| Links Top Level Elements Executors Connectors Containers Nested Components Cluster Elements web.xml Other | The Valve Component| Introduction |  | 
  A Valve element represents a component that will be
  inserted into the request processing pipeline for the associated
  Catalina container (Engine,
  Host, or Context).
  Individual Valves have distinct processing capabilities, and are
  described individually below. The description below uses the variable name $CATALINA_BASE to refer the
    base directory against which most relative paths are resolved. If you have
    not configured Tomcat for multiple instances by setting a CATALINA_BASE
    directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
    the directory into which you have installed Tomcat. | 
 | Access Logging |  | 
Access logging is performed by valves that implement
org.apache.catalina.AccessLog interface. | Access Log Valve |  | 
  | Introduction |  | 
    The Access Log Valve creates log files in the
    same format as those created by standard web servers.  These logs
    can later be analyzed by standard log analysis tools to track page
    hit counts, user session activity, and so on.  This Valveuses self-contained logic to write its log files, which can be
    automatically rolled over at midnight each day.  (The essential
    requirement for access logging is to handle a large continuous
    stream of data with low overhead. ThisValvedoes not
    use Apache Commons Logging, thus avoiding additional overhead and
    potentially complex configuration). This Valvemay be associated with any Catalina container
    (Context,Host, orEngine), and
    will record ALL requests processed by that container. Some requests may be handled by Tomcat before they are passed to a
    container. These include redirects from /foo to /foo/ and the rejection of
    invalid requests. Where Tomcat can identify the Contextthat
    would have handled the request, the request/response will be logged in theAccessLog(s) associatedContext,HostandEngine. Where Tomcat cannot identify theContextthat would have handled the request, e.g. in cases
    where the URL is invalid, Tomcat will look first in theEngine,
    then the defaultHostfor theEngineand finally
    the ROOT (or default)Contextfor the defaultHostfor anAccessLogimplementation. Tomcat will use the firstAccessLogimplementation found to log those requests that are
    rejected before they are passed to a container. The output file will be placed in the directory given by the
    directoryattribute. The name of the file is composed
    by concatenation of the configuredprefix, timestamp andsuffix. The format of the timestamp in the file name can be
    set using thefileDateFormatattribute. This timestamp will
    be omitted if the file rotation is switched off by settingrotatabletofalse. Warning: If multiple AccessLogValve instances
    are used, they should be configured to use different output files. If sendfile is used, the response bytes will be written asynchronously
    in a separate thread and the access log valve will not know how many bytes
    were actually written. In this case, the number of bytes that was passed to
    the sendfile thread for writing will be recorded in the access log valve.
     | 
 | Attributes |  | 
    The Access Log Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | buffered | Flag to determine if logging will be buffered.
           If set to false, then access logging will be written after each
           request. Default value:true |  | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.AccessLogValve to use the
        default access log valve. |  | condition | The same as conditionUnless. This attribute is
           provided for backwards compatibility. |  | conditionIf | Turns on conditional logging. If set, requests will be
           logged only if ServletRequest.getAttribute()is
           not null. For example, if this value is set toimportant, then a particular request will only be logged
           ifServletRequest.getAttribute("important") != null.
           The use of Filters is an easy way to set/unset the attribute
           in the ServletRequest on many different requests. |  | conditionUnless | Turns on conditional logging. If set, requests will be
           logged only if ServletRequest.getAttribute()is
           null. For example, if this value is set tojunk, then a particular request will only be logged
           ifServletRequest.getAttribute("junk") == null.
           The use of Filters is an easy way to set/unset the attribute
           in the ServletRequest on many different requests. |  | directory | Absolute or relative pathname of a directory in which log files
        created by this valve will be placed.  If a relative path is
        specified, it is interpreted as relative to $CATALINA_BASE.  If
        no directory attribute is specified, the default value is "logs"
        (relative to $CATALINA_BASE). |  | encoding | Character set used to write the log file. An empty string means
        to use the system default character set. Default value: use the
        system default character set.
         |  | fileDateFormat | Allows a customized timestamp in the access log file name.
           The file is rotated whenever the formatted timestamp changes.
           The default value is yyyy-MM-dd.
           If you wish to rotate every hour, then set this value
           toyyyy-MM-dd.HH.
           The date format will always be localized
           using the localeen_US. |  | locale | The locale used to format timestamps in the access log
           lines. Any timestamps configured using an
           explicit SimpleDateFormat pattern (%{xxx}t)
           are formatted in this locale. By default the
           default locale of the Java process is used. Switching the
           locale after the AccessLogValve is initialized is not supported.
           Any timestamps using the common log format
           (CLF) are always formatted in the localeen_US. |  | maxDays | The maximum number of days rotated access logs will be retained for
           before being deleted. If not specified, the default value of
           -1will be used which means never delete old files. |  | pattern | A formatting layout identifying the various information fields
        from the request and response to be logged, or the word
        commonorcombinedto select a
        standard format.  See below for more information on configuring
        this attribute. |  | prefix | The prefix added to the start of each log file's name.  If not
        specified, the default value is "access_log". |  | renameOnRotate | By default for a rotatable log the active access log file name
           will contain the current timestamp in fileDateFormat.
           During rotation the file is closed and a new file with the next
           timestamp in the name is created and used. When settingrenameOnRotatetotrue, the timestamp
           is no longer part of the active log file name. Only during rotation
           the file is closed and then renamed to include the timestamp.
           This is similar to the behavior of most log frameworks when
           doing time based rotation.
           Default value:false |  | requestAttributesEnabled | Set to trueto check for the existence of request
        attributes (typically set by the RemoteIpValve and similar) that should
        be used to override the values returned by the request for remote
        address, remote host, server port and protocol. If the attributes are
        not set, or this attribute is set tofalsethen the values
        from the request will be used. If not set, the default value offalsewill be used. |  | resolveHosts | This attribute is no longer supported. Use the connector
        attribute enableLookupsinstead. If you have enableLookupson the connector set totrueand want to ignore it, use %a instead of
        %h in the value ofpattern. |  | rotatable | Flag to determine if log rotation should occur.
           If set to false, then this file is never rotated andfileDateFormatis ignored.
           Default value:true |  | suffix | The suffix added to the end of each log file's name.  If not
        specified, the default value is "" (a zero-length string),
        meaning that no suffix will be added. | 
 Values for the patternattribute are made up of literal
    text strings, combined with pattern identifiers prefixed by the "%"
    character to cause replacement by the corresponding variable value from
    the current request and response.  The following pattern codes are
    supported: 
    %a - Remote IP address%A - Local IP address%b - Bytes sent, excluding HTTP headers, or '-' if zero%B - Bytes sent, excluding HTTP headers%h - Remote host name (or IP address if
        enableLookupsfor the connector is false)%H - Request protocol%l - Remote logical username from identd (always returns
        '-')%m - Request method (GET, POST, etc.)%p - Local port on which this request was received.
