Request_Filter/Introduction">Introduction</a></li><li><a href="#Failed_Request_Filter/Filter_Class_Name">Filter Class Name</a></li><li><a href="#Failed_Request_Filter/Initialisation_parameters">Initialisation parameters</a></li></ol></li></ul>
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>Tomcat provides a number of <strong>Filters</strong> which may be
+ configured for use with all web applications using
+ <code>$CATALINA_BASE/conf/web.xml</code> or may be configured for individual
+ web applications by configuring them in the application's
+ <code>WEB-INF/web.xml</code>. Each filter is described below.</p>
+
+ <blockquote><em>
+ <p>This description uses the variable name $CATALINA_BASE to refer the
+ base directory against which most relative paths are resolved. If you have
+ not configured Tomcat for multiple instances by setting a CATALINA_BASE
+ directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
+ the directory into which you have installed Tomcat.</p>
+ </em></blockquote>
+
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Add Default Character Set Filter"><!--()--></a><a name="Add_Default_Character_Set_Filter"><strong>Add Default Character Set Filter</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Add Default Character Set Filter/Introduction"><!--()--></a><a name="Add_Default_Character_Set_Filter/Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The HTTP specification is clear that if no character set is specified for
+ media sub-types of the "text" media type, the ISO-8859-1 character set must
+ be used. However, browsers may attempt to auto-detect the character set.
+ This may be exploited by an attacker to perform an XSS attack. Internet
+ Explorer has this behaviour by default. Other browsers have an option to
+ enable it.</p>
+
+ <p>This filter prevents the attack by explicitly setting a character set.
+ Unless the provided character set is explicitly overridden by the user the
+ browser will adhere to the explicitly set character set, thus preventing the
+ XSS attack.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Add Default Character Set Filter/Filter Class Name"><!--()--></a><a name="Add_Default_Character_Set_Filter/Filter_Class_Name"><strong>Filter Class Name</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The filter class name for the Add Default Character Set Filter is
+ <strong><code>org.apache.catalina.filters.AddDefaultCharsetFilter</code>
+ </strong>.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Add Default Character Set Filter/Initialisation parameters"><!--()--></a><a name="Add_Default_Character_Set_Filter/Initialisation_parameters"><strong>Initialisation parameters</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The Add Default Character Set Filter supports the following initialization
+ parameters:</p>
+
+ <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code class="attributeName">encoding</code></td><td align="left" valign="center">
+ <p>Name of the character set which should be set, if no other character set
+ was set explicitly by a Servlet. This parameter has two special values
+ <code>default</code> and <code>system</code>. A value of <code>system</code>
+ uses the JVM wide default character set, which is usually set by locale.
+ A value of <code>default</code> will use <strong>ISO-8859-1</strong>.</p>
+ </td></tr></table>
+
+ </blockquote></td></tr></table>
+
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="CSRF Prevention Filter"><!--()--></a><a name="CSRF_Prevention_Filter"><strong>CSRF Prevention Filter</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="CSRF Prevention Filter/Introduction"><!--()--></a><a name="CSRF_Prevention_Filter/Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>This filter provides basic CSRF protection for a web application. The
+ filter assumes that it is mapped to <code>/*</code> and that all URLs
+ returned to the client are encoded via a call to
+ <code>HttpServletResponse#encodeRedirectURL(String)</code> or
+ <code>HttpServletResponse#encodeURL(String)</code>.</p>
+
+ <p>This filter prevents CSRF by generating a nonce and storing it in the
+ session. URLs are also encoded with the same nonce. When the next request is
+ received the nonce in the request is compared to the nonce in the session
+ and only if they are the same is the request allowed to continue.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="CSRF Prevention Filter/Filter Class Name"><!--()--></a><a name="CSRF_Prevention_Filter/Filter_Class_Name"><strong>Filter Class Name</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The filter class name for the CSRF Prevention Filter is
+ <strong><code>org.apache.catalina.filters.CsrfPreventionFilter</code>
+ </strong>.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="CSRF Prevention Filter/Initialisation parameters"><!--()--></a><a name="CSRF_Prevention_Filter/Initialisation_parameters"><strong>Initialisation parameters</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The CSRF Prevention Filter supports the following initialisation
+ parameters:</p>
+
+ <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code class="attributeName">denyStatus</code></td><td align="left" valign="center">
+ <p>HTTP response status code that is used when rejecting denied
+ request. The default value is <code>403</code>.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">entryPoints</code></td><td align="left" valign="center">
+ <p>A comma separated list of URLs that will not be tested for the
+ presence of a valid nonce. They are used to provide a way to navigate
+ back to a protected application after having navigated away from it.
+ Entry points will be limited to HTTP GET requests and should not trigger
+ any security sensitive actions.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">nonceCacheSize</code></td><td align="left" valign="center">
+ <p>The number of previously issued nonces that will be cached on a LRU
+ basis to support parallel requests, limited use of the refresh and back
+ in the browser and similar behaviors that may result in the submission
+ of a previous nonce rather than the current one. If not set, the default
+ value of 5 will be used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">randomClass</code></td><td align="left" valign="center">
+ <p>The name of the class to use to generate nonces. The class must be an
+ instance of <code>java.util.Random</code>. If not set, the default value
+ of <code>java.security.SecureRandom</code> will be used.</p>
+ </td></tr></table>
+
+ </blockquote></td></tr></table>
+
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Expires Filter"><!--()--></a><a name="Expires_Filter"><strong>Expires Filter</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Expires Filter/Introduction"><!--()--></a><a name="Expires_Filter/Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>
+ ExpiresFilter is a Java Servlet API port of <a href="http://httpd.apache.org/docs/2.2/mod/mod_expires.html">Apache
+ mod_expires</a>.
