7:44 p.m.
Author: remy.maucherat(a)jboss.com
Date: 2010-03-12 13:44:44 -0500 (Fri, 12 Mar 2010)
New Revision: 1410
Added:
trunk/java/org/apache/catalina/filters/Constants.java
trunk/java/org/apache/catalina/filters/FilterBase.java
trunk/java/org/apache/catalina/filters/LocalStrings.properties
trunk/java/org/apache/catalina/filters/LocalStrings_es.properties
trunk/java/org/apache/catalina/filters/LocalStrings_fr.properties
trunk/java/org/apache/catalina/filters/RemoteAddrFilter.java
trunk/java/org/apache/catalina/filters/RemoteHostFilter.java
trunk/java/org/apache/catalina/filters/RemoteIpFilter.java
trunk/java/org/apache/catalina/filters/RequestDumperFilter.java
trunk/java/org/apache/catalina/filters/RequestFilter.java
Modified:
trunk/webapps/docs/changelog.xml
Log:
- Port utility filters from Tomcat.
Added: trunk/java/org/apache/catalina/filters/Constants.java
===================================================================
--- trunk/java/org/apache/catalina/filters/Constants.java (rev 0)
+++ trunk/java/org/apache/catalina/filters/Constants.java 2010-03-12 18:44:44 UTC (rev
1410)
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.catalina.filters;
+
+
+/**
+ * Manifest constants for this Java package.
+ *
+ *
+ * @author Craig R. McClanahan
+ * @version $Revision: 794798 $ $Date: 2009-07-16 21:34:49 +0200 (Thu, 16 Jul 2009) $
+ */
+
+public final class Constants {
+
+ public static final String Package = "org.apache.catalina.filters";
+
+}
Added: trunk/java/org/apache/catalina/filters/FilterBase.java
===================================================================
--- trunk/java/org/apache/catalina/filters/FilterBase.java (rev
0)
+++ trunk/java/org/apache/catalina/filters/FilterBase.java 2010-03-12 18:44:44 UTC (rev
1410)
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+import java.util.Enumeration;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+
+import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Base class for filters that provides generic initialisation and a simple
+ * no-op destruction.
+ *
+ * @author xxd
+ *
+ */
+public abstract class FilterBase implements Filter {
+
+ protected static final StringManager sm =
+ StringManager.getManager(Constants.Package);
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ Enumeration<String> paramNames = filterConfig.getInitParameterNames();
+ while (paramNames.hasMoreElements()) {
+ String paramName = paramNames.nextElement();
+ if (!IntrospectionUtils.setProperty(this, paramName,
+ filterConfig.getInitParameter(paramName))) {
+
filterConfig.getServletContext().log(sm.getString("filterbase.noSuchProperty",
+ paramName, this.getClass().getName()));
+ }
+ }
+ }
+
+ @Override
+ public void destroy() {
+ // NOOP
+ }
+
+}
Added: trunk/java/org/apache/catalina/filters/LocalStrings.properties
===================================================================
--- trunk/java/org/apache/catalina/filters/LocalStrings.properties
(rev 0)
+++ trunk/java/org/apache/catalina/filters/LocalStrings.properties 2010-03-12 18:44:44 UTC
(rev 1410)
@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+filterbase.noSuchProperty=The property "{0}" is not defined for filters of type
"{1}"
+
+http.403=Access to the specified resource ({0}) has been forbidden.
Added: trunk/java/org/apache/catalina/filters/LocalStrings_es.properties
===================================================================
--- trunk/java/org/apache/catalina/filters/LocalStrings_es.properties
(rev 0)
+++ trunk/java/org/apache/catalina/filters/LocalStrings_es.properties 2010-03-12 18:44:44
UTC (rev 1410)
@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+http.403=El acceso al recurso especificado ({0}) ha sido prohibido.
Added: trunk/java/org/apache/catalina/filters/LocalStrings_fr.properties
===================================================================
--- trunk/java/org/apache/catalina/filters/LocalStrings_fr.properties
(rev 0)
+++ trunk/java/org/apache/catalina/filters/LocalStrings_fr.properties 2010-03-12 18:44:44
UTC (rev 1410)
@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+http.403=L''acc\u00e8s \u00e0 la ressource demand\u00e9e ({0}) a \u00e9t\u00e9
interdit.