        See also %{xxx}pbelow.%q - Query string (prepended with a '?' if it exists)%r - First line of the request (method and request URI)%s - HTTP status code of the response%S - User session ID%t - Date and time, in Common Log Format%u - Remote user that was authenticated (if any), else '-'%U - Requested URL path%v - Local server name%D - Time taken to process the request in millis. Note: In
                    httpd %D is microseconds. Behaviour will be aligned to httpd
                    in Tomcat 10 onwards.%T - Time taken to process the request, in seconds. Note: This
                    value has millisecond resolution whereas in httpd it has
                    second resolution. Behaviour will be align to httpd
                    in Tomcat 10 onwards.%F - Time taken to commit the response, in millis%I - Current request thread name (can compare later with stacktraces) 
    There is also support to write information incoming or outgoing
    headers, cookies, session or request attributes and special
    timestamp formats.
    It is modeled after the
    Apache HTTP Server log configuration
    syntax. Each of them can be used multiple times with different xxxkeys: 
    %{xxx}iwrite value of incoming header with namexxx%{xxx}owrite value of outgoing header with namexxx%{xxx}cwrite value of cookie with namexxx%{xxx}rwrite value of ServletRequest attribute with namexxx%{xxx}swrite value of HttpSession attribute with namexxx%{xxx}pwrite local (server) port (xxx==local) or
        remote (client) port (xxx=remote)%{xxx}twrite timestamp at the end of the request formatted using the
        enhanced SimpleDateFormat patternxxx All formats supported by SimpleDateFormat are allowed in %{xxx}t.
    In addition the following extensions have been added: 
    sec- number of seconds since the epochmsec- number of milliseconds since the epochmsec_frac- millisecond fraction These formats cannot be mixed with SimpleDateFormat formats in the same format
    token. Furthermore one can define whether to log the timestamp for the request start
    time or the response finish time: 
    beginor prefixbegin:chooses
    the request start timeendor prefixend:chooses
    the response finish time By adding multiple %{xxx}ttokens to the pattern, one can
    also log both timestamps. The shorthand pattern pattern="common"corresponds to the Common Log Format defined by
    '%h %l %u %t "%r" %s %b'. The shorthand pattern pattern="combined"appends the values of theRefererandUser-Agentheaders, each in double quotes, to thecommonpattern. When Tomcat is operating behind a reverse proxy, the client information
    logged by the Access Log Valve may represent the reverse proxy, the browser
    or some combination of the two depending on the configuration of Tomcat and
    the reverse proxy. For Tomcat configuration options see
    Proxies Support and the
    Proxy How-To. For reverse proxies that
    use mod_jk, see the generic
    proxy documentation. For other reverse proxies, consult their
    documentation. | 
 | 
 | Extended Access Log Valve |  | 
  | Introduction |  | 
    The Extended Access Log Valve extends the
    Access Log Valve class, and so
    uses the same self-contained logging logic.  This means it
    implements many of the same file handling attributes.  The main
    difference to the standard AccessLogValveis thatExtendedAccessLogValvecreates log files which
    conform to the Working Draft for the
    Extended Log File Format
    defined by the W3C. | 
 | Attributes |  | 
    The Extended Access Log Valve supports all
    configuration attributes of the standard
    Access Log Valve. Only the
    values used for classNameandpatterndiffer. | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.ExtendedAccessLogValve to
        use the extended access log valve. |  | pattern | A formatting layout identifying the various information fields
        from the request and response to be logged.
        See below for more information on configuring this attribute. | 
 Values for the patternattribute are made up of
    format tokens. Some of the tokens need an additional prefix. Possible
    prefixes arecfor "client",sfor "server",csfor "client to server",scfor
    "server to client" orxfor "application specific".
    Furthermore some tokens are completed by an additional selector.
    See the W3C specification
    for more information about the format. The following format tokens are supported: 
    bytes - Bytes sent, excluding HTTP headers, or '-' if zeroc-dns - Remote host name (or IP address if
        enableLookupsfor the connector is false)c-ip - Remote IP addresscs-method - Request method (GET, POST, etc.)cs-uri - Request URIcs-uri-query - Query string (prepended with a '?' if it exists)cs-uri-stem - Requested URL pathdate - The date in yyyy-mm-dd format for GMTs-dns - Local host names-ip - Local IP addresssc-status - HTTP status code of the responsetime - Time the request was served in HH:mm:ss format for GMTtime-taken - Time (in seconds as floating point) taken to serve the requestx-threadname - Current request thread name (can compare later with stacktraces) For any of the x-H(XXX)the following method will be called from the
    HttpServletRequest object: 
    x-H(authType): getAuthTypex-H(characterEncoding): getCharacterEncodingx-H(contentLength): getContentLengthx-H(locale):  getLocalex-H(protocol): getProtocolx-H(remoteUser):  getRemoteUserx-H(requestedSessionId): getRequestedSessionIdx-H(requestedSessionIdFromCookie):
                     isRequestedSessionIdFromCookiex-H(requestedSessionIdValid):
                     isRequestedSessionIdValidx-H(scheme):  getSchemex-H(secure):  isSecure 
    There is also support to write information about headers
    cookies, context, request or session attributes and request
    parameters.