+ This filter controls the setting of the <code>Expires</code> HTTP header and the
+ <code>max-age</code> directive of the <code>Cache-Control</code> HTTP header in
+ server responses. The expiration date can set to be relative to either the
+ time the source file was last modified, or to the time of the client access.
+ </p>
+
+ <p>
+ These HTTP headers are an instruction to the client about the document's
+ validity and persistence. If cached, the document may be fetched from the
+ cache rather than from the source until this time has passed. After that, the
+ cache copy is considered "expired" and invalid, and a new copy must
+ be obtained from the source.
+ </p>
+ <p>
+ To modify <code>Cache-Control</code> directives other than <code>max-age</code> (see
+ <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9">RFC
+ 2616 section 14.9</a>), you can use other servlet filters or <a href="http://httpd.apache.org/docs/2.2/mod/mod_headers.html">Apache Httpd
+ mod_headers</a> module.
+ </p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Basic configuration sample"><!--()--></a><a name="Basic_configuration_sample"><strong>Basic configuration sample</strong></a></font></td></tr><tr><td><blockquote>
+ <p>
+ Basic configuration to add '<code>Expires</code>' and '<code>Cache-Control: max-age=</code>'
+ headers to images, css and javascript.
+ </p>
+
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+<filter>
+ <filter-name>ExpiresFilter</filter-name>
+ <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
+ <init-param>
+ <param-name>ExpiresByType image</param-name>
+ <param-value>access plus 10 minutes</param-value>
+ </init-param>
+ <init-param>
+ <param-name>ExpiresByType text/css</param-name>
+ <param-value>access plus 10 minutes</param-value>
+ </init-param>
+ <init-param>
+ <param-name>ExpiresByType application/javascript</param-name>
+ <param-value>access plus 10 minutes</param-value>
+ </init-param>
+</filter>
+...
+<filter-mapping>
+ <filter-name>ExpiresFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ <dispatcher>REQUEST</dispatcher>
+</filter-mapping>
+
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Alternate Syntax"><!--()--></a><a name="Alternate_Syntax"><strong>Alternate Syntax</strong></a></font></td></tr><tr><td><blockquote>
+ <p>
+ The <code>ExpiresDefault</code> and <code>ExpiresByType</code> directives can also be
+ defined in a more readable syntax of the form:
+ </p>
+
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+<init-param>
+ <param-name>ExpiresDefault</param-name>
+ <param-value><base> [plus] {<num> <type>}*</param-value>
+</init-param>
+
+<init-param>
+ <param-name>ExpiresByType type</param-name>
+ <param-value><base> [plus] {<num> <type>}*</param-value>
+</init-param>
+
+<init-param>
+ <param-name>ExpiresByType type;encoding</param-name>
+ <param-value><base> [plus] {<num> <type>}*</param-value>
+</init-param>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>
+ where <code><base></code> is one of:
+ <ul>
+ <li><code>access</code></li>
+ <li><code>now</code> (equivalent to '<code>access</code>')</li>
+ <li><code>modification</code></li>
+ </ul>
+ </p>
+ <p>
+ The <code>plus</code> keyword is optional. <code><num></code> should be an
+ integer value (acceptable to <code>Integer.parseInt()</code>), and
+ <code><type></code> is one of:
+ <ul>
+ <li><code>years</code></li>
+ <li><code>months</code></li>
+ <li><code>weeks</code></li>
+ <li><code>days</code></li>
+ <li><code>hours</code></li>
+ <li><code>minutes</code></li>
+ <li><code>seconds</code></li>
+ </ul>
+ For example, any of the following directives can be used to make documents
+ expire 1 month after being accessed, by default:
+ </p>
+
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+<init-param>
+ <param-name>ExpiresDefault</param-name>
+ <param-value>access plus 1 month</param-value>
+</init-param>
+
+<init-param>
+ <param-name>ExpiresDefault</param-name>
+ <param-value>access plus 4 weeks</param-value>
+</init-param>
+
+<init-param>
+ <param-name>ExpiresDefault</param-name>
+ <param-value>access plus 30 days</param-value>
+</init-param>
+</pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+<p>
+The expiry time can be fine-tuned by adding several '
+<code><num> <type></code>' clauses:
+</p>
+
+<div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+<init-param>
+ <param-name>ExpiresByType text/html</param-name>
+ <param-value>access plus 1 month 15 days 2 hours</param-value>
+</init-param>
+
+<init-param>
+ <param-name>ExpiresByType image/gif</param-name>
+ <param-value>modification plus 5 hours 3 minutes</param-value>
+</init-param>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>
+ Note that if you use a modification date based setting, the <code>Expires</code>
+ header will <strong>not</strong> be added to content that does not come from
+ a file on disk. This is due to the fact that there is no modification time
+ for such content.