Added: trunk/java/org/apache/catalina/filters/RemoteAddrFilter.java
===================================================================
--- trunk/java/org/apache/catalina/filters/RemoteAddrFilter.java
(rev 0)
+++ trunk/java/org/apache/catalina/filters/RemoteAddrFilter.java 2010-03-12 18:44:44 UTC
(rev 1410)
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.catalina.filters;
+
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.jboss.servlet.http.HttpEvent;
+import org.jboss.servlet.http.HttpEventFilterChain;
+
+
+/**
+ * Concrete implementation of <code>RequestFilter</code> that filters
+ * based on the string representation of the remote client's IP address.
+ *
+ * @author Craig R. McClanahan
+ *
+ */
+
+public final class RemoteAddrFilter
+ extends RequestFilter {
+
+ // --------------------------------------------------------- Public Methods
+
+
+ /**
+ * Extract the desired request property, and pass it (along with the
+ * specified request and response objects and associated filter chain) to
+ * the protected <code>process()</code> method to perform the actual
+ * filtering.
+ *
+ * @param request The servlet request to be processed
+ * @param response The servlet response to be created
+ * @param chain The filter chain for this request
+ *
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if a servlet error occurs
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+
+ process(request.getRemoteAddr(), request, response, chain);
+
+ }
+
+ /**
+ * Extract the desired request property, and pass it (along with the comet
+ * event and filter chain) to the protected <code>process()</code>
method
+ * to perform the actual filtering.
+ *
+ * @param event The comet event to be processed
+ * @param chain The filter chain for this event
+ *
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if a servlet error occurs
+ */
+ @Override
+ public void doFilterEvent(HttpEvent event, HttpEventFilterChain chain)
+ throws IOException, ServletException {
+ processCometEvent(event.getHttpServletRequest().getRemoteHost(),
+ event, chain);
+ }
+
+}
Added: trunk/java/org/apache/catalina/filters/RemoteHostFilter.java
===================================================================
--- trunk/java/org/apache/catalina/filters/RemoteHostFilter.java
(rev 0)
+++ trunk/java/org/apache/catalina/filters/RemoteHostFilter.java 2010-03-12 18:44:44 UTC
(rev 1410)
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.catalina.filters;
+
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.jboss.servlet.http.HttpEvent;
+import org.jboss.servlet.http.HttpEventFilterChain;
+
+
+/**
+ * Concrete implementation of <code>RequestFilter</code> that filters
+ * based on the remote client's host name.
+ *
+ * @author Craig R. McClanahan
+ *
+ */
+
+public final class RemoteHostFilter
+ extends RequestFilter {
+
+
+ // --------------------------------------------------------- Public Methods
+
+
+ /**
+ * Extract the desired request property, and pass it (along with the
+ * specified request and response objects and associated filter chain) to
+ * the protected <code>process()</code> method to perform the actual
+ * filtering.
+ *
+ * @param request The servlet request to be processed
+ * @param response The servlet response to be created
+ * @param chain The filter chain for this request
+ *
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if a servlet error occurs
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+
+ process(request.getRemoteHost(), request, response, chain);
+
+ }
+
+ /**
+ * Extract the desired request property, and pass it (along with the comet
+ * event and filter chain) to the protected <code>process()</code>
method
+ * to perform the actual filtering.
+ *
+ * @param event The comet event to be processed
+ * @param chain The filter chain for this event
+ *
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if a servlet error occurs
+ */
+ @Override
+ public void doFilterEvent(HttpEvent event, HttpEventFilterChain chain)
+ throws IOException, ServletException {
+ processCometEvent(event.getHttpServletRequest().getRemoteHost(),
+ event, chain);
+ }
+
+}
Added: trunk/java/org/apache/catalina/filters/RemoteIpFilter.java
===================================================================
--- trunk/java/org/apache/catalina/filters/RemoteIpFilter.java
(rev 0)
+++ trunk/java/org/apache/catalina/filters/RemoteIpFilter