     
    cs(XXX)for incoming request headers with name XXXsc(XXX)for outgoing response headers with name XXXx-A(XXX)for the servlet context attribute with name XXXx-C(XXX)for the first cookie with name XXXx-O(XXX)for a concatenation of all outgoing response headers with name XXXx-P(XXX)for the URL encoded (using UTF-8) request parameter with name XXXx-R(XXX)for the request attribute with name XXXx-S(XXX)for the session attribute with name XXX | 
 | 
 | 
 | Access Control |  | 
| Remote Address Valve |  | 
  | Introduction |  | 
    The Remote Address Valve allows you to compare the
    IP address of the client that submitted this request against one or more
    regular expressions, and either allow the request to continue
    or refuse to process the request from this client.  A Remote Address
    Valve can be associated with any Catalina container
    (Engine, Host, or
    Context), and must accept any request
    presented to this container for processing before it will be passed on. The syntax for regular expressions is different than that for
    'standard' wildcard matching. Tomcat uses the java.util.regexpackage. Please consult the Java documentation for details of the
    expressions supported. Optionally one can append the server connector port separated with a
    semicolon (";") to allow different expressions for each connector. The behavior when a request is refused can be changed
    to not deny but instead set an invalid authenticationheader. This is useful in combination with the context attributepreemptiveAuthentication="true". Note: There is a caveat when using this valve with
    IPv6 addresses. Format of the IP address that this valve is processing
    depends on the API that was used to obtain it. If the address was obtained
    from Java socket using Inet6Address class, its format will be
    x:x:x:x:x:x:x:x. That is, the IP address for localhost
    will be0:0:0:0:0:0:0:1instead of the more widely used::1. Consult your access logs for the actual value. See also: Remote Host Valve,
    Remote IP Valve. | 
 | Attributes |  | 
    The Remote Address Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.RemoteAddrValve. |  | allow | A regular expression (using java.util.regex) that the
        remote client's IP address is compared to.  If this attribute
        is specified, the remote address MUST match for this request to be
        accepted.  If this attribute is not specified, all requests will be
        accepted UNLESS the remote address matches adenypattern. |  | deny | A regular expression (using java.util.regex) that the
        remote client's IP address is compared to.  If this attribute
        is specified, the remote address MUST NOT match for this request to be
        accepted.  If this attribute is not specified, request acceptance is
        governed solely by theallowattribute. |  | denyStatus | HTTP response status code that is used when rejecting denied
        request. The default value is 403. For example,
        it can be set to the value404. |  | addConnectorPort | Append the server connector port to the client IP address separated
        with a semicolon (";"). If this is set to true, the
        expressions configured withallowanddenyis compared againstADDRESS;PORTwhereADDRESSis the client IP address andPORTis the Tomcat connector port which received the
        request. The default value isfalse. |  | invalidAuthenticationWhenDeny | When a request should be denied, do not deny but instead
        set an invalid authenticationheader. This only works
        if the context has the attributepreemptiveAuthentication="true"set. An already existingauthenticationheader will not be
        overwritten. In effect this will trigger authentication instead of deny
        even if the application does not have a security constraint configured. This can be combined with addConnectorPortto trigger authentication
        depending on the client and the connector that is used to access an application. | 
 | 
 | Example 1 |  | 
    To allow access only for the clients connecting from localhost: <Valve className="org.apache.catalina.valves.RemoteAddrValve"
   allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
 | 
 | Example 2 |  | 
    To allow unrestricted access for the clients connecting from localhost
    but for all other clients only to port 8443: <Valve className="org.apache.catalina.valves.RemoteAddrValve"
   addConnectorPort="true"
   allow="127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*|.*;8443"/>
 | 
 | Example 3 |  | 
    To allow unrestricted access to port 8009, but trigger basic
    authentication if the application is accessed on another port: <Context>
  ...
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         addConnectorPort="true"
         invalidAuthenticationWhenDeny="true"
         allow=".*;8009"/>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
  ...
</Context>
 | 
 | 
 | Remote Host Valve |  | 
  | Introduction |  | 
    The Remote Host Valve allows you to compare the
    hostname of the client that submitted this request against one or more
    regular expressions, and either allow the request to continue
    or refuse to process the request from this client.  A Remote Host
    Valve can be associated with any Catalina container
    (Engine, Host, or
    Context), and must accept any request
    presented to this container for processing before it will be passed on. The syntax for regular expressions is different than that for
    'standard' wildcard matching. Tomcat uses the java.util.regexpackage. Please consult the Java documentation for details of the
    expressions supported. Optionally one can append the server connector port separated with a
    semicolon (";") to allow different expressions for each connector. The behavior when a request is refused can be changed
    to not deny but instead set an invalid authenticationheader. This is useful in combination with the context attributepreemptiveAuthentication="true". Note: This valve processes the value returned by
    method ServletRequest.getRemoteHost(). To allow the method
    to return proper host names, you have to enable "DNS lookups" feature on
    a Connector. See also: Remote Address Valve,
    HTTP Connector configuration. | 
 | Attributes |  | 
    The Remote Host Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.RemoteHostValve. |  | allow | A regular expression (using java.util.regex) that the
        remote client's hostname is compared to.  If this attribute
        is specified, the remote hostname MUST match for this request to be
        accepted.  If this attribute is not specified, all requests will be
        accepted UNLESS the remote hostname matches adenypattern. |  | deny | A regular expression (using java.util.regex) that the
        remote client's hostname is compared to.  If this attribute
        is specified, the remote hostname MUST NOT match for this request to be
        accepted.  If this attribute is not specified, request acceptance is
        governed solely by theallowattribute. |  | denyStatus | HTTP response status code that is used when rejecting denied
        request. The default value is 403. For example,
        it can be set to the value404. |  | addConnectorPort | Append the server connector port to the client hostname separated
        with a semicolon (";"). If this is set to true, the
        expressions configured withallowanddenyis compared againstHOSTNAME;PORTwhereHOSTNAMEis the client hostname andPORTis the Tomcat connector port which received the
        request. The default value isfalse. |  | invalidAuthenticationWhenDeny | When a request should be denied, do not deny but instead
        set an invalid authenticationheader. This only works
        if the context has the attributepreemptiveAuthentication="true"set. An already existingauthenticationheader will not be
        overwritten. In effect this will trigger authentication instead of deny
        even if the application does not have a security constraint configured. This can be combined with addConnectorPortto trigger authentication
        depending on the client and the connector that is used to access an application. | 
 | 
 | 
 | Remote CIDR Valve |  | 
  | Introduction |  | 
    The Remote CIDR Valve allows you to compare the
      IP address of the client that submitted this request against one or more
      netmasks following the CIDR notation, and either allow the request to
      continue or refuse to process the request from this client. IPv4 and
      IPv6 are both fully supported. A Remote CIDR Valve can be associated
      with any Catalina container (Engine,
      Host, or Context), and
      must accept any request presented to this container for processing before
      it will be passed on.
     This valve mimicks Apache's Order,Allow fromandDeny fromdirectives,
      with the following limitations: 
      Orderwill always beallow, deny;dotted quad notations for netmasks are not supported (that is, you
        cannot write 192.168.1.0/255.255.255.0, you must write192.168.1.0/24;shortcuts, like 10.10., which is equivalent to10.10.0.0/16, are not supported;as the valve name says, this is a CIDR only valve,
        therefore subdomain notations like .mydomain.comare not
        supported either. Some more features of this valve are:
     
      if you omit the CIDR prefix, this valve becomes a single IP
        valve;unlike the Remote Host Valve,
      it can handle IPv6 addresses in condensed form (::1,fe80::/71, etc). | 
 | Attributes |  | 
    The Remote CIDR Valve supports the following
      configuration attributes: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
          org.apache.catalina.valves.RemoteCIDRValve. |  | allow | A comma-separated list of IPv4 or IPv6 netmasks or addresses
          that the remote client's IP address is matched against.