+ </p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Expiration headers generation eligibility"><!--()--></a><a name="Expiration_headers_generation_eligibility"><strong>Expiration headers generation eligibility</strong></a></font></td></tr><tr><td><blockquote>
+ <p>
+ A response is eligible to be enriched by <code>ExpiresFilter</code> if :
+ <ol>
+ <li>no expiration header is defined (<code>Expires</code> header or the
+ <code>max-age</code> directive of the <code>Cache-Control</code> header),</li>
+ <li>the response status code is not excluded by the directive
+ <code>ExpiresExcludedResponseStatusCodes</code>,</li>
+ <li>the <code>Content-Type</code> of the response matches one of the types
+ defined the in <code>ExpiresByType</code> directives or the
+ <code>ExpiresDefault</code> directive is defined.</li>
+ </ol>
+ </p>
+ <p>
+ Note : If <code>Cache-Control</code> header contains other directives than
+ <code>max-age</code>, they are concatenated with the <code>max-age</code> directive
+ that is added by the <code>ExpiresFilter</code>.
+ </p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Expiration configuration selection"><!--()--></a><a name="Expiration_configuration_selection"><strong>Expiration configuration selection</strong></a></font></td></tr><tr><td><blockquote>
+ <p>
+ The expiration configuration if elected according to the following algorithm:
+ <ol>
+ <li><code>ExpiresByType</code> matching the exact content-type returned by
+ <code>HttpServletResponse.getContentType()</code> possibly including the charset
+ (e.g. '<code>text/xml;charset=UTF-8</code>'),</li>
+ <li><code>ExpiresByType</code> matching the content-type without the charset if
+ <code>HttpServletResponse.getContentType()</code> contains a charset (e.g. '
+ <code>text/xml;charset=UTF-8</code>' -> '<code>text/xml</code>'),</li>
+ <li><code>ExpiresByType</code> matching the major type (e.g. substring before
+ '<code>/</code>') of <code>HttpServletResponse.getContentType()</code>
+ (e.g. '<code>text/xml;charset=UTF-8</code>' -> '<code>text</code>
+ '),</li>
+ <li><code>ExpiresDefault</code></li>
+ </ol>
+ </p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Expires Filter/Filter Class Name"><!--()--></a><a name="Expires_Filter/Filter_Class_Name"><strong>Filter Class Name</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The filter class name for the Expires Filter is
+ <strong><code>org.apache.catalina.filters.ExpiresFilter</code>
+ </strong>.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Expires Filter/Initialisation parameters"><!--()--></a><a name="Expires_Filter/Initialisation_parameters"><strong>Initialisation parameters</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The <strong>Expires Filter</strong> supports the following
+ initialisation parameters:</p>
+
+ <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code class="attributeName">ExpiresExcludedResponseStatusCodes</code></td><td align="left" valign="center">
+ <p>
+ This directive defines the http response status codes for which the
+ <code>ExpiresFilter</code> will not generate expiration headers. By default, the
+ <code>304</code> status code ("<code>Not modified</code>") is skipped. The
+ value is a comma separated list of http status codes.
+ </p>
+ <p>
+ This directive is useful to ease usage of <code>ExpiresDefault</code> directive.
+ Indeed, the behavior of <code>304 Not modified</code> (which does specify a
+ <code>Content-Type</code> header) combined with <code>Expires</code> and
+ <code>Cache-Control:max-age=</code> headers can be unnecessarily tricky to
+ understand.
+ </p>
+ <p><i>See sample below the table</i></p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">ExpiresByType <content-type></code></td><td align="left" valign="center">
+ <p>
+ This directive defines the value of the <code>Expires</code> header and the
+ <code>max-age</code> directive of the <code>Cache-Control</code> header generated for
+ documents of the specified type (<i>e.g.</i>, <code>text/html</code>). The second
+ argument sets the number of seconds that will be added to a base time to
+ construct the expiration date. The <code>Cache-Control: max-age</code> is
+ calculated by subtracting the request time from the expiration date and
+ expressing the result in seconds.
+ </p>
+ <p>
+ The base time is either the last modification time of the file, or the time
+ of the client's access to the document. Which should be used is
+ specified by the <code><code></code> field; <code>M</code> means that the
+ file's last modification time should be used as the base time, and
+ <code>A</code> means the client's access time should be used. The duration
+ is expressed in seconds. <code>A2592000</code> stands for
+ <code>access plus 30 days</code> in alternate syntax.
+ </p>
+ <p>
+ The difference in effect is subtle. If <code>M</code> (<code>modification</code> in
+ alternate syntax) is used, all current copies of the document in all caches
+ will expire at the same time, which can be good for something like a weekly
+ notice that's always found at the same URL. If <code>A</code> (
+ <code>access</code> or <code>now</code> in alternate syntax) is used, the date of
+ expiration is different for each client; this can be good for image files
+ that don't change very often, particularly for a set of related
+ documents that all refer to the same images (<i>i.e.</i>, the images will be
+ accessed repeatedly within a relatively short timespan).
+ </p>
+ <p>
+ <strong>Note:</strong> When the content type includes a charset (e.g.
+ <code>'ExpiresByType text/xml;charset=utf-8'</code>), Tomcat removes blank chars
+ between the '<code>;</code>' and the '<code>charset</code>' keyword. Due to this,
+ configuration of an expiration with a charset must <strong>not</strong> include
+ such a space character.
+ </p>
+ <p><i>See sample below the table</i></p>
+ <p>
+ It overrides, for the specified MIME type <i>only</i>, any
+ expiration date set by the <code>ExpiresDefault</code> directive.
+ </p>
+ <p>
+ You can also specify the expiration time calculation using an alternate
+ syntax, described earlier in this document.
