Author: markt
Date: Thu Jun 16 12:48:16 2016
New Revision: 1748715
URL: http://svn.apache.org/viewvc?rev=1748715&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57705
Add debug logging for requests denied by the remote host and remote address
valves and filters. Based on a patch by Graham Leggett.
Modified:
tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java
tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java
tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java
tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=1748715&r1=1748714&r2=1748715&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties Thu
Jun 16 12:48:16 2016
@@ -47,4 +47,6 @@ expiresFilter.invalidDurationUnit=Invali
httpHeaderSecurityFilter.committed=Unable to add HTTP headers since response
is already committed on entry to the HTTP header security Filter
httpHeaderSecurityFilter.clickjack.invalid=An invalid value [{0}] was
specified for the anti click-jacking header
+requestFilter.deny=Denied request for [{0}] based on property [{1}]
+
restCsrfPreventionFilter.invalidNonce=CSRF nonce validation failed
\ No newline at end of file
Modified: tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java?rev=1748715&r1=1748714&r2=1748715&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java Thu Jun 16
12:48:16 2016
@@ -24,6 +24,7 @@ import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
@@ -204,6 +205,10 @@ public abstract class RequestFilter exte
chain.doFilter(request, response);
} else {
if (response instanceof HttpServletResponse) {
+ if (getLogger().isDebugEnabled()) {
+ getLogger().debug(sm.getString("requestFilter.deny",
+ ((HttpServletRequest) request).getRequestURI(),
property));
+ }
((HttpServletResponse) response).sendError(denyStatus);
} else {
sendErrorWhenNotHttp(response);
Modified: tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties?rev=1748715&r1=1748714&r2=1748715&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties Thu
Jun 16 12:48:16 2016
@@ -46,6 +46,7 @@ remoteIpValve.invalidPortHeader=Invalid
# Request filter valve - RemoteAddrValve, RemoteHostValve
requestFilterValve.configInvalid=One or more invalid configuration settings
were provided for the Remote[Addr|Host]Valve which prevented the Valve and its
parent containers from starting
+requestFilterValve.deny=Denied request for [{0}] based on property [{1}]
sslValve.certError=Failed to process certificate string [{0}] to create a
java.security.cert.X509Certificate object
sslValve.invalidProvider=The SSL provider specified on the connector
associated with this request of [{0}] is invalid. The certificate data could
not be processed.
Modified: tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java?rev=1748715&r1=1748714&r2=1748715&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java (original)
+++ tomcat/trunk/java/org/apache/catalina/valves/RemoteAddrValve.java Thu Jun
16 12:48:16 2016
@@ -23,6 +23,8 @@ import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
/**
@@ -34,6 +36,9 @@ import org.apache.catalina.connector.Res
*/
public final class RemoteAddrValve extends RequestFilterValve {
+ private static final Log log = LogFactory.getLog(RemoteAddrValve.class);
+
+
// ----------------------------------------------------- Instance Variables
/**
@@ -72,22 +77,8 @@ public final class RemoteAddrValve exten
// --------------------------------------------------------- Public Methods
- /**
- * Extract the desired request property, and pass it (along with the
- * specified request and response objects) to the protected
- * <code>process()</code> method to perform the actual filtering.
- * This method must be implemented by a concrete subclass.
- *
- * @param request The servlet request to be processed
- * @param response The servlet response to be created
- *
- * @exception IOException if an input/output error occurs
- * @exception ServletException if a servlet error occurs
- */
@Override
- public void invoke(Request request, Response response)
- throws IOException, ServletException {
-
+ public void invoke(Request request, Response response) throws IOException,
ServletException {
String property;
if (addConnectorPort) {
property = request.getRequest().getRemoteAddr() + ";" +
request.getConnector().getPort();
@@ -95,6 +86,12 @@ public final class RemoteAddrValve exten
property = request.getRequest().getRemoteAddr();
}
process(property, request, response);
+ }
+
+
+ @Override
+ protected Log getLog() {
+ return log;
}
}
Modified: tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java?rev=1748715&r1=1748714&r2=1748715&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java (original)
+++ tomcat/trunk/java/org/apache/catalina/valves/RemoteHostValve.java Thu Jun
16 12:48:16 2016
@@ -16,14 +16,14 @@
*/
package org.apache.catalina.valves;
-
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
-
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
/**
* Concrete implementation of <code>RequestFilterValve</code> that filters
@@ -34,6 +34,9 @@ import org.apache.catalina.connector.Res
*/
public final class RemoteHostValve extends RequestFilterValve {
+ private static final Log log = LogFactory.getLog(RemoteHostValve.class);
+
+
// ----------------------------------------------------- Instance Variables
/**
@@ -71,22 +74,8 @@ public final class RemoteHostValve exten
// --------------------------------------------------------- Public Methods
- /**
- * Extract the desired request property, and pass it (along with the
- * specified request and response objects) to the protected
- * <code>process()</code> method to perform the actual filtering.
- * This method must be implemented by a concrete subclass.
- *
- * @param request The servlet request to be processed
- * @param response The servlet response to be created
- *
- * @exception IOException if an input/output error occurs
- * @exception ServletException if a servlet error occurs
- */
@Override
- public void invoke(Request request, Response response)
- throws IOException, ServletException {
-
+ public void invoke(Request request, Response response) throws IOException,
ServletException {
String property;
if (addConnectorPort) {
property = request.getRequest().getRemoteHost() + ";" +
request.getConnector().getPort();
@@ -94,6 +83,11 @@ public final class RemoteHostValve exten
property = request.getRequest().getRemoteHost();
}
process(property, request, response);
+ }
+
+ @Override
+ protected Log getLog() {
+ return log;
}
}
Modified: tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java?rev=1748715&r1=1748714&r2=1748715&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java Thu
Jun 16 12:48:16 2016
@@ -27,6 +27,7 @@ import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
+import org.apache.juli.logging.Log;
/**
* Implementation of a Valve that performs filtering based on comparing the
@@ -319,12 +320,19 @@ public abstract class RequestFilterValve
return;
}
+ if (getLog().isDebugEnabled()) {
+ getLog().debug(sm.getString("requestFilterValve.deny",
+ request.getRequestURI(), property));
+ }
+
// Deny this request
denyRequest(request, response);
-
}
+ protected abstract Log getLog();
+
+
/**
* Reject the request that was denied by this valve.
* <p>If <code>invalidAuthenticationWhenDeny</code> is true
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1748715&r1=1748714&r2=1748715&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 16 12:48:16 2016
@@ -48,6 +48,11 @@
<subsection name="Catalina">
<changelog>
<fix>
+ <bug>57705</bug>: Add debug logging for requests denied by the remote
+ host and remote address valves and filters. Based on a patch by Graham
+ Leggett. (markt)
+ </fix>
+ <fix>
Correct a regression in the fix for <bug>58588</bug> that removed the
entire <code>org.apache.juli</code> package from the embedded JARs
rendering them unusable. (markt)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