          If this attribute is specified, the remote address MUST match
          for this request to be accepted. If this attribute is not specified,
          all requests will be accepted UNLESS the remote IP is matched by a
          netmask in the denyattribute. |  | deny | A comma-separated list of IPv4 or IPv6 netmasks or addresses
          that the remote client's IP address is matched against.
          If this attribute is specified, the remote address MUST NOT match
          for this request to be accepted. If this attribute is not specified,
          request acceptance is governed solely by the acceptattribute. | 
 | 
 | Example |  | 
    To allow access only for the clients connecting from localhost: 
      <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
      allow="127.0.0.1, ::1"/>
     | 
 | 
 | 
 | Proxies Support |  | 
| Remote IP Valve |  | 
  | Introduction |  | 
    Tomcat port of
    mod_remoteip,
    this valve replaces the apparent client remote IP address and hostname for
    the request with the IP address list presented by a proxy or a load balancer
    via a request headers (e.g. "X-Forwarded-For"). Another feature of this valve is to replace the apparent scheme
    (http/https), server port and request.securewith the scheme presented
    by a proxy or a load balancer via a request header
    (e.g. "X-Forwarded-Proto"). This Valve may be used at the Engine,HostorContextlevel as required. Normally, this Valve would be used
    at theEnginelevel. If used in conjunction with Remote Address/Host valves then this valve
    should be defined first to ensure that the correct client IP address is
    presented to the Remote Address/Host valves. Note: By default this valve has no effect on the
    values that are written into access log. The original values are restored
    when request processing leaves the valve and that always happens earlier
    than access logging. To pass the remote address, remote host, server port
    and protocol values set by this valve to the access log,
    they are put into request attributes. Publishing these values here
    is enabled by default, but AccessLogValveshould be explicitly
    configured to use them. See documentation forrequestAttributesEnabledattribute ofAccessLogValve. The names of request attributes that are set by this valve
    and can be used by access logging are the following: 
      org.apache.catalina.AccessLog.RemoteAddrorg.apache.catalina.AccessLog.RemoteHostorg.apache.catalina.AccessLog.Protocolorg.apache.catalina.AccessLog.ServerPortorg.apache.tomcat.remoteAddr | 
 | Attributes |  | 
    The Remote IP Valve supports the
    following configuration attributes: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.RemoteIpValve. |  | remoteIpHeader | Name of the HTTP Header read by this valve that holds the list of
        traversed IP addresses starting from the requesting client. If not
        specified, the default of x-forwarded-foris used. |  | internalProxies | Regular expression (using java.util.regex) that a
        proxy's IP address must match to be considered an internal proxy.
        Internal proxies that appear in the remoteIpHeader will
        be trusted and will not appear in the proxiesHeader
        value. If not specified the default value of
        10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
        will be used. |  | proxiesHeader | Name of the HTTP header created by this valve to hold the list of
        proxies that have been processed in the incoming
        remoteIpHeader. If not specified, the default of
        x-forwarded-byis used. |  | requestAttributesEnabled | Set to trueto set the request attributes used by
        AccessLog implementations to override the values returned by the
        request for remote address, remote host, server port and protocol.
        Request attributes are also used to enable the forwarded remote address
        to be displayed on the status page of the Manager web application.
        If not set, the default value oftruewill be used. |  | trustedProxies | Regular expression (using java.util.regex) that a
        proxy's IP address must match to be considered an trusted proxy.
        Trusted proxies that appear in the remoteIpHeader will
        be trusted and will appear in the proxiesHeader value.
        If not specified, no proxies will be trusted. |  | protocolHeader | Name of the HTTP Header read by this valve that holds the protocol
        used by the client to connect to the proxy. If not specified, the
        default of X-Forwarded-Protois used. |  | hostHeader | Name of the HTTP Header read by this valve that holds the host
        used by the client to connect to the proxy. If not specified, the
        default of nullis used. |  | portHeader | Name of the HTTP Header read by this valve that holds the port
        used by the client to connect to the proxy. If not specified, the
        default of nullis used. |  | protocolHeaderHttpsValue | Value of the protocolHeader to indicate that it is
        an HTTPS request. If not specified, the default of httpsis
        used. |  | httpServerPort | Value returned by ServletRequest.getServerPort()when the protocolHeader indicateshttpprotocol and no portHeader is present. If not
         specified, the default of80is used. |  | httpsServerPort | Value returned by ServletRequest.getServerPort()when the protocolHeader indicateshttpsprotocol and no portHeader is present. If not
         specified, the default of443is used. |  | changeLocalHost | If true, the value returned byServletRequest.getLocalHost()andServletRequest.getServerHost()is modified by the this
        valve. If not specified, the default offalseis used. |  | changeLocalPort | If true, the value returned byServletRequest.getLocalPort()andServletRequest.getServerPort()is modified by the this
        valve. If not specified, the default offalseis used. | 
 | 
 | 
 | SSL Valve |  | 
  | Introduction |  | 
    When using mod_proxy_http, the client SSL information is not included in
    the protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL
    information available to Tomcat, some additional configuration is required.
    In httpd, mod_headers is used to add the SSL information as HTTP headers. In
    Tomcat, this valve is used to read the information from the HTTP headers and
    insert it into the request. Note: Ensure that the headers are always set by httpd for all requests to
    prevent a client spoofing SSL information by sending fake headers. To configure httpd to set the necessary headers, add the following: <IfModule ssl_module>
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
  RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
  RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
</IfModule>
 | 
 | Attributes |  | 
    The SSL Valve supports the following configuration
    attribute: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.SSLValve.
         |  | sslClientCertHeader | Allows setting a custom name for the ssl_client_cert header.
        If not specified, the default of ssl_client_certis
        used. |  | sslCipherHeader | Allows setting a custom name for the ssl_cipher header.
        If not specified, the default of ssl_cipheris
        used. |  | sslSessionIdHeader | Allows setting a custom name for the ssl_session_id header.
        If not specified, the default of ssl_session_idis
        used. |  | sslCipherUserKeySizeHeader | Allows setting a custom name for the ssl_cipher_usekeysize header.