+ </p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">ExpiresDefault</code></td><td align="left" valign="center">
+ <p>
+ This directive sets the default algorithm for calculating the
+ expiration time for all documents in the affected realm. It can be
+ overridden on a type-by-type basis by the <code>ExpiresByType</code> directive. See the
+ description of that directive for details about the syntax of the
+ argument, and the "alternate syntax"
+ description as well.
+ </p>
+ </td></tr></table>
+
+ <p><i>Sample : exclude response status codes 302, 500 and 503</i></p>
+
+<div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+<init-param>
+ <param-name>ExpiresExcludedResponseStatusCodes</param-name>
+ <param-value>302, 500, 503</param-value>
+</init-param>
+</pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+
+ <p><i>Sample for ExpiresByType initialization parameter</i></p>
+
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+<init-param>
+ <param-name>ExpiresByType text/html</param-name>
+ <param-value>access plus 1 month 15 days 2 hours</param-value>
+</init-param>
+
+<init-param>
+ <!-- 2592000 seconds = 30 days -->
+ <param-name>ExpiresByType image/gif</param-name>
+ <param-value>A2592000</param-value>
+</init-param>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Troubleshooting"><strong>Troubleshooting</strong></a></font></td></tr><tr><td><blockquote>
+ <p>
+ To troubleshoot, enable logging on the
+ <code>org.apache.catalina.filters.ExpiresFilter</code>.
+ </p>
+ <p>
+ Extract of logging.properties
+ </p>
+
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+org.apache.catalina.filters.ExpiresFilter.level = FINE
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>
+ Sample of initialization log message:
+ </p>
+
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+Mar 26, 2010 2:01:41 PM org.apache.catalina.filters.ExpiresFilter init
+FINE: Filter initialized with configuration ExpiresFilter[
+ excludedResponseStatusCode=[304],
+ default=null,
+ byType={
+ image=ExpiresConfiguration[startingPoint=ACCESS_TIME, duration=[10 MINUTE]],
+ text/css=ExpiresConfiguration[startingPoint=ACCESS_TIME, duration=[10 MINUTE]],
+ text/javascript=ExpiresConfiguration[startingPoint=ACCESS_TIME, duration=[10 MINUTE]]}]
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>
+ Sample of per-request log message where <code>ExpiresFilter</code> adds an
+ expiration date is below. The message is on one line and is wrapped here
+ for better readability.
+ </p>
+
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+Mar 26, 2010 2:09:47 PM org.apache.catalina.filters.ExpiresFilter onBeforeWriteResponseBody
+FINE: Request "/tomcat.gif" with response status "200"
+ content-type "image/gif", set expiration date 3/26/10 2:19 PM
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>
+ Sample of per-request log message where <code>ExpiresFilter</code> does not add
+ an expiration date:
+ </p>
+
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+Mar 26, 2010 2:10:27 PM org.apache.catalina.filters.ExpiresFilter onBeforeWriteResponseBody
+FINE: Request "/docs/config/manager.html" with response status "200"
+ content-type "text/html", no expiration configured
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ </blockquote></td></tr></table>
+
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote Address Filter"><!--()--></a><a name="Remote_Address_Filter"><strong>Remote Address Filter</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote Address Filter/Introduction"><!--()--></a><a name="Remote_Address_Filter/Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The <strong>Remote Address Filter</strong> allows you to compare the
+ IP address of the client that submitted this request against one or more
+ <em>regular expressions</em>, and either allow the request to continue
+ or refuse to process the request from this client. </p>
+
+ <p>The syntax for <em>regular expressions</em> is different than that for
+ 'standard' wildcard matching. Tomcat uses the <code>java.util.regex</code>
+ package. Please consult the Java documentation for details of the
+ expressions supported.</p>
+
+ <p><strong>Note:</strong> There is a caveat when using this filter with
+ IPv6 addresses. Format of the IP address that this valve is processing
+ depends on the API that was used to obtain it. If the address was obtained
+ from Java socket using Inet6Address class, its format will be
+ <code>x:x:x:x:x:x:x:x</code>. That is, the IP address for localhost
+ will be <code>0:0:0:0:0:0:0:1</code> instead of the more widely used
+ <code>::1</code>. Consult your access logs for the actual value.</p>
+
+ <p>See also: <a href="#Remote_Host_Filter">Remote Host Filter</a>.</p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote Address Filter/Filter Class Name"><!--()--></a><a name="Remote_Address_Filter/Filter_Class_Name"><strong>Filter Class Name</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The filter class name for the Remote Address Filter is
+ <strong><code>org.apache.catalina.filters.RemoteAddrFilter</code>
+ </strong>.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote Address Filter/Initialisation parameters"><!--()--></a><a name="Remote_Address_Filter/Initialisation_parameters"><strong>Initialisation parameters</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The <strong>Remote Address Filter</strong> supports the following
+ initialisation parameters:</p>
+
+ <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code class="attributeName">allow</code></td><td align="left" valign="center">
+ <p>A regular expression (using <code>java.util.regex</code>) that the
+ remote client's IP address is compared to. If this attribute
+ is specified, the remote address MUST match for this request to be
+ accepted. If this attribute is not specified, all requests will be
+ accepted UNLESS the remote address matches a <code>deny</code>
+ pattern.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">deny</code></td><td align="left" valign="center">
+ <p>A regular expression (using <code>java.util.regex</code>) that the
+ remote client's IP address is compared to. If this attribute
+ is specified, the remote address MUST NOT match for this request to be
+ accepted. If this attribute is not specified, request acceptance is
+ governed solely by the <code>accept</code> attribute.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">denyStatus</code></td><td align="left" valign="center">
+ <p>HTTP response status code that is used when rejecting denied
+ request. The default value is <code>403</code>. For example,
+ it can be set to the value <code>404</code>.</p>
