Package org.apache.catalina.valves
Class RequestFilterValve
- java.lang.Object
  - org.apache.catalina.util.LifecycleBase
    - org.apache.catalina.util.LifecycleMBeanBase
      - org.apache.catalina.valves.ValveBase
        - org.apache.catalina.valves.RequestFilterValve

All Implemented Interfaces:
- javax.management.MBeanRegistration, Contained, JmxEnabled, Lifecycle, Valve

Direct Known Subclasses:
- RemoteAddrValve, RemoteCIDRValve, RemoteHostValve

public abstract class RequestFilterValve extends ValveBase

Implementation of a Valve that performs filtering based on comparing the appropriate request property (selected based on which subclass you choose to configure into your Container's pipeline) against the regular expressions configured for this Valve.

This valve is configured by setting the allow and/or deny properties to a regular expression (in the syntax supported by Pattern) to which the appropriate request property will be compared. Evaluation proceeds as follows:
- The subclass extracts the request property to be filtered, and calls the common process() method.
- If there is a deny expression configured, the property will be compared to the expression. If a match is found, this request will be rejected with a "Forbidden" HTTP response.
- If there is an allow expression configured, the property will be compared to each such expression. If a match is found, this request will be allowed to pass through to the next Valve in the current pipeline.
- If a deny expression was specified but no allow expression, allow this request to pass through (because none of the deny expressions matched it).
- The request will be rejected with a "Forbidden" HTTP response.
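
The evaluation order listed above, as an added Java sketch (not Tomcat's source code). The class name FilterOrderDemo, the static isAllowed helper that takes regex strings, and the sample addresses are constructed for illustration, and full-string matching via Matcher.matches() is an assumption of the sketch. The last configuration shows that a valve with neither pattern set rejects every request.

```java
import java.util.regex.Pattern;

public class FilterOrderDemo {

    // Follows the documented evaluation order. Full-string matching
    // (Matcher.matches()) is an assumption of this sketch.
    static boolean isAllowed(String denyRegex, String allowRegex, String property) {
        Pattern deny = denyRegex == null ? null : Pattern.compile(denyRegex);
        Pattern allow = allowRegex == null ? null : Pattern.compile(allowRegex);

        // Deny is checked first, so a deny match wins over an allow match.
        if (deny != null && deny.matcher(property).matches()) {
            return false;
        }
        // An allow match lets the request through to the next Valve.
        if (allow != null && allow.matcher(property).matches()) {
            return true;
        }
        // Deny-only configuration: anything that was not denied passes.
        if (deny != null && allow == null) {
            return true;
        }
        // Allow configured but not matched, or nothing configured: reject.
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample client addresses.
        String[] clients = {"10.0.0.5", "10.0.0.66", "192.0.2.10"};
        String[][] configs = {
            // {label, deny, allow}
            {"deny only", "10\\.0\\.0\\.66", null},
            {"allow only", null, "10\\.0\\.0\\.\\d+"},
            {"deny + allow", "10\\.0\\.0\\.66", "10\\.0\\.0\\.\\d+"},
            {"neither", null, null},
        };
        for (String[] c : configs) {
            for (String ip : clients) {
                System.out.printf("%-12s %-11s -> %s%n", c[0], ip,
                        isAllowed(c[1], c[2], ip) ? "pass" : "403 Forbidden");
            }
        }
    }
}
```
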
As an option the valve can generate an invalid authenticate header instead of denying the request. This can be combined with the context attribute preemptiveAuthentication="true" and an authenticator to force authentication instead of denial.

This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.

Author:
- Craig R. McClanahan

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle:
- Lifecycle.SingleUse

Field Summary

Fields (Modifier and Type, Field: Description)
- protected java.util.regex.Pattern allow: The regular expression used to test for allowed requests.
- protected boolean allowValid: Helper variable to catch configuration errors.
- protected java.lang.String allowValue: The current allow configuration value that may or may not compile into a valid Pattern.
- protected java.util.regex.Pattern deny: The regular expression used to test for denied requests.
- protected int denyStatus: The HTTP response status code that is used when rejecting a denied request.
- protected boolean denyValid: Helper variable to catch configuration errors.
- protected java.lang.String denyValue: The current deny configuration value that may or may not compile into a valid Pattern.

Fields inherited from class org.apache.catalina.valves.ValveBase:
- asyncSupported, container, containerLog, next, sm

Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase:
- mserver

Fields inherited from interface org.apache.catalina.Lifecycle:
- AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT

Constructor Summary

Constructors (Constructor: Description)
- RequestFilterValve()

Method Summary

Methods (Modifier and Type, Method: Description)
- protected void denyRequest(Request request, Response response): Reject the request that was denied by this valve.
- boolean getAddConnectorPort(): Get the flag deciding whether we add the server connector port to the property compared in the filtering method.
- java.lang.String getAllow(): Return the regular expression used to test for allowed requests for this Valve, if any; otherwise, return null.
- java.lang.String getDeny(): Return the regular expression used to test for denied requests for this Valve, if any; otherwise, return null.
- int getDenyStatus()
- boolean getInvalidAuthenticationWhenDeny()
- protected abstract Log getLog()
- boolean getUsePeerAddress(): Get the flag deciding whether we use the connection peer address or the remote address.
- protected void initInternal(): Sub-classes wishing to perform additional initialization should override this method, ensuring that super.initInternal() is the first call in the overriding method.
- abstract void invoke(Request request, Response response): Extract the desired request property, and pass it (along with the specified request and response objects) to the protected process() method to perform the actual filtering.
- boolean isAllowed(java.lang.String property): Perform the test implemented by this Valve, matching against the specified request property value.
- boolean isAllowValid(): Returns false if the last change to the allow pattern did not apply successfully.
- boolean isDenyValid(): Returns false if the last change to the deny pattern did not apply successfully.
- protected void process(java.lang.String property, Request request, Response response): Perform the filtering that has been configured for this Valve, matching against the specified request property.
- void setAddConnectorPort(boolean addConnectorPort): Set the flag deciding whether we add the server connector port to the property compared in the filtering method.
- void setAllow(java.lang.String allow): Set the regular expression used to test for allowed requests for this Valve, if any.
- void setDeny(java.lang.String deny): Set the regular expression used to test for denied requests for this Valve, if any.
- void setDenyStatus(int denyStatus): Set the response status code that is used to reject a denied request.
- void setInvalidAuthenticationWhenDeny(boolean value): Set invalidAuthenticationWhenDeny property.
- void setUsePeerAddress(boolean usePeerAddress): Set the flag deciding whether we use the connection peer address or the remote address.
- protected void startInternal(): Start this component and implement the requirements of LifecycleBase.startInternal().

Methods inherited from class org.apache.catalina.valves.ValveBase:
- backgroundProcess, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, isAsyncSupported, setAsyncSupported, setContainer, setNext, stopInternal, toString

Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase:
- destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister

Methods inherited from class org.apache.catalina.util.LifecycleBase:
- addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop

Field Detail

allow
protected volatile java.util.regex.Pattern allow
The regular expression used to test for allowed requests.

allowValue
protected volatile java.lang.String allowValue
The current allow configuration value that may or may not compile into a valid Pattern.

allowValid
protected volatile boolean allowValid
Helper variable to catch configuration errors. It is true by default, but becomes false if there was an attempt to assign an invalid value to the allow pattern.

deny
protected volatile java.util.regex.Pattern deny
The regular expression used to test for denied requests.

denyValue
protected volatile java.lang.String denyValue
The current deny configuration value that may or may not compile into a valid Pattern.

denyValid
protected volatile boolean denyValid
Helper variable to catch configuration errors. It is true by default, but becomes false if there was an attempt to assign an invalid value to the deny pattern.

denyStatus
protected int denyStatus
The HTTP response status code that is used when rejecting a denied request. It is 403 by default, but may be changed to be 404.

Method Detail

getAllow
public java.lang.String getAllow()
Return the regular expression used to test for allowed requests for this Valve, if any; otherwise, return null.
- Returns: the regular expression

setAllow
public void setAllow(java.lang.String allow)
Set the regular expression used to test for allowed requests for this Valve, if any.
- Parameters:
  - allow - The new allow expression

getDeny
public java.lang.String getDeny()
Return the regular expression used to test for denied requests for this Valve, if any; otherwise, return null.
- Returns: the regular expression

setDeny
public void setDeny(java.lang.String deny)
Set the regular expression used to test for denied requests for this Valve, if any.
- Parameters:
  - deny - The new deny expression

isAllowValid
public final boolean isAllowValid()
Returns false if the last change to the allow pattern did not apply successfully. E.g. if the pattern is syntactically invalid.
- Returns: false if the current pattern is invalid

isDenyValid
public final boolean isDenyValid()
Returns false if the last change to the deny pattern did not apply successfully. E.g. if the pattern is syntactically invalid.
- Returns: false if the current pattern is invalid

getDenyStatus
public int getDenyStatus()
- Returns: the response status code that is used to reject a denied request.

setDenyStatus
public void setDenyStatus(int denyStatus)
Set the response status code that is used to reject a denied request.
- Parameters:
  - denyStatus - The status code

getInvalidAuthenticationWhenDeny
public boolean getInvalidAuthenticationWhenDeny()
- Returns: true if a deny is handled by setting an invalid auth header.

setInvalidAuthenticationWhenDeny
public void setInvalidAuthenticationWhenDeny(boolean value)
Set invalidAuthenticationWhenDeny property.
- Parameters:
  - value - true to handle a deny by setting an invalid auth header

getAddConnectorPort
public boolean getAddConnectorPort()
Get the flag deciding whether we add the server connector port to the property compared in the filtering method. The port will be appended using a ";" as a separator.
- Returns: true to add the connector port

setAddConnectorPort
public void setAddConnectorPort(boolean addConnectorPort)
Set the flag deciding whether we add the server connector port to the property compared in the filtering method. The port will be appended using a ";" as a separator.
- Parameters:
  - addConnectorPort - The new flag

getUsePeerAddress
public boolean getUsePeerAddress()
Get the flag deciding whether we use the connection peer address or the remote address. This makes a difference when using AJP or the RemoteIpValve.
- Returns: true if we use the connection peer address

setUsePeerAddress
public void setUsePeerAddress(boolean usePeerAddress)
Set the flag deciding whether we use the connection peer address or the remote address. This makes a difference when using AJP or the RemoteIpValve.
- Parameters:
  - usePeerAddress - The new flag

invoke
public abstract void invoke(Request request, Response response) throws java.io.IOException, ServletException
Extract the desired request property, and pass it (along with the specified request and response objects) to the protected process() method to perform the actual filtering. This method must be implemented by a concrete subclass.
- Parameters:
  - request - The servlet request to be processed
  - response - The servlet response to be created
- Throws:
  - java.io.IOException - if an input/output error occurs
  - ServletException - if a servlet error occurs

initInternal
protected void initInternal() throws LifecycleException
Description copied from class: LifecycleMBeanBase
Sub-classes wishing to perform additional initialization should override this method, ensuring that super.initInternal() is the first call in the overriding method.
- Overrides: initInternal in class ValveBase
- Throws:
  - LifecycleException - If the initialisation fails

startInternal
protected void startInternal() throws LifecycleException
Description copied from class: ValveBase
Start this component and implement the requirements of LifecycleBase.startInternal().
- Overrides: startInternal in class ValveBase
- Throws:
  - LifecycleException - if this component detects a fatal error that prevents this component from being used

process
protected void process(java.lang.String property, Request request, Response response) throws java.io.IOException, ServletException
Perform the filtering that has been configured for this Valve, matching against the specified request property.
- Parameters:
  - property - The request property on which to filter
  - request - The servlet request to be processed
  - response - The servlet response to be processed
- Throws:
  - java.io.IOException - if an input/output error occurs
  - ServletException - if a servlet error occurs

getLog
protected abstract Log getLog()

denyRequest
protected void denyRequest(Request request, Response response) throws java.io.IOException, ServletException
Reject the request that was denied by this valve. If invalidAuthenticationWhenDeny is true and the context has preemptiveAuthentication set, set an invalid authorization header to trigger basic auth.
- Parameters:
  - request - The servlet request to be processed
  - response - The servlet response to be processed
- Throws:
  - java.io.IOException - if an input/output error occurs
  - ServletException - if a servlet error occurs

isAllowed
public boolean isAllowed(java.lang.String property)
Perform the test implemented by this Valve, matching against the specified request property value. This method is public so that it can be called through JMX, e.g. to test whether a certain IP address is allowed or denied by the valve configuration.
- Parameters:
  - property - The request property value on which to filter
- Returns: true if the request is allowed