        If not specified, the default of ssl_cipher_usekeysizeis
        used. | 
 | 
 | 
 | 
 | Single Sign On Valve |  | 
  | Introduction |  | 
    The Single Sign On Valve is utilized when you wish to give users
    the ability to sign on to any one of the web applications associated with
    your virtual host, and then have their identity recognized by all other
    web applications on the same virtual host. See the Single Sign On special
    feature on the Host element for more information. | 
 | Attributes |  | 
    The Single Sign On Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.authenticator.SingleSignOn. |  | requireReauthentication | Default false. Flag to determine whether each request needs to be
        reauthenticated to the security Realm. If "true", this
        Valve uses cached security credentials (username and password) to
        reauthenticate to the Realm each request associated
        with an SSO session.  If "false", the Valve can itself authenticate
        requests based on the presence of a valid SSO cookie, without
        rechecking with the Realm. |  | cookieDomain | Sets the host domain to be used for sso cookies. | 
 | 
 | 
 | Authentication |  | 
The valves in this section implement
org.apache.catalina.Authenticator interface. | Basic Authenticator Valve |  | 
  | Introduction |  | 
    The Basic Authenticator Valve is automatically added to
    any Context that is configured to use BASIC
    authentication. If any non-default settings are required, the valve may be configured
    within Context element with the required
    values. | 
 | Attributes |  | 
    The Basic Authenticator Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | allowCorsPreflight | Are requests that appear to be CORS preflight requests allowed to
        bypass the authenticator as required by the CORS specification. The
        allowed values are never,filterandalways.nevermeans that a request will never
        bypass authentication even if it appears to be a CORS preflight request.filtermeans that a request will bypass authentication if
        it appears to be a CORS preflight request; it is mapped to a web
        application that has the CORS
        Filter enabled; and the CORS Filter is mapped to/*.alwaysmeans that all requests that appear to be CORS
        preflight requests will bypass authentication. If not set, the default
        value isnever. |  | alwaysUseSession | Should a session always be used once a user is authenticated? This
        may offer some performance benefits since the session can then be used
        to cache the authenticated Principal, hence removing the need to
        authenticate the user via the Realm on every request. This may be of
        help for combinations such as BASIC authentication used with the
        JNDIRealm or DataSourceRealms. However there will also be the
        performance cost of creating and GC'ing the session. If not set, the
        default value of falsewill be used. |  | cache | Should we cache authenticated Principals if the request is part of an
        HTTP session? If not specified, the default value of truewill be used. |  | changeSessionIdOnAuthentication | Controls if the session ID is changed if a session exists at the
        point where users are authenticated. This is to prevent session fixation
        attacks. If not set, the default value of truewill be
        used. |  | charset | Controls if the WWW-AuthenticateHTTP header includes acharsetauthentication parameter as per RFC 7617. The only
        permitted options arenull, the empty string andUTF-8. IfUTF-8is specified then thecharsetauthentication parameter will be sent with that
        value and the provided user name and optional password will be converted
        from bytes to characters using UTF-8. Otherwise, nocharsetauthentication parameter will be sent and the provided user name and
        optional password will be converted from bytes to characters using
        ISO-8859-1. The default value isnull |  | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.authenticator.BasicAuthenticator. |  | disableProxyCaching | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers but will also cause secured pages to be
        cached by proxies which will almost certainly be a security issue.securePagesWithPragmaoffers an alternative, secure,
        workaround for browser caching issues. If not set, the default value oftruewill be used. |  | securePagesWithPragma | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers by usingCache-Control: privaterather than the default ofPragma: No-cacheandCache-control: No-cache.
        If not set, the default value offalsewill be used. |  | secureRandomAlgorithm | Name of the algorithm to use to create the
        java.security.SecureRandominstances that generate session
        IDs. If an invalid algorithm and/or provider is specified, the platform
        default provider and the default algorithm will be used. If not
        specified, the default algorithm of SHA1PRNG will be used. If the
        default algorithm is not supported, the platform default will be used.
        To specify that the platform default should be used, do not set the
        secureRandomProvider attribute and set this attribute to the empty
        string. |  | secureRandomClass | Name of the Java class that extends
        java.security.SecureRandomto use to generate SSO session
        IDs. If not specified, the default value isjava.security.SecureRandom. |  | secureRandomProvider | Name of the provider to use to create the
        java.security.SecureRandominstances that generate SSO
        session IDs. If an invalid algorithm and/or provider is specified, the
        platform default provider and the default algorithm will be used. If not
        specified, the platform default provider will be used. |  | sendAuthInfoResponseHeaders | Controls whether the auth information (remote user and auth type)
        shall be returned as response headers for a forwarded/proxied request.
        When the RemoteIpValveorRemoteIpFiltermark
        a forwarded request with theGlobals.REQUEST_FORWARDED_ATTRIBUTEthis authenticator can return the values ofHttpServletRequest.getRemoteUser()andHttpServletRequest.getAuthType()as response headersremote-userandauth-typeto a reverse proxy.
        This is useful, e.g., for access log consistency or other decisions to make.
        If not specified, the default value isfalse. | 
 | 
 | 
 | Digest Authenticator Valve |  | 
  | Introduction |  | 
    The Digest Authenticator Valve is automatically added to
    any Context that is configured to use DIGEST
    authentication. If any non-default settings are required, the valve may be configured
    within Context element with the required
    values. | 
 | Attributes |  | 
    The Digest Authenticator Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | allowCorsPreflight | Are requests that appear to be CORS preflight requests allowed to
        bypass the authenticator as required by the CORS specification. The
        allowed values are never,filterandalways.nevermeans that a request will never
        bypass authentication even if it appears to be a CORS preflight request.filtermeans that a request will bypass authentication if
        it appears to be a CORS preflight request; it is mapped to a web
        application that has the CORS
        Filter enabled; and the CORS Filter is mapped to/*.alwaysmeans that all requests that appear to be CORS
        preflight requests will bypass authentication. If not set, the default
        value isnever. |  | alwaysUseSession | Should a session always be used once a user is authenticated? This
        may offer some performance benefits since the session can then be used
        to cache the authenticated Principal, hence removing the need to
        authenticate the user via the Realm on every request. This may be of
        help for combinations such as BASIC authentication used with the
        JNDIRealm or DataSourceRealms. However there will also be the
        performance cost of creating and GC'ing the session. If not set, the
        default value of falsewill be used. |  | cache | Should we cache authenticated Principals if the request is part of an
        HTTP session? If not specified, the default value of falsewill be used. |  | changeSessionIdOnAuthentication | Controls if the session ID is changed if a session exists at the
        point where users are authenticated. This is to prevent session fixation
        attacks. If not set, the default value of truewill be
        used. |  | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.authenticator.DigestAuthenticator. |  | disableProxyCaching | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers but will also cause secured pages to be
        cached by proxies which will almost certainly be a security issue.securePagesWithPragmaoffers an alternative, secure,
        workaround for browser caching issues. If not set, the default value oftruewill be used. |  | key | The secret key used by digest authentication. If not set, a secure
        random value is generated. This should normally only be set when it is
        necessary to keep key values constant either across server restarts
        and/or across a cluster. |  | nonceCacheSize | To protect against replay attacks, the DIGEST authenticator tracks
        server nonce and nonce count values. This attribute controls the size
        of that cache. If not specified, the default value of 1000 is used. |  | nonceCountWindowSize | Client requests may be processed out of order which in turn means
        that the nonce count values may be processed out of order. To prevent
        authentication failures when nonce counts are presented out of order
        the authenticator tracks a window of nonce count values. This attribute
        controls how big that window is. If not specified, the default value of
        100 is used. |  | nonceValidity | The time, in milliseconds, that a server generated nonce will be
        considered valid for use in authentication. If not specified, the
        default value of 300000 (5 minutes) will be used. |  | opaque | The opaque server string used by digest authentication. If not set, a
        random value is generated. This should normally only be set when it is
        necessary to keep opaque values constant either across server restarts
        and/or across a cluster. |  | securePagesWithPragma | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers by usingCache-Control: privaterather than the default ofPragma: No-cacheandCache-control: No-cache.