+ </td></tr></table>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Example"><strong>Example</strong></a></font></td></tr><tr><td><blockquote>
+ <p>To allow access only for the clients connecting from localhost:</p>
+<div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+ <filter>
+ <filter-name>Remote Address Filter</filter-name>
+ <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
+ <init-param>
+ <param-name>allow</param-name>
+ <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
+ </init-param>
+ </filter>
+ <filter-mapping>
+ <filter-name>Remote Address Filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+</pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ </blockquote></td></tr></table>
+
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote Host Filter"><!--()--></a><a name="Remote_Host_Filter"><strong>Remote Host Filter</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote Host Filter/Introduction"><!--()--></a><a name="Remote_Host_Filter/Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The <strong>Remote Host Filter</strong> allows you to compare the
+ hostname of the client that submitted this request against one or more
+ <em>regular expressions</em>, and either allow the request to continue
+ or refuse to process the request from this client. </p>
+
+ <p>The syntax for <em>regular expressions</em> is different than that for
+ 'standard' wildcard matching. Tomcat uses the <code>java.util.regex</code>
+ package. Please consult the Java documentation for details of the
+ expressions supported.</p>
+
+ <p><strong>Note:</strong> This filter processes the value returned by
+ method <code>ServletRequest.getRemoteHost()</code>. To allow the method
+ to return proper host names, you have to enable "DNS lookups" feature on
+ a <strong>Connector</strong>.</p>
+
+ <p>See also: <a href="#Remote_Address_Filter">Remote Address Filter</a>,
+ <a href="http.html">HTTP Connector</a> configuration.</p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote Host Filter/Filter Class Name"><!--()--></a><a name="Remote_Host_Filter/Filter_Class_Name"><strong>Filter Class Name</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The filter class name for the Remote Address Filter is
+ <strong><code>org.apache.catalina.filters.RemoteHostFilter</code>
+ </strong>.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote Host Filter/Initialisation parameters"><!--()--></a><a name="Remote_Host_Filter/Initialisation_parameters"><strong>Initialisation parameters</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The <strong>Remote Host Filter</strong> supports the following
+ initialisation parameters:</p>
+
+ <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code class="attributeName">allow</code></td><td align="left" valign="center">
+ <p>A regular expression (using <code>java.util.regex</code>) that the
+ remote client's hostname is compared to. If this attribute
+ is specified, the remote hostname MUST match for this request to be
+ accepted. If this attribute is not specified, all requests will be
+ accepted UNLESS the remote hostname matches a <code>deny</code>
+ pattern.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">deny</code></td><td align="left" valign="center">
+ <p>A regular expression (using <code>java.util.regex</code>) that the
+ remote client's hostname is compared to. If this attribute
+ is specified, the remote hostname MUST NOT match for this request to be
+ accepted. If this attribute is not specified, request acceptance is
+ governed solely by the <code>accept</code> attribute.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">denyStatus</code></td><td align="left" valign="center">
+ <p>HTTP response status code that is used when rejecting denied
+ request. The default value is <code>403</code>. For example,
+ it can be set to the value <code>404</code>.</p>
+ </td></tr></table>
+
+ </blockquote></td></tr></table>
+
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote IP Filter"><!--()--></a><a name="Remote_IP_Filter"><strong>Remote IP Filter</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote IP Filter/Introduction"><!--()--></a><a name="Remote_IP_Filter/Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>Tomcat port of
+ <a href="http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html">mod_remoteip</a>,
+ this filter replaces the apparent client remote IP address and hostname for
+ the request with the IP address list presented by a proxy or a load balancer
+ via a request headers (e.g. "X-Forwarded-For").</p>
+
+ <p>Another feature of this filter is to replace the apparent scheme
+ (http/https), server port and <code>request.secure</code> with the scheme presented
+ by a proxy or a load balancer via a request header
+ (e.g. "X-Forwarded-Proto").</p>
+
+ <p>If used in conjunction with Remote Address/Host filters then this filter
+ should be defined first to ensure that the correct client IP address is
+ presented to the Remote Address/Host filters.</p>
+
+ <p><strong>Note:</strong> By default this filter has no effect on the
+ values that are written into access log. The original values are restored
+ when request processing leaves the filter and that always happens earlier
+ than access logging. To pass the remote address, remote host, server port
+ and protocol values set by this filter to the access log,
+ they are put into request attributes. Publishing these values here
+ is enabled by default, but <code>AccessLogValve</code> should be explicitly
+ configured to use them. See documentation for
+ <code>requestAttributesEnabled</code> attribute of
+ <code>AccessLogValve</code>.</p>
+
+ <p>The names of request attributes that are set by this filter
+ and can be used by access logging are the following:</p>
+
+ <ul>
+ <li><code>org.apache.catalina.AccessLog.RemoteAddr</code></li>
+ <li><code>org.apache.catalina.AccessLog.RemoteHost</code></li>
+ <li><code>org.apache.catalina.AccessLog.Protocol</code></li>
+ <li><code>org.apache.catalina.AccessLog.ServerPort</code></li>
+ </ul>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote IP Filter/Filter Class Name"><!--()--></a><a name="Remote_IP_Filter/Filter_Class_Name"><strong>Filter Class Name</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The filter class name for the Remote IP Filter is
+ <strong><code>org.apache.catalina.filters.RemoteIpFilter</code>
+ </strong>.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Basic configuration to handle 'x-forwarded-for'"><!--()--></a><a name="Basic_configuration_to_handle_'x-forwarded-for'"><strong>Basic configuration to handle 'x-forwarded-for'</strong></a></font></td></tr><tr><td><blockquote>
+ <p>
+ The filter will process the <code>x-forwarded-for</code> http header.
