Package org.apache.catalina.valves
Class RequestFilterValve
java.lang.Object
org.apache.catalina.util.LifecycleBase
org.apache.catalina.util.LifecycleMBeanBase
org.apache.catalina.valves.ValveBase
org.apache.catalina.valves.RequestFilterValve
- All Implemented Interfaces:
- MBeanRegistration,- Contained,- JmxEnabled,- Lifecycle,- Valve
- Direct Known Subclasses:
- RemoteAddrValve,- RemoteCIDRValve,- RemoteHostValve
Implementation of a Valve that performs filtering based on comparing the appropriate request property (selected based
 on which subclass you choose to configure into your Container's pipeline) against the regular expressions configured
 for this Valve.
 
 This valve is configured by setting the allow and/or deny properties to a regular
 expressions (in the syntax supported by Pattern) to which the appropriate request property will be compared.
 Evaluation proceeds as follows:
 
- The subclass extracts the request property to be filtered, and calls the common process()method.
- If there is a deny expression configured, the property will be compared to the expression. If a match is found, this request will be rejected with a "Forbidden" HTTP response.
- If there is a allow expression configured, the property will be compared to each such expression. If a match is found, this request will be allowed to pass through to the next Valve in the current pipeline.
- If a deny expression was specified but no allow expression, allow this request to pass through (because none of the deny expressions matched it).
- The request will be rejected with a "Forbidden" HTTP response.
 As an option the valve can generate an invalid authenticate header instead of denying the request. This
 can be combined with the context attribute preemptiveAuthentication="true" and an authenticator to force
 authentication instead of denial.
 
This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.
- Author:
- Craig R. McClanahan
- 
Nested Class SummaryNested classes/interfaces inherited from interface org.apache.catalina.LifecycleLifecycle.SingleUse
- 
Field SummaryFieldsModifier and TypeFieldDescriptionprotected PatternThe regular expression used to test for allowed requests.protected booleanHelper variable to catch configuration errors.protected StringThe current allow configuration value that may or may not compile into a validPattern.protected PatternThe regular expression used to test for denied requests.protected intThe HTTP response status code that is used when rejecting denied request.protected booleanHelper variable to catch configuration errors.protected StringThe current deny configuration value that may or may not compile into a validPattern.Fields inherited from class org.apache.catalina.valves.ValveBaseasyncSupported, container, containerLog, next, smFields inherited from interface org.apache.catalina.LifecycleAFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
- 
Constructor SummaryConstructors
- 
Method SummaryModifier and TypeMethodDescriptionprotected voiddenyRequest(Request request, Response response) Reject the request that was denied by this valve.booleanGet the flag deciding whether we add the server connector port to the property compared in the filtering method.getAllow()Return the regular expression used to test for allowed requests for this Valve, if any; otherwise, returnnull.getDeny()Return the regular expression used to test for denied requests for this Valve, if any; otherwise, returnnull.intbooleanprotected abstract LoggetLog()booleanGet the flag deciding whether we use the connection peer address or the remote address.protected voidSub-classes wishing to perform additional initialization should override this method, ensuring that super.initInternal() is the first call in the overriding method.abstract voidExtract the desired request property, and pass it (along with the specified request and response objects) to the protectedprocess()method to perform the actual filtering.booleanPerform the test implemented by this Valve, matching against the specified request property value.final booleanReturnsfalseif the last change to theallowpattern did not apply successfully.final booleanReturnsfalseif the last change to thedenypattern did not apply successfully.protected voidPerform the filtering that has been configured for this Valve, matching against the specified request property.voidsetAddConnectorPort(boolean addConnectorPort) Set the flag deciding whether we add the server connector port to the property compared in the filtering method.voidSet the regular expression used to test for allowed requests for this Valve, if any.voidSet the regular expression used to test for denied requests for this Valve, if any.voidsetDenyStatus(int denyStatus) Set response status code that is used to reject denied request.voidsetInvalidAuthenticationWhenDeny(boolean value) Set invalidAuthenticationWhenDeny property.voidsetUsePeerAddress(boolean usePeerAddress) Set the flag deciding whether we use the connection peer address or the remote address.protected voidStart this component and implement the requirements ofLifecycleBase.startInternal().Methods inherited from class org.apache.catalina.valves.ValveBasebackgroundProcess, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, isAsyncSupported, setAsyncSupported, setContainer, setNext, stopInternal, toStringMethods inherited from class org.apache.catalina.util.LifecycleMBeanBasedestroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregisterMethods inherited from class org.apache.catalina.util.LifecycleBaseaddLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
- 
Field Details- 
allowThe regular expression used to test for allowed requests.
- 
allowValueThe current allow configuration value that may or may not compile into a validPattern.
- 
allowValidprotected volatile boolean allowValidHelper variable to catch configuration errors. It istrueby default, but becomesfalseif there was an attempt to assign an invalid value to theallowpattern.
- 
denyThe regular expression used to test for denied requests.
- 
denyValueThe current deny configuration value that may or may not compile into a validPattern.
- 
denyValidprotected volatile boolean denyValidHelper variable to catch configuration errors. It istrueby default, but becomesfalseif there was an attempt to assign an invalid value to thedenypattern.
- 
denyStatusprotected int denyStatusThe HTTP response status code that is used when rejecting denied request. It is 403 by default, but may be changed to be 404.
 