        If not set, the default value offalsewill be used. |  | secureRandomAlgorithm | Name of the algorithm to use to create the
        java.security.SecureRandominstances that generate session
        IDs. If an invalid algorithm and/or provider is specified, the platform
        default provider and the default algorithm will be used. If not
        specified, the default algorithm of SHA1PRNG will be used. If the
        default algorithm is not supported, the platform default will be used.
        To specify that the platform default should be used, do not set the
        secureRandomProvider attribute and set this attribute to the empty
        string. |  | secureRandomClass | Name of the Java class that extends
        java.security.SecureRandomto use to generate SSO session
        IDs. If not specified, the default value isjava.security.SecureRandom. |  | secureRandomProvider | Name of the provider to use to create the
        java.security.SecureRandominstances that generate SSO
        session IDs. If an invalid algorithm and/or provider is specified, the
        platform default provider and the default algorithm will be used. If not
        specified, the platform default provider will be used. |  | sendAuthInfoResponseHeaders | Controls whether the auth information (remote user and auth type)
        shall be returned as response headers for a forwarded/proxied request.
        When the RemoteIpValveorRemoteIpFiltermark
        a forwarded request with theGlobals.REQUEST_FORWARDED_ATTRIBUTEthis authenticator can return the values ofHttpServletRequest.getRemoteUser()andHttpServletRequest.getAuthType()as response headersremote-userandauth-typeto a reverse proxy.
        This is useful, e.g., for access log consistency or other decisions to make.
        If not specified, the default value isfalse. |  | validateUri | Should the URI be validated as required by RFC2617? If not specified,
        the default value of truewill be used. This should
        normally only be set when Tomcat is located behind a reverse proxy and
        the proxy is modifying the URI passed to Tomcat such that DIGEST
        authentication always fails. | 
 | 
 | 
 | Form Authenticator Valve |  | 
  | Introduction |  | 
    The Form Authenticator Valve is automatically added to
    any Context that is configured to use FORM
    authentication. If any non-default settings are required, the valve may be configured
    within Context element with the required
    values. | 
 | Attributes |  | 
    The Form Authenticator Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | allowCorsPreflight | Are requests that appear to be CORS preflight requests allowed to
        bypass the authenticator as required by the CORS specification. The
        allowed values are never,filterandalways.nevermeans that a request will never
        bypass authentication even if it appears to be a CORS preflight request.filtermeans that a request will bypass authentication if
        it appears to be a CORS preflight request; it is mapped to a web
        application that has the CORS
        Filter enabled; and the CORS Filter is mapped to/*.alwaysmeans that all requests that appear to be CORS
        preflight requests will bypass authentication. If not set, the default
        value isnever. |  | changeSessionIdOnAuthentication | Controls if the session ID is changed if a session exists at the
        point where users are authenticated. This is to prevent session fixation
        attacks. If not set, the default value of truewill be
        used. |  | characterEncoding | Character encoding to use to read the username and password parameters
        from the request. If not set, the encoding of the request body will be
        used. |  | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.authenticator.FormAuthenticator. |  | disableProxyCaching | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers but will also cause secured pages to be
        cached by proxies which will almost certainly be a security issue.securePagesWithPragmaoffers an alternative, secure,
        workaround for browser caching issues. If not set, the default value oftruewill be used. |  | landingPage | Controls the behavior of the FORM authentication process if the
        process is misused, for example by directly requesting the login page
        or delaying logging in for so long that the session expires. If this
        attribute is set, rather than returning an error response code, Tomcat
        will redirect the user to the specified landing page if the login form
        is submitted with valid credentials. For the login to be processed, the
        landing page must be a protected resource (i.e. one that requires
        authentication). If the landing page does not require authentication
        then the user will not be logged in and will be prompted for their
        credentials again when they access a protected page. |  | securePagesWithPragma | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers by usingCache-Control: privaterather than the default ofPragma: No-cacheandCache-control: No-cache.
        If not set, the default value offalsewill be used. |  | secureRandomAlgorithm | Name of the algorithm to use to create the
        java.security.SecureRandominstances that generate session
        IDs. If an invalid algorithm and/or provider is specified, the platform
        default provider and the default algorithm will be used. If not
        specified, the default algorithm of SHA1PRNG will be used. If the
        default algorithm is not supported, the platform default will be used.
        To specify that the platform default should be used, do not set the
        secureRandomProvider attribute and set this attribute to the empty
        string. |  | secureRandomClass | Name of the Java class that extends
        java.security.SecureRandomto use to generate SSO session
        IDs. If not specified, the default value isjava.security.SecureRandom. |  | secureRandomProvider | Name of the provider to use to create the
        java.security.SecureRandominstances that generate SSO
        session IDs. If an invalid algorithm and/or provider is specified, the
        platform default provider and the default algorithm will be used. If not
        specified, the platform default provider will be used. |  | sendAuthInfoResponseHeaders | Controls whether the auth information (remote user and auth type)
        shall be returned as response headers for a forwarded/proxied request.
