Package org.apache.catalina.valves

Class RequestFilterValve

  • All Implemented Interfaces:
    javax.management.MBeanRegistration, Contained, JmxEnabled, Lifecycle, Valve
    Direct Known Subclasses:
    RemoteAddrValve, RemoteCIDRValve, RemoteHostValve
    public abstract class RequestFilterValve
extends ValveBase
    Implementation of a Valve that performs filtering based on comparing the appropriate request property (selected based on which subclass you choose to configure into your Container's pipeline) against the regular expressions configured for this Valve.

    This valve is configured by setting the allow and/or deny properties to a regular expressions (in the syntax supported by Pattern) to which the appropriate request property will be compared. Evaluation proceeds as follows:

    • The subclass extracts the request property to be filtered, and calls the common process() method.
    • If there is a deny expression configured, the property will be compared to the expression. If a match is found, this request will be rejected with a "Forbidden" HTTP response.
    • If there is a allow expression configured, the property will be compared to each such expression. If a match is found, this request will be allowed to pass through to the next Valve in the current pipeline.
    • If a deny expression was specified but no allow expression, allow this request to pass through (because none of the deny expressions matched it).
    • The request will be rejected with a "Forbidden" HTTP response.

    As an option the valve can generate an invalid authenticate header instead of denying the request. This can be combined with the context attribute preemptiveAuthentication="true" and an authenticator to force authentication instead of denial.

    This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.

    Author:
    Craig R. McClanahan

    • Field Detail

      • allow

        protected volatile java.util.regex.Pattern allow
        The regular expression used to test for allowed requests.

      • allowValue

        protected volatile java.lang.String allowValue
        The current allow configuration value that may or may not compile into a valid Pattern.

      • allowValid

        protected volatile boolean allowValid
        Helper variable to catch configuration errors. It is true by default, but becomes false if there was an attempt to assign an invalid value to the allow pattern.

      • deny

        protected volatile java.util.regex.Pattern deny
        The regular expression used to test for denied requests.

      • denyValue

        protected volatile java.lang.String denyValue
        The current deny configuration value that may or may not compile into a valid Pattern.

      • denyValid

        protected volatile boolean denyValid
        Helper variable to catch configuration errors. It is true by default, but becomes false if there was an attempt to assign an invalid value to the deny pattern.

      • denyStatus

        protected int denyStatus
        The HTTP response status code that is used when rejecting denied request. It is 403 by default, but may be changed to be 404.

    • Constructor Detail

      • RequestFilterValve

        public RequestFilterValve()

    • Method Detail

      • getAllow

        public java.lang.String getAllow()
        Return the regular expression used to test for allowed requests for this Valve, if any; otherwise, return null.
        Returns:
        the regular expression

      • setAllow

        public void setAllow​(java.lang.String allow)
        Set the regular expression used to test for allowed requests for this Valve, if any.
        Parameters:
        allow - The new allow expression

      • getDeny

        public java.lang.String getDeny()
        Return the regular expression used to test for denied requests for this Valve, if any; otherwise, return null.
        Returns:
        the regular expression

      • setDeny

        public void setDeny​(java.lang.String deny)
        Set the regular expression used to test for denied requests for this Valve, if any.
        Parameters:
        deny - The new deny expression

      • isAllowValid

        public final boolean isAllowValid()
        Returns false if the last change to the allow pattern did not apply successfully. E.g. if the pattern is syntactically invalid.
        Returns:
        false if the current pattern is invalid

      • isDenyValid

        public final boolean isDenyValid()
        Returns false if the last change to the deny pattern did not apply successfully. E.g. if the pattern is syntactically invalid.
        Returns:
        false if the current pattern is invalid

      • getDenyStatus

        public int getDenyStatus()
        Returns:
        response status code that is used to reject denied request.

      • setDenyStatus

        public void setDenyStatus​(int denyStatus)
        Set response status code that is used to reject denied request.
        Parameters:
        denyStatus - The status code

      • getInvalidAuthenticationWhenDeny

        public boolean getInvalidAuthenticationWhenDeny()
        Returns:
        true if a deny is handled by setting an invalid auth header.

      • setInvalidAuthenticationWhenDeny

        public void setInvalidAuthenticationWhenDeny​(boolean value)
        Set invalidAuthenticationWhenDeny property.
        Parameters:
        value - true to handle a deny by setting an invalid auth header

      • getAddConnectorPort

        public boolean getAddConnectorPort()
        Get the flag deciding whether we add the server connector port to the property compared in the filtering method. The port will be appended using a ";" as a separator.
        Returns:
        true to add the connector port

      • setAddConnectorPort

        public void setAddConnectorPort​(boolean addConnectorPort)
        Set the flag deciding whether we add the server connector port to the property compared in the filtering method. The port will be appended using a ";" as a separator.
        Parameters:
        addConnectorPort - The new flag

      • getUsePeerAddress

        public boolean getUsePeerAddress()
        Get the flag deciding whether we use the connection peer address or the remote address. This makes a dfifference when using AJP or the RemoteIpValve.
        Returns:
        true if we use the connection peer address

      • setUsePeerAddress

        public void setUsePeerAddress​(boolean usePeerAddress)
        Set the flag deciding whether we use the connection peer address or the remote address. This makes a dfifference when using AJP or the RemoteIpValve.
        Parameters:
        usePeerAddress - The new flag

      • invoke

        public abstract void invoke​(Request request,
                            Response response)
                     throws java.io.IOException,
                            ServletException
        Extract the desired request property, and pass it (along with the specified request and response objects) to the protected process() method to perform the actual filtering. This method must be implemented by a concrete subclass.
        Parameters:
        request - The servlet request to be processed
        response - The servlet response to be created
        Throws:
        java.io.IOException - if an input/output error occurs
        ServletException - if a servlet error occurs

      • initInternal

        protected void initInternal()
                     throws LifecycleException
        Description copied from class: LifecycleMBeanBase
        Sub-classes wishing to perform additional initialization should override this method, ensuring that super.initInternal() is the first call in the overriding method.
        Overrides:
        initInternal in class ValveBase
        Throws:
        LifecycleException - If the initialisation fails

      • process

        protected void process​(java.lang.String property,
                       Request request,
                       Response response)
                throws java.io.IOException,
                       ServletException
        Perform the filtering that has been configured for this Valve, matching against the specified request property.
        Parameters:
        property - The request property on which to filter
        request - The servlet request to be processed
        response - The servlet response to be processed
        Throws:
        java.io.IOException - if an input/output error occurs
        ServletException - if a servlet error occurs

      • getLog

        protected abstract Log getLog()

      • denyRequest

        protected void denyRequest​(Request request,
                           Response response)
                    throws java.io.IOException,
                           ServletException
        Reject the request that was denied by this valve.

        If invalidAuthenticationWhenDeny is true and the context has preemptiveAuthentication set, set an invalid authorization header to trigger basic auth.

        Parameters:
        request - The servlet request to be processed
        response - The servlet response to be processed
        Throws:
        java.io.IOException - if an input/output error occurs
        ServletException - if a servlet error occurs

      • isAllowed

        public boolean isAllowed​(java.lang.String property)
        Perform the test implemented by this Valve, matching against the specified request property value. This method is public so that it can be called through JMX, e.g. to test whether certain IP address is allowed or denied by the valve configuration.
        Parameters:
        property - The request property value on which to filter
        Returns:
        true if the request is allowed