+ </p>
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+ <filter>
+ <filter-name>RemoteIpFilter</filter-name>
+ <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>RemoteIpFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ <dispatcher>REQUEST</dispatcher>
+ </filter-mapping>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Basic configuration to handle 'x-forwarded-for' and 'x-forwarded-proto'"><!--()--></a><a name="Basic_configuration_to_handle_'x-forwarded-for'_and_'x-forwarded-proto'"><strong>Basic configuration to handle 'x-forwarded-for' and 'x-forwarded-proto'</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>
+ The filter will process <code>x-forwarded-for</code> and
+ <code>x-forwarded-proto</code> http headers. Expected value for the
+ <code>x-forwarded-proto</code> header in case of SSL connections is
+ <code>https</code> (case insensitive). </p>
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+ <filter>
+ <filter-name>RemoteIpFilter</filter-name>
+ <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ <init-param>
+ <param-name>protocolHeader</param-name>
+ <param-value>x-forwarded-proto</param-value>
+ </init-param>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>RemoteIpFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ <dispatcher>REQUEST</dispatcher>
+ </filter-mapping>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Advanced configuration with internal proxies"><!--()--></a><a name="Advanced_configuration_with_internal_proxies"><strong>Advanced configuration with internal proxies</strong></a></font></td></tr><tr><td><blockquote>
+ <p>RemoteIpFilter configuration: </p>
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+ <filter>
+ <filter-name>RemoteIpFilter</filter-name>
+ <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ <init-param>
+ <param-name>allowedInternalProxies</param-name>
+ <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
+ </init-param>
+ <init-param>
+ <param-name>remoteIpHeader</param-name>
+ <param-value>x-forwarded-for</param-value>
+ </init-param>
+ <init-param>
+ <param-name>remoteIpProxiesHeader</param-name>
+ <param-value>x-forwarded-by</param-value>
+ </init-param>
+ <init-param>
+ <param-name>protocolHeader</param-name>
+ <param-value>x-forwarded-proto</param-value>
+ </init-param>
+ </filter>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>Request values:
+ <table border="1" cellpadding="5">
+ <tr>
+ <th bgcolor="#023264"><font color="#ffffff">Property</font></th>
+ <th bgcolor="#023264"><font color="#ffffff">Value Before RemoteIpFilter</font></th>
+ <th bgcolor="#023264"><font color="#ffffff">Value After RemoteIpFilter</font></th>
+ </tr>
+ <tr>
+ <td> request.remoteAddr </td>
+ <td> 192.168.0.10 </td>
+ <td> 140.211.11.130 </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-for'<code>]</code> </td>
+ <td> 140.211.11.130, 192.168.0.10 </td>
+ <td> null </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-by'<code>]</code> </td>
+ <td> null </td>
+ <td> null </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-proto'<code>]</code> </td>
+ <td> https </td>
+ <td> https </td>
+ </tr>
+ <tr>
+ <td> request.scheme </td>
+ <td> http </td>
+ <td> https </td>
+ </tr>
+ <tr>
+ <td> request.secure </td>
+ <td> false </td>
+ <td> true </td>
+ </tr>
+ <tr>
+ <td> request.serverPort </td>
+ <td> 80 </td>
+ <td> 443 </td>
+ </tr>
+ </table>
+ </p>
+ <p>
+ Note : <code>x-forwarded-by</code> header is <code>null</code> because only
+ internal proxies has been traversed by the request.
+ <code>x-forwarded-for</code> is <code>null</code> because all the proxies are
+ trusted or internal.
+ </p>
+ </blockquote></td></tr></table>
+
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Advanced configuration with trusted proxies"><!--()--></a><a name="Advanced_configuration_with_trusted_proxies"><strong>Advanced configuration with trusted proxies</strong></a></font></td></tr><tr><td><blockquote>
+ <p>RemoteIpFilter configuration: </p>
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+ <filter>
+ <filter-name>RemoteIpFilter</filter-name>
+ <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ <init-param>
+ <param-name>allowedInternalProxies</param-name>
+ <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
+ </init-param>
+ <init-param>
+ <param-name>remoteIpHeader</param-name>
+ <param-value>x-forwarded-for</param-value>
+ </init-param>
+ <init-param>
+ <param-name>remoteIpProxiesHeader</param-name>
+ <param-value>x-forwarded-by</param-value>
+ </init-param>
+ <init-param>
+ <param-name>trustedProxies</param-name>
+ <param-value>proxy1|proxy2</param-value>
+ </init-param>
+ </filter>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>Request values: <table border="1" cellpadding="5">
+ <tr>
+ <th bgcolor="#023264"><font color="#ffffff">Property</font></th>
+ <th bgcolor="#023264"><font color="#ffffff">Value Before RemoteIpFilter</font></th>
+ <th bgcolor="#023264"><font color="#ffffff">Value After RemoteIpFilter</font></th>
+ </tr>
+ <tr>
+ <td> request.remoteAddr </td>
+ <td> 192.168.0.10 </td>
+ <td> 140.211.11.130 </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-for'<code>]</code> </td>
+ <td> 140.211.11.130, proxy1, proxy2 </td>
+ <td> null </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-by'<code>]</code> </td>
+ <td> null </td>
+ <td> proxy1, proxy2 </td>
+ </tr>
+ </table>
+ </p>
+ <p>
+ Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that
+ come in <code>x-forwarded-for</code> header, they both are migrated in
+ <code>x-forwarded-by</code> header. <code>x-forwarded-for</code> is <code>null</code>
+ because all the proxies are trusted or internal.
+ </p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Advanced configuration with internal and trusted proxies"><!--()--></a><a name="Advanced_configuration_with_internal_and_trusted_proxies"><strong>Advanced configuration with internal and trusted proxies</strong></a></font></td></tr><tr><td><blockquote>
+ <p>RemoteIpFilter configuration: </p>
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+ <filter>
+ <filter-name>RemoteIpFilter</filter-name>
+ <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ <init-param>
+ <param-name>allowedInternalProxies</param-name>
+ <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
+ </init-param>
+ <init-param>
+ <param-name>remoteIpHeader</param-name>
+ <param-value>x-forwarded-for</param-value>
+ </init-param>
+ <init-param>
+ <param-name>remoteIpProxiesHeader</param-name>
+ <param-value>x-forwarded-by</param-value>
+ </init-param>
+ <init-param>
+ <param-name>trustedProxies</param-name>
+ <param-value>proxy1|proxy2</param-value>
+ </init-param>
+ </filter>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>Request values: <table border="1" cellpadding="5">
+ <tr>
+ <th bgcolor="#023264"><font color="#ffffff">Property</font></th>
+ <th bgcolor="#023264"><font color="#ffffff">Value Before RemoteIpFilter</font></th>
+ <th bgcolor="#023264"><font color="#ffffff">Value After RemoteIpFilter</font></th>
+ </tr>
+ <tr>
+ <td> request.remoteAddr </td>
+ <td> 192.168.0.10 </td>
+ <td> 140.211.11.130 </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-for'<code>]</code> </td>
+ <td> 140.211.11.130, proxy1, proxy2, 192.168.0.10 </td>
+ <td> null </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-by'<code>]</code> </td>
+ <td> null </td>
+ <td> proxy1, proxy2 </td>
+ </tr>
+ </table>
+ </p>
+ <p>
+ Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that
+ come in <code>x-forwarded-for</code> header, they both are migrated in
+ <code>x-forwarded-by</code> header. As <code>192.168.0.10</code> is an internal
+ proxy, it does not appear in <code>x-forwarded-by</code>.
+ <code>x-forwarded-for</code> is <code>null</code> because all the proxies are
+ trusted or internal.
+ </p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Advanced configuration with an untrusted proxy"><!--()--></a><a name="Advanced_configuration_with_an_untrusted_proxy"><strong>Advanced configuration with an untrusted proxy</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>RemoteIpFilter configuration: </p>
+ <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>
+ <filter>
+ <filter-name>RemoteIpFilter</filter-name>
+ <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ <init-param>
+ <param-name>allowedInternalProxies</param-name>
+ <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
+ </init-param>
+ <init-param>
+ <param-name>remoteIpHeader</param-name>
+ <param-value>x-forwarded-for</param-value>
+ </init-param>
+ <init-param>
+ <param-name>remoteIpProxiesHeader</param-name>
+ <param-value>x-forwarded-by</param-value>
+ </init-param>
+ <init-param>
+ <param-name>trustedProxies</param-name>
+ <param-value>proxy1|proxy2</param-value>
+ </init-param>
+ </filter>
+ </pre></td><td bgcolor="#023264" width="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="../images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
+ <p>Request values: <table border="1" cellpadding="5">
+ <tr>
+ <th bgcolor="#023264"><font color="#ffffff">Property</font></th>
+ <th bgcolor="#023264"><font color="#ffffff">Value Before RemoteIpFilter</font></th>
+ <th bgcolor="#023264"><font color="#ffffff">Value After RemoteIpFilter</font></th>
+ </tr>
+ <tr>
+ <td> request.remoteAddr </td>
+ <td> 192.168.0.10 </td>
+ <td> untrusted-proxy </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-for'<code>]</code> </td>
+ <td> 140.211.11.130, untrusted-proxy, proxy1 </td>
+ <td> 140.211.11.130 </td>
+ </tr>
+ <tr>
+ <td> request.header<code>[</code>'x-forwarded-by'<code>]</code> </td>
+ <td> null </td>
+ <td> proxy1 </td>
+ </tr>
+ </table>
+ </p>
+ <p>
+ Note : <code>x-forwarded-by</code> holds the trusted proxy <code>proxy1</code>.
+ <code>x-forwarded-by</code> holds <code>140.211.11.130</code> because
+ <code>untrusted-proxy</code> is not trusted and thus, we can not trust that
+ <code>untrusted-proxy</code> is the actual remote ip.
+ <code>request.remoteAddr</code> is <code>untrusted-proxy</code> that is an IP
+ verified by <code>proxy1</code>.