- 
- 
Constructor Details- 
RequestFilterValvepublic RequestFilterValve()
 
- 
- 
Method Details- 
getAllowReturn the regular expression used to test for allowed requests for this Valve, if any; otherwise, returnnull.- Returns:
- the regular expression
 
- 
setAllowSet the regular expression used to test for allowed requests for this Valve, if any.- Parameters:
- allow- The new allow expression
 
- 
getDenyReturn the regular expression used to test for denied requests for this Valve, if any; otherwise, returnnull.- Returns:
- the regular expression
 
- 
setDenySet the regular expression used to test for denied requests for this Valve, if any.- Parameters:
- deny- The new deny expression
 
- 
isAllowValidpublic final boolean isAllowValid()Returnsfalseif the last change to theallowpattern did not apply successfully. E.g. if the pattern is syntactically invalid.- Returns:
- falseif the current pattern is invalid
 
- 
isDenyValidpublic final boolean isDenyValid()Returnsfalseif the last change to thedenypattern did not apply successfully. E.g. if the pattern is syntactically invalid.- Returns:
- falseif the current pattern is invalid
 
- 
getDenyStatuspublic int getDenyStatus()- Returns:
- response status code that is used to reject denied request.
 
- 
setDenyStatuspublic void setDenyStatus(int denyStatus) Set response status code that is used to reject denied request.- Parameters:
- denyStatus- The status code
 
- 
getInvalidAuthenticationWhenDenypublic boolean getInvalidAuthenticationWhenDeny()- Returns:
- trueif a deny is handled by setting an invalid auth header.
 
- 
setInvalidAuthenticationWhenDenypublic void setInvalidAuthenticationWhenDeny(boolean value) Set invalidAuthenticationWhenDeny property.- Parameters:
- value-- trueto handle a deny by setting an invalid auth header
 
- 
getAddConnectorPortpublic boolean getAddConnectorPort()Get the flag deciding whether we add the server connector port to the property compared in the filtering method. The port will be appended using a ";" as a separator.- Returns:
- trueto add the connector port
 
- 
setAddConnectorPortpublic void setAddConnectorPort(boolean addConnectorPort) Set the flag deciding whether we add the server connector port to the property compared in the filtering method. The port will be appended using a ";" as a separator.- Parameters:
- addConnectorPort- The new flag
 
- 
getUsePeerAddresspublic boolean getUsePeerAddress()Get the flag deciding whether we use the connection peer address or the remote address. This makes a dfifference when using AJP or the RemoteIpValve.- Returns:
- trueif we use the connection peer address
 
- 
setUsePeerAddresspublic void setUsePeerAddress(boolean usePeerAddress) Set the flag deciding whether we use the connection peer address or the remote address. This makes a dfifference when using AJP or the RemoteIpValve.- Parameters:
- usePeerAddress- The new flag
 
- 
invokepublic abstract void invoke(Request request, Response response) throws IOException, ServletException Extract the desired request property, and pass it (along with the specified request and response objects) to the protectedprocess()method to perform the actual filtering. This method must be implemented by a concrete subclass.- Parameters:
- request- The servlet request to be processed
- response- The servlet response to be created
- Throws:
- IOException- if an input/output error occurs
- ServletException- if a servlet error occurs
 
- 
initInternalDescription copied from class:LifecycleMBeanBaseSub-classes wishing to perform additional initialization should override this method, ensuring that super.initInternal() is the first call in the overriding method.- Overrides:
- initInternalin class- ValveBase
- Throws:
- LifecycleException- If the initialisation fails
 
- 
startInternalDescription copied from class:ValveBaseStart this component and implement the requirements ofLifecycleBase.startInternal().- Overrides:
- startInternalin class- ValveBase
- Throws:
- LifecycleException- if this component detects a fatal error that prevents this component from being used
 
- 
processprotected void process(String property, Request request, Response response) throws IOException, ServletException Perform the filtering that has been configured for this Valve, matching against the specified request property.- Parameters:
- property- The request property on which to filter
- request- The servlet request to be processed
- response- The servlet response to be processed
- Throws:
- IOException- if an input/output error occurs
- ServletException- if a servlet error occurs
 
- 
getLog
- 
denyRequestReject the request that was denied by this valve.If invalidAuthenticationWhenDenyis true and the context haspreemptiveAuthenticationset, set an invalid authorization header to trigger basic auth.- Parameters:
- request- The servlet request to be processed
- response- The servlet response to be processed
- Throws:
- IOException- if an input/output error occurs
- ServletException- if a servlet error occurs
 
- 
isAllowedPerform the test implemented by this Valve, matching against the specified request property value. This method is public so that it can be called through JMX, e.g. to test whether certain IP address is allowed or denied by the valve configuration.- Parameters:
- property- The request property value on which to filter
- Returns:
- trueif the request is allowed
 
 
-