2014-11-30 21:30 GMT+03:00  <rj...@apache.org>:
> Author: rjung
> Date: Sun Nov 30 18:30:47 2014
> New Revision: 1642595
>
> URL: http://svn.apache.org/r1642595
> Log:
> Allow RemoteAddrValve and RemoteHostValve to
> trigger authentication instead of denying a
> request with a status code.
>
> This only works in combination with preemptiveAuthentication
> on the application context.
>
> It can be used to add an additional authentication
> without touching the application war.
>
> Example:
>
> <Context preemptiveAuthentication="true">
>   <Valve className="org.apache.catalina.valves.RequestFilterValve"

RequestFilterValve is an abstract class...

>          allow=".*,8009"

1) If you ever plan to backport this to Tomcat 6, then comma (',') is
a wrong choice, because in Tomcat 6 it cannot be used in a regular
expression, as it is treated as a separator between several regular
expressions.

If colon is no good (as part of an IPv6 address), I propose to use semicolon (';').

>          addLocalPort="true"

2) "local port" usually means request.getServerPort() (that is what
"%p" means in AccessLogValve) or request.getLocalPort().

Your request.getConnector().getPort() in r1642564 is different from
either of them, because it can return "-1" if Tomcat is configured to
autoselect a port number, while none of the above methods can do that.
(See Connector.getPort() vs. connector.getLocalPort())

The Connector.getPort() value is good for this task of identifying connectors.
Maybe name this feature "addConnectorPort" instead of "addLocalPort"?

>          invalidAuthenticationWhenDeny="true"/>
>   <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
> </Context>
>
> This will allow normal access via the port 8009 connector (AJP)
> but will trigger basic auth when accessed via any other connector.
> An administrator can use an http port to check whether the app
> works but public access will still be restricted to the AJP port.


3) Expose the new properties via JMX = ?

> Modified:
>     tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
>     tomcat/trunk/test/org/apache/catalina/valves/TestRequestFilterValve.java
>     tomcat/trunk/webapps/docs/config/valve.xml
>

Best regards,
Konstantin Kolinko
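
Point 1 above, as an added example (not part of the original message and not Tomcat code): a simplified Java model of the two parsing styles, showing that when the allow value is split on commas, ".*,8009" degrades to a bare ".*" that admits every port. The class and method names, the sample address 192.0.2.10 and the combined address-plus-port string are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SeparatorDemo {

    // Comma-separated list of regular expressions, as the reply describes
    // for Tomcat 6. Simplified model, not the Tomcat implementation.
    static List<Pattern> commaSeparatedList(String attribute) {
        List<Pattern> patterns = new ArrayList<>();
        for (String part : attribute.split(",")) {
            patterns.add(Pattern.compile(part.trim()));
        }
        return patterns;
    }

    // A request is allowed if any pattern in the list matches the whole property.
    static boolean allowedByList(String attribute, String property) {
        for (Pattern p : commaSeparatedList(attribute)) {
            if (p.matcher(property).matches()) {
                return true;
            }
        }
        return false;
    }

    // The whole attribute value is treated as one regular expression.
    static boolean allowedBySingleRegex(String attribute, String property) {
        return Pattern.matches(attribute, property);
    }

    public static void main(String[] args) {
        String addr = "192.0.2.10";          // constructed sample address
        String[] ports = {"8009", "8080"};   // AJP connector vs. another connector
        for (String sep : new String[] {",", ";"}) {
            String allow = ".*" + sep + "8009";
            for (String port : ports) {
                String property = addr + sep + port;   // assumed "address<sep>port" form
                System.out.printf("allow=%-8s property=%-16s list=%-5b single=%b%n",
                        allow, property,
                        allowedByList(allow, property),
                        allowedBySingleRegex(allow, property));
            }
        }
    }
}
```

With the comma separator the list-style parser accepts the port 8080 request, so the valve would never deny it and authentication would never be triggered; with the semicolon both parsing styles agree.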