        When the RemoteIpValveorRemoteIpFiltermark
        a forwarded request with theGlobals.REQUEST_FORWARDED_ATTRIBUTEthis authenticator can return the values ofHttpServletRequest.getRemoteUser()andHttpServletRequest.getAuthType()as response headersremote-userandauth-typeto a reverse proxy.
        This is useful, e.g., for access log consistency or other decisions to make.
        If not specified, the default value isfalse. | 
 | 
 | 
 | SSL Authenticator Valve |  | 
  | Introduction |  | 
    The SSL Authenticator Valve is automatically added to
    any Context that is configured to use SSL
    authentication. If any non-default settings are required, the valve may be configured
    within Context element with the required
    values. | 
 | Attributes |  | 
    The SSL Authenticator Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | allowCorsPreflight | Are requests that appear to be CORS preflight requests allowed to
        bypass the authenticator as required by the CORS specification. The
        allowed values are never,filterandalways.nevermeans that a request will never
        bypass authentication even if it appears to be a CORS preflight request.filtermeans that a request will bypass authentication if
        it appears to be a CORS preflight request; it is mapped to a web
        application that has the CORS
        Filter enabled; and the CORS Filter is mapped to/*.alwaysmeans that all requests that appear to be CORS
        preflight requests will bypass authentication. If not set, the default
        value isnever. |  | cache | Should we cache authenticated Principals if the request is part of an
        HTTP session? If not specified, the default value of truewill be used. |  | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.authenticator.SSLAuthenticator. |  | changeSessionIdOnAuthentication | Controls if the session ID is changed if a session exists at the
        point where users are authenticated. This is to prevent session fixation
        attacks. If not set, the default value of truewill be
        used. |  | disableProxyCaching | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers but will also cause secured pages to be
        cached by proxies which will almost certainly be a security issue.securePagesWithPragmaoffers an alternative, secure,
        workaround for browser caching issues. If not set, the default value oftruewill be used. |  | securePagesWithPragma | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers by usingCache-Control: privaterather than the default ofPragma: No-cacheandCache-control: No-cache.
        If not set, the default value offalsewill be used. |  | secureRandomAlgorithm | Name of the algorithm to use to create the
        java.security.SecureRandominstances that generate session
        IDs. If an invalid algorithm and/or provider is specified, the platform
        default provider and the default algorithm will be used. If not
        specified, the default algorithm of SHA1PRNG will be used. If the
        default algorithm is not supported, the platform default will be used.
        To specify that the platform default should be used, do not set the
        secureRandomProvider attribute and set this attribute to the empty
        string. |  | secureRandomClass | Name of the Java class that extends
        java.security.SecureRandomto use to generate SSO session
        IDs. If not specified, the default value isjava.security.SecureRandom. |  | secureRandomProvider | Name of the provider to use to create the
        java.security.SecureRandominstances that generate SSO
        session IDs. If an invalid algorithm and/or provider is specified, the
        platform default provider and the default algorithm will be used. If not
        specified, the platform default provider will be used. | 
 | 
 | 
 | SPNEGO Valve |  | 
  | Introduction |  | 
    The SPNEGO Authenticator Valve is automatically added to
    any Context that is configured to use SPNEGO
    authentication. If any non-default settings are required, the valve may be configured
    within Context element with the required
    values. | 
 | Attributes |  | 
    The SPNEGO Authenticator Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | allowCorsPreflight | Are requests that appear to be CORS preflight requests allowed to
        bypass the authenticator as required by the CORS specification. The
        allowed values are never,filterandalways.nevermeans that a request will never
        bypass authentication even if it appears to be a CORS preflight request.filtermeans that a request will bypass authentication if
        it appears to be a CORS preflight request and the web application the
        request maps to has the CORS
        Filter enabled and mapped to/*.alwaysmeans that all requests that appear to be CORS preflight requests will
        bypass authentication. If not set, the default value isnever. |  | alwaysUseSession | Should a session always be used once a user is authenticated? This
        may offer some performance benefits since the session can then be used
        to cache the authenticated Principal, hence removing the need to
        authenticate the user on every request. This will also help with clients
        that assume that the server will cache the authenticated user. However
        there will also be the performance cost of creating and GC'ing the
        session. For an alternative solution see
        noKeepAliveUserAgents. If not set, the default value offalsewill be used. |  | applyJava8u40Fix | A fix introduced in Java 8 update 40 (
        JDK-8048194)
        onwards broke SPNEGO authentication for IE with Tomcat running on
        Windows 2008 R2 servers. This option enables a work-around that allows
        SPNEGO authentication to continue working. The work-around should not
        impact other configurations so it is enabled by default. If necessary,
        the workaround can be disabled by setting this attribute to
        false. |  | cache | Should we cache authenticated Principals if the request is part of an
        HTTP session? If not specified, the default value of truewill be used. |  | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.authenticator.SpnegoAuthenticator.
         |  | changeSessionIdOnAuthentication | Controls if the session ID is changed if a session exists at the
        point where users are authenticated. This is to prevent session fixation
        attacks. If not set, the default value of truewill be
        used. |  | disableProxyCaching | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers but will also cause secured pages to be
        cached by proxies which will almost certainly be a security issue.securePagesWithPragmaoffers an alternative, secure,
        workaround for browser caching issues. If not set, the default value oftruewill be used. |  | loginConfigName | The name of the JAAS login configuration to be used to login as the
        service. If not specified, the default of
        com.sun.security.jgss.krb5.acceptis used. |  | noKeepAliveUserAgents | Some clients (not most browsers) expect the server to cache the
        authenticated user information for a connection and do not resend the
        credentials with every request. Tomcat will not do this unless an HTTP
        session is available. A session will be available if either the
        application creates one or if alwaysUseSessionis enabled
        for this Authenticator. As an alternative to creating a session, this attribute may be used
        to define the user agents for which HTTP keep-alive is disabled. This
        means that a connection will only used for a single request and hence
        there is no ability to cache authenticated user information per
        connection. There will be a performance cost in disabling HTTP
        keep-alive. The attribute should be a regular expression that matches the entire
        user-agent string, e.g. .*Chrome.*. If not specified, no
        regular expression will be defined and no user agents will have HTTP
        keep-alive disabled. |  | securePagesWithPragma | Controls the caching of pages that are protected by security
        constraints. Setting this to falsemay help work around
        caching issues in some browsers by usingCache-Control: privaterather than the default ofPragma: No-cacheandCache-control: No-cache.
        If not set, the default value offalsewill be used. |  | secureRandomAlgorithm | Name of the algorithm to use to create the
        java.security.SecureRandominstances that generate session
        IDs. If an invalid algorithm and/or provider is specified, the platform
        default provider and the default algorithm will be used. If not
        specified, the default algorithm of SHA1PRNG will be used. If the
        default algorithm is not supported, the platform default will be used.
        To specify that the platform default should be used, do not set the
        secureRandomProvider attribute and set this attribute to the empty
        string. |  | secureRandomClass | Name of the Java class that extends
        java.security.SecureRandomto use to generate SSO session
        IDs. If not specified, the default value isjava.security.SecureRandom. |  | secureRandomProvider | Name of the provider to use to create the
        java.security.SecureRandominstances that generate SSO
        session IDs. If an invalid algorithm and/or provider is specified, the
        platform default provider and the default algorithm will be used. If not
        specified, the platform default provider will be used. |  | sendAuthInfoResponseHeaders | Controls whether the auth information (remote user and auth type)
        shall be returned as response headers for a forwarded/proxied request.
        When the RemoteIpValveorRemoteIpFiltermark
        a forwarded request with theGlobals.REQUEST_FORWARDED_ATTRIBUTEthis authenticator can return the values ofHttpServletRequest.getRemoteUser()andHttpServletRequest.getAuthType()as response headersremote-userandauth-typeto a reverse proxy.
        This is useful, e.g., for access log consistency or other decisions to make.
        If not specified, the default value isfalse. |  | storeDelegatedCredential | Controls if the user' delegated credential will be stored in
        the user Principal. If available, the delegated credential will be
        available to applications (e.g. for onward authentication to external
        services) via the org.apache.catalina.realm.GSS_CREDENTIALrequest attribute. If not set, the default value oftruewill be used. | 
 | 
 | 
 | 
 | Error Report Valve |  | 
  | Introduction |  | 
    The Error Report Valve is a simple error handler
    for HTTP status codes that will generate and return HTML error pages. NOTE: Disabling both showServerInfo and showReport will
    only return the HTTP status code. | 
 | Attributes |  | 
    The Error Report Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.ErrorReportValve to use the
        default error report valve. |  | showReport | Flag to determine if the error report (custom error message and/or
           stack trace) is presented when an error occurs. If set to
           false, then the error report is not returned in the HTML
           response.
           Default value:true |  | showServerInfo | Flag to determine if server information is presented when an error
           occurs. If set to false, then the server version is not
           returned in the HTML response.
           Default value:true | 
 | 
 | 
 | Crawler Session Manager Valve |  | 
  | Introduction |  | 
    Web crawlers can trigger the creation of many thousands of sessions as
    they crawl a site which may result in significant memory consumption. This
    Valve ensures that crawlers are associated with a single session - just like
    normal users - regardless of whether or not they provide a session token
    with their requests. This Valve may be used at the Engine,HostorContextlevel as required. Normally, this Valve would be used
    at theEnginelevel. If used in conjunction with Remote IP valve then the Remote IP valve
    should be defined before this valve to ensure that the correct client IP
    address is presented to this valve. | 
 | Attributes |  | 
    The Crawler Session Manager Valve supports the
    following configuration attributes: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.CrawlerSessionManagerValve.
         |  | contextAware | Flag to use the context name together with the client IP to
        identify the session to re-use. Can be combined with hostAware.
        Default value:true |  | crawlerIps | Regular expression (using java.util.regex) that client
        IP is matched against to determine if a request is from a web crawler.
        By default such regular expression is not set. |  | crawlerUserAgents | Regular expression (using java.util.regex) that the user
        agent HTTP request header is matched against to determine if a request
        is from a web crawler. If not set, the default of.*[bB]ot.*|.*Yahoo! Slurp.*|.*Feedfetcher-Google.*is used. |  | hostAware | Flag to use the configured host together with the client IP to
        identify the session to re-use. Can be combined with contextAware.
        Default value:true |  | sessionInactiveInterval | The minimum time in seconds that the Crawler Session Manager Valve
        should keep the mapping of client IP to session ID in memory without any
        activity from the client. The client IP / session cache will be
        periodically purged of mappings that have been inactive for longer than
        this interval. If not specified the default value of 60will be used. | 
 | 
 | 
 | Stuck Thread Detection Valve |  | 
  | Introduction |  | 
    This valve allows to detect requests that take a long time to process,
    which might indicate that the thread that is processing it is stuck.
    Additionally it can optionally interrupt such threads to try and unblock
    them. When such a request is detected, the current stack trace of its thread is
    written to Tomcat log with a WARN level. The IDs and names of the stuck threads are available through JMX in the
    stuckThreadIdsandstuckThreadNamesattributes.
    The IDs can be used with the standard Threading JVM MBean
    (java.lang:type=Threading) to retrieve other information
    about each stuck thread. | 
 | Attributes |  | 
    The Stuck Thread Detection Valve supports the
    following configuration attributes: | Attribute | Description | 
|---|
 | className | Java class name of the implementation to use.  This MUST be set to
        org.apache.catalina.valves.StuckThreadDetectionValve.
         |  | threshold | Minimum duration in seconds after which a thread is considered stuck.
        Default is 600 seconds. If set to 0, the detection is disabled. Note: since the detection (and optional interruption) is done in the
        background thread of the Container (Engine, Host or Context) declaring
        this Valve, the threshold should be higher than the
        backgroundProcessorDelayof this Container. |  | interruptThreadThreshold | Minimum duration in seconds after which a stuck thread should be
        interrupted to attempt to "free" it. Note that there's no guarantee that the thread will get unstuck.
        This usually works well for threads stuck on I/O or locks, but is
        probably useless in case of infinite loops. Default is -1 which disables the feature. To enable it, the value
        must be greater or equal to threshold. | 
 | 
 | 
 | Semaphore Valve |  | 
  | Introduction |  | 
    The Semaphore Valve is able to limit the number of
    concurrent request processing threads. org.apache.catalina.valves.SemaphoreValve provides
    methods which may be overridden by a subclass to customize behavior: 
    controlConcurrencymay be overridden to add
    conditions;permitDeniedmay be overridden to add error handling
    when a permit isn't granted. | 
 | Attributes |  | 
    The Semaphore Valve supports the following
    configuration attributes: | Attribute | Description | 
|---|
 | block | Flag to determine if a thread is blocked until a permit is available.
        The default value is true. |  | className | Java class name of the implementation to use. This MUST be set to
        org.apache.catalina.valves.SemaphoreValve. |  | concurrency | Concurrency level of the semaphore. The default value is
        10. |  | fairness | Fairness of the semaphore. The default value is
        false. |  | interruptible | Flag to determine if a thread may be interrupted until a permit is
        available. The default value is false. | 
 | 
 | 
 |