On 30.11.2014 at 21:13, Konstantin Kolinko wrote:
> 2014-11-30 21:30 GMT+03:00 <rj...@apache.org>:
>> Author: rjung
>> Date: Sun Nov 30 18:30:47 2014
>> New Revision: 1642595
>> URL: http://svn.apache.org/r1642595
>> Log:
>> Allow RemoteAddrValve and RemoteHostValve to
>> trigger authentication instead of denying a
>> request with a status code.
>> This only works in combination with preemptiveAuthentication
>> on the application context.
>> It can be used to add an additional authentication
>> without touching the application war.
>> Example:
>> <Context preemptiveAuthentication="true">
>> <Valve className="org.apache.catalina.valves.RequestFilterValve"
> RequestFilterValve is an abstract class...
Oops, yes, it would be either RequestAddrValve or RequestHostValve.
I should add an explicit working example to the docs.
>> allow=".*,8009"
> 1) If you ever plan to backport this to Tomcat 6, then comma (',') is
> a wrong choice, because in Tomcat 6 it cannot be used in a regular
> expression, as it is treated as a separator between several regular
> expressions.
Thanks for the hint. I had originally used "-", but didn't like it
because it can show up in host names.
> If colon is no good (as part of ipv6 address), I propose to use semicolon (';').
ACK, will adjust.
>> addLocalPort="true"
> 2) "local port" usually means request.getServerPort() (that is what
> means "%p" in AccessLogValve) or request.getLocalPort().
> Your request.getConnector().getPort() in r1642564 is different from
> either of them, because it can return "-1" if Tomcat is configured to
> autoselect a port number, while none of the above methods can do that.
> (See Connector.getPort() vs. connector.getLocalPort())
> The Connector.getPort() value is good for this task of identifying connectors.
> Maybe name this feature "addConnectorPort" instead of "addLocalPort"?
Good point, thanks.
>> invalidAuthenticationWhenDeny="true"/>
>> <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
>> </Context>
>> This will allow normal access via the port 8009 connector (AJP)
>> but will trigger basic auth when accessed via any other connector.
>> An administrator can use an http port to check whether the app
>> works but public access will still be restricted to the AJP port.
> 3) Expose the new properties via JMX = ?
ACK
Thanks a bunch for your review!
Regards,
Rainer
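The valve decision that the commit message and the review above describe, written up as an added Python model that is not Tomcat's own code. It assumes the semicolon separator and the "addConnectorPort" name the thread settles on; the function names, outcome labels and sample addresses are constructed for the illustration. The allow/deny precedence (a deny match wins, then an allow match, and a deny-only configuration lets everything else through) follows Tomcat's documented RequestFilterValve behaviour; the last function models the Tomcat 6 comma-splitting problem from point 1 of the review.

```python
import re
from typing import Optional, Tuple

# Added model (not Tomcat's code) of the RemoteAddrValve/RemoteHostValve
# decision discussed in the thread.  filter_request, the outcome labels and
# the sample addresses are constructed; ';' and "addConnectorPort" are the
# separator and attribute name agreed on in the review.

SEPARATOR = ";"   # ',' clashes with Tomcat 6 pattern lists, ':' with IPv6 addresses


def build_property(remote_addr: str, connector_port: int, add_connector_port: bool) -> str:
    """String matched against allow/deny: the remote address (or host name for
    RemoteHostValve), optionally followed by ';' and the connector's configured
    port, e.g. "10.0.0.5;8009"."""
    if add_connector_port:
        return f"{remote_addr}{SEPARATOR}{connector_port}"
    return remote_addr


def is_allowed(prop: str, allow: Optional[re.Pattern], deny: Optional[re.Pattern]) -> bool:
    """Tomcat's documented precedence: a deny match wins, then an allow match;
    with only a deny pattern configured, everything else is allowed."""
    if deny is not None and deny.fullmatch(prop):
        return False
    if allow is not None and allow.fullmatch(prop):
        return True
    return deny is not None and allow is None


def filter_request(remote_addr: str, connector_port: int, *, allow: Optional[str] = None,
                   deny: Optional[str] = None, add_connector_port: bool = False,
                   invalid_authentication_when_deny: bool = False,
                   preemptive_authentication: bool = False,
                   deny_status: int = 403) -> Tuple[str, Optional[int]]:
    """Outcome of the valve for one request:
    ("pass", None)          request continues untouched,
    ("authenticate", None)  request continues, but the authenticator valve
                            behind it must now obtain credentials (new behaviour),
    ("error", status)       request is rejected with the deny status."""
    allow_re = re.compile(allow) if allow else None
    deny_re = re.compile(deny) if deny else None
    prop = build_property(remote_addr, connector_port, add_connector_port)
    if is_allowed(prop, allow_re, deny_re):
        return ("pass", None)
    # The new option only takes effect on a context with
    # preemptiveAuthentication="true"; otherwise the status-code deny stays.
    if invalid_authentication_when_deny and preemptive_authentication:
        return ("authenticate", None)
    return ("error", deny_status)


def tomcat6_is_allowed(prop: str, allow: str) -> bool:
    """Why ',' is a bad separator: Tomcat 6 splits allow/deny on commas into
    several patterns, so ".*,8009" becomes ".*" plus "8009", and the first one
    matches every address on every connector."""
    patterns = [re.compile(p.strip()) for p in allow.split(",") if p.strip()]
    return any(p.fullmatch(prop) for p in patterns)


if __name__ == "__main__":
    # Constructed scenario from the commit message: AJP on 8009 is public,
    # every other connector has to go through the BasicAuthenticator.
    cfg = dict(allow=r".*;8009", add_connector_port=True,
               invalid_authentication_when_deny=True, preemptive_authentication=True)
    print(filter_request("10.0.0.5", 8009, **cfg))          # ('pass', None)
    print(filter_request("10.0.0.5", 8080, **cfg))          # ('authenticate', None)
    print(tomcat6_is_allowed("10.0.0.5,8080", ".*,8009"))   # True: the comma form leaks
```

Note the last call: with a comma as separator, the Tomcat 6 pattern split turns the intended "only the 8009 connector" rule into "any address", which is exactly the backport concern raised in the review.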