Author: markt
Date: Wed Oct 26 15:06:19 2011
New Revision: 1189258

URL: http://svn.apache.org/viewvc?rev=1189258&view=rev
Log:
Make configuration issues for security related valves and filters result in the 
failure of the valve or filter rather than just a warning message.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RequestFilter.java
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Oct 26 15:06:19 2011
@@ -1 +1 @@
-/tomcat/trunk:1156115,1156171,1156276,1156304,1156519,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1158426,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486,1161540,1161549,1161584,1162082,1162149,1162169,1162721,1162769,1162836,1162932,1163630,1164419,1164438,1164469,1164480,1164567,1165234,1165247-1165248,1165253,1165273,1165282,1165309,1165331,1165338,1165347,1165360-1165361,1165367-1165368,1165602,1165608,1165677,1165693,1165721,1165723,1165728,1165730,1165738,1165746,1165765,1165777,1165918,1165921,1166077,1166150-1166151,1166290,1166366,1166620,1166686,1166693,1166752,1166757,1167368,1167394,1169447,1170647,1171692,1172233-1172234,1172236,1172269,1172278,1172282,1172556,1172610,1172664,1172689,1172711,1173020-1173021,1173082,1173088,1173090,1173096
 
,1173241,1173256,1173288,1173333,1173342,1173461,1173614,1173630,1173659,1173722,1174061,1174239,1174322,1174325,1174329-1174330,1174337-1174339,1174343,1174353,1174799,1174882,1174884,1174983,1175155,1175158,1175167,1175182,1175190,1175201,1175272,1175275,1175283,1175582,1175589-1175590,1175594,1175602,1175613,1175633,1175690,1175713,1175889,1175896,1175907,1176584,1176590,1176799,1177050,1177060,1177125,1177152,1177160,1177245,1177850,1177862,1177978,1178209,1178228,1178233,1178449,1178542,1178681,1178684,1178721,1179268,1179274,1180261,1180865,1180891,1180894,1180907,1181028,1181123,1181125,1181136,1181291,1181743,1182796,1183078,1183105,1183142,1183328,1183339-1183340,1183492-1183494,1183605,1184917,1184919,1185018,1185020,1185200,1185588,1185626,1185756,1185758,1186011,1186042-1186045,1186104,1186123,1186137,1186153,1186254,1186257,1186377-1186379,1186479-1186480,1186712,1186743,1186750,1186763,1186890-1186892,1186894,1186949,1187018,1187027-1187028,1187381,1187755,1187
 
775,1187827,1188301,1188303-1188305,1188399,1188822,1188930-1188931,1189116,1189129,1189183,1189240
+/tomcat/trunk:1156115,1156171,1156276,1156304,1156519,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1158426,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486,1161540,1161549,1161584,1162082,1162149,1162169,1162721,1162769,1162836,1162932,1163630,1164419,1164438,1164469,1164480,1164567,1165234,1165247-1165248,1165253,1165273,1165282,1165309,1165331,1165338,1165347,1165360-1165361,1165367-1165368,1165602,1165608,1165677,1165693,1165721,1165723,1165728,1165730,1165738,1165746,1165765,1165777,1165918,1165921,1166077,1166150-1166151,1166290,1166366,1166620,1166686,1166693,1166752,1166757,1167368,1167394,1169447,1170647,1171692,1172233-1172234,1172236,1172269,1172278,1172282,1172556,1172610,1172664,1172689,1172711,1173020-1173021,1173082,1173088,1173090,1173096
 
,1173241,1173256,1173288,1173333,1173342,1173461,1173614,1173630,1173659,1173722,1174061,1174239,1174322,1174325,1174329-1174330,1174337-1174339,1174343,1174353,1174799,1174882,1174884,1174983,1175155,1175158,1175167,1175182,1175190,1175201,1175272,1175275,1175283,1175582,1175589-1175590,1175594,1175602,1175613,1175633,1175690,1175713,1175889,1175896,1175907,1176584,1176590,1176799,1177050,1177060,1177125,1177152,1177160,1177245,1177850,1177862,1177978,1178209,1178228,1178233,1178449,1178542,1178681,1178684,1178721,1179268,1179274,1180261,1180865,1180891,1180894,1180907,1181028,1181123,1181125,1181136,1181291,1181743,1182796,1183078,1183105,1183142,1183328,1183339-1183340,1183492-1183494,1183605,1184917,1184919,1185018,1185020,1185200,1185588,1185626,1185756,1185758,1186011,1186042-1186045,1186104,1186123,1186137,1186153,1186254,1186257,1186377-1186379,1186479-1186480,1186712,1186743,1186750,1186763,1186890-1186892,1186894,1186949,1187018,1187027-1187028,1187381,1187755,1187
 
775,1187827,1188301,1188303-1188305,1188399,1188822,1188930-1188931,1189116,1189129,1189183,1189240,1189256

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1189258&r1=1189257&r2=1189258&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
Wed Oct 26 15:06:19 2011
@@ -187,6 +187,13 @@ public class CsrfPreventionFilter extend
         chain.doFilter(request, wResponse);
     }
 
+
+    @Override
+    protected boolean isConfigProblemFatal() {
+        return true;
+    }
+
+
     /**
      * Generate a once time token (nonce) for authenticating subsequent
      * requests. This will also add the token to the session. The nonce
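Review bot: The `isConfigProblemFatal()` override added at the top of this hunk carries no comment explaining why this filter opts in, and the same undocumented override is added to `RequestFilter` further down. A short Javadoc would record the intent, for example `/** CSRF protection must not run with a mistyped or ignored init-param; fail filter initialisation instead. */`. Going by the FilterBase hunk, returning true turns an unrecognised init parameter into a `ServletException`, so the comment should say that a stray parameter now stops the filter, and with it the web application, from starting.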

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java?rev=1189258&r1=1189257&r2=1189258&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/FilterBase.java Wed 
Oct 26 15:06:19 2011
@@ -48,8 +48,13 @@ public abstract class FilterBase impleme
             String paramName = paramNames.nextElement();
             if (!IntrospectionUtils.setProperty(this, paramName,
                     filterConfig.getInitParameter(paramName))) {
-                getLogger().warn(sm.getString("filterbase.noSuchProperty",
-                        paramName, this.getClass().getName()));
+                String msg = sm.getString("filterbase.noSuchProperty",
+                        paramName, this.getClass().getName());
+                if (isConfigProblemFatal()) {
+                    throw new ServletException(msg);
+                } else {
+                    getLogger().warn(msg);
+                }
             }
         }    
     }
@@ -59,4 +64,15 @@ public abstract class FilterBase impleme
         // NOOP
     }
 
+    /**
+     * Determines if an exception when calling a setter or an unknown
+     * configuration attribute triggers the failure of the this filter which in
+     * turn will prevent the web application from starting.
+     *
+     * @return <code>true</true> if a problem should trigger the failure of 
this
+     *         filter, else <code>false</code>
+     */
+    protected boolean isConfigProblemFatal() {
+        return false;
+    }
 }
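Review bot: The Javadoc added for `isConfigProblemFatal()` has a broken tag, `<code>true</true>`, which should read `<code>true</code>`, and "failure of the this filter" has a stray word. The text also promises that an exception thrown by a setter is treated as fatal, but the code in the first hunk only tests the boolean returned by `IntrospectionUtils.setProperty`; whether a throwing setter yields false there is not shown in this diff, so confirm it or narrow the wording. In the fatal branch the throw happens inside the parameter loop, so only the first bad parameter is reported and any further ones surface on the next start attempt.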

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RequestFilter.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RequestFilter.java?rev=1189258&r1=1189257&r2=1189258&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RequestFilter.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RequestFilter.java 
Wed Oct 26 15:06:19 2011
@@ -162,6 +162,12 @@ public abstract class RequestFilter
     // ------------------------------------------------------ Protected Methods
 
 
+    @Override
+    protected boolean isConfigProblemFatal() {
+        return true;
+    }
+
+
     /**
      * Perform the filtering that has been configured for this Filter, matching
      * against the specified request property.
@@ -189,6 +195,7 @@ public abstract class RequestFilter
         }
     }
 
+
     /**
      * Perform the filtering that has been configured for this Filter, matching
      * against the specified request property.

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties?rev=1189258&r1=1189257&r2=1189258&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties 
Wed Oct 26 15:06:19 2011
@@ -45,6 +45,8 @@ errorReportValve.rootCauseInLogs=The ful
 remoteIpValve.syntax=Invalid regular expressions [{0}] provided.
 remoteIpValve.invalidPortHeader=Invalid value [{0}] found for port in HTTP 
header [{1}]
 
+requestFilterValve.configInvalid=One or more invalid configuration settings 
were provided for the Remote[Host|Ip]Valve which prevented the Valve and its 
parent containers from starting
+
 sslValve.certError=Failed to process certificate string [{0}] to create a 
java.security.cert.X509Certificate object
 sslValve.invalidProvider=The SSL provider specified on the connector 
associated with this request of [{0}] is invalid. The certificate data could 
not be processed.
 

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/RequestFilterValve.java?rev=1189258&r1=1189257&r2=1189258&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/RequestFilterValve.java 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/RequestFilterValve.java 
Wed Oct 26 15:06:19 2011
@@ -23,6 +23,7 @@ import java.util.regex.Pattern;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.LifecycleException;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 
@@ -81,12 +82,14 @@ public abstract class RequestFilterValve
      * The regular expression used to test for allowed requests.
      */
     protected volatile Pattern allow = null;
+    protected volatile boolean allowValid = true;
 
 
     /**
      * The regular expression used to test for denied requests.
      */
     protected volatile Pattern deny = null;
+    protected volatile boolean denyValid = true;
 
 
     // ------------------------------------------------------------- Properties
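Review bot: `allowValid` and `denyValid` are added without Javadoc and sit directly beneath the comment blocks of `allow` and `deny`, so their meaning has to be inferred from the setters. Both are `protected volatile` and therefore visible to subclasses, so each deserves its own comment, for example `/** False once setAllow() has been given an expression that failed to compile; checked in initInternal(). */` and the matching text for `denyValid`.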
@@ -115,8 +118,15 @@ public abstract class RequestFilterValve
     public void setAllow(String allow) {
         if (allow == null || allow.length() == 0) {
             this.allow = null;
+            allowValid = true;
         } else {
-            this.allow = Pattern.compile(allow);
+            boolean success = false;
+            try {
+                this.allow = Pattern.compile(allow);
+                success = true;
+            } finally {
+                allowValid = success;
+            }
         }
     }
 
@@ -144,8 +154,15 @@ public abstract class RequestFilterValve
     public void setDeny(String deny) {
         if (deny == null || deny.length() == 0) {
             this.deny = null;
+            denyValid = true;
         } else {
-            this.deny = Pattern.compile(deny);
+            boolean success = false;
+            try {
+                this.deny = Pattern.compile(deny);
+                success = true;
+            } finally {
+                denyValid = success;
+            }
         }
     }
 
@@ -184,6 +201,16 @@ public abstract class RequestFilterValve
     // ------------------------------------------------------ Protected Methods
 
 
+    @Override
+    protected void initInternal() throws LifecycleException {
+        super.initInternal();
+        if (!allowValid || !denyValid) {
+            throw new LifecycleException(
+                    sm.getString("requestFilterValve.configInvalid"));
+        }
+    }
+
+
     /**
      * Perform the filtering that has been configured for this Valve, matching
      * against the specified request property.
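Review bot: The validity flags are enforced only in `initInternal()`, so a `setAllow` or `setDeny` call that fails after initialisation flips the flag without any visible consequence. In those setters (earlier hunks) a failed `Pattern.compile` leaves `this.allow` or `this.deny` at its previous value, which is null on a fresh valve, so the access rule in force is not the one the operator asked for. The request-handling code is outside this diff, so this is inferred; if the flags are not consulted there, consider rejecting requests while either flag is false, or at least document the limit with `// Only checked at init; a later failed setter call is not re-validated`. The message `requestFilterValve.configInvalid` also does not say which of the two attributes was rejected.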

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1189258&r1=1189257&r2=1189258&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed Oct 26 15:06:19 2011
@@ -136,6 +136,11 @@
         <code>authenticator.Constants</code> with the auth method names from
         <code>HttpServletRequest</code>. (kkolinko)
       </scode>
+      <add>
+        Make configuration issues for security related Valves and Filters 
result
+        in the failure of the valve or filter rather than just a warning
+        message. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">