+ </p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Remote IP Filter/Initialisation parameters"><!--()--></a><a name="Remote_IP_Filter/Initialisation_parameters"><strong>Initialisation parameters</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The <strong>Remote IP Filter</strong> supports the
+ following initialisation parameters:</p>
+
+ <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code class="attributeName">remoteIpHeader</code></td><td align="left" valign="center">
+ <p>Name of the HTTP Header read by this valve that holds the list of
+ traversed IP addresses starting from the requesting client. If not
+ specified, the default of <code>x-forwarded-for</code> is used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">internalProxies</code></td><td align="left" valign="center">
+ <p>Regular expression (using <code>java.util.regex</code>) that a
+ proxy's IP address must match to be considered an internal proxy.
+ Internal proxies that appear in the <strong>remoteIpHeader</strong> will
+ be trusted and will not appear in the <strong>proxiesHeader</strong>
+ value. If not specified the default value of <code>
+ 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}
+ </code> will be used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">proxiesHeader</code></td><td align="left" valign="center">
+ <p>Name of the HTTP header created by this valve to hold the list of
+ proxies that have been processed in the incoming
+ <strong>remoteIpHeader</strong>. If not specified, the default of
+ <code>x-forwarded-by</code> is used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">requestAttributesEnabled</code></td><td align="left" valign="center">
+ <p>Set to <code>true</code> to set the request attributes used by
+ AccessLog implementations to override the values returned by the
+ request for remote address, remote host, server port and protocol.
+ If not set, the default value of <code>true</code> will be used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">trustedProxies</code></td><td align="left" valign="center">
+ <p>Regular expression (using <code>java.util.regex</code>) that a
+ proxy's IP address must match to be considered an trusted proxy.
+ Trusted proxies that appear in the <strong>remoteIpHeader</strong> will
+ be trusted and will appear in the <strong>proxiesHeader</strong> value.
+ If not specified, no proxies will be trusted.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">protocolHeader</code></td><td align="left" valign="center">
+ <p>Name of the HTTP Header read by this valve that holds the protocol
+ used by the client to connect to the proxy. If not specified, the
+ default of <code>null</code> is used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">portHeader</code></td><td align="left" valign="center">
+ <p>Name of the HTTP Header read by this valve that holds the port
+ used by the client to connect to the proxy. If not specified, the
+ default of <code>null</code> is used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">protocolHeaderHttpsValue</code></td><td align="left" valign="center">
+ <p>Value of the <strong>protocolHeader</strong> to indicate that it is
+ an HTTPS request. If not specified, the default of <code>https</code> is
+ used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">httpServerPort</code></td><td align="left" valign="center">
+ <p>Value returned by <code>ServletRequest.getServerPort()</code>
+ when the <strong>protocolHeader</strong> indicates <code>http</code>
+ protocol and no <strong>portHeader</strong> is present. If not
+ specified, the default of <code>80</code> is used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">httpsServerPort</code></td><td align="left" valign="center">
+ <p>Value returned by <code>ServletRequest.getServerPort()</code>
+ when the <strong>protocolHeader</strong> indicates <code>https</code>
+ protocol and no <strong>portHeader</strong> is present. If not
+ specified, the default of <code>443</code> is used.</p>
+ </td></tr><tr><td align="left" valign="center"><code class="attributeName">changeLocalPort</code></td><td align="left" valign="center">
+ <p>If <code>true</code>, the value returned by
+ <code>ServletRequest.getLocalPort()</code> and
+ <code>ServletRequest.getServerPort()</code> is modified by the this
+ filter. If not specified, the default of <code>false</code> is used.</p>
+ </td></tr></table>
+
+
+ </blockquote></td></tr></table>
+
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Request Dumper Filter"><!--()--></a><a name="Request_Dumper_Filter"><strong>Request Dumper Filter</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Request Dumper Filter/Introduction"><!--()--></a><a name="Request_Dumper_Filter/Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The Request Dumper Filter logs information from the request and response
+ objects and is intended to be used for debugging purposes. When using this
+ Filter, it is recommended that the
+ <code>org.apache.catalina.filter.RequestDumperFilter</code> logger is
+ directed to a dedicated file and that the
+ <code>org.apache.juli.VerbatimFormmater</code> is used.</p>
+
+ <p><strong>WARNING: Using this filter has side-effects.</strong> The
+ output from this filter includes any parameters included with the request.
+ The parameters will be decoded using the default platform encoding. Any
+ subsequent calls to <code>request.setCharacterEncoding()</code> within
+ the web application will have no effect.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Request Dumper Filter/Filter Class Name"><!--()--></a><a name="Request_Dumper_Filter/Filter_Class_Name"><strong>Filter Class Name</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The filter class name for the Request Dumper Filter is
+ <strong><code>org.apache.catalina.filters.RequestDumperFilter</code>
+ </strong>.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Request Dumper Filter/Initialisation parameters"><!--()--></a><a name="Request_Dumper_Filter/Initialisation_parameters"><strong>Initialisation parameters</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The Request Dumper Filter does not support any initialization
+ parameters.</p>
+
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Sample Configuration"><!--()--></a><a name="Sample_Configuration"><strong>Sample Configuration</strong></a></font></td></tr><tr><td><blockquote>
+
+ <p>The following entries in a web application's web.xml would enable the
+ Request Dumper filter for all requests for that web application. If the
[... 169 lines stripped ...]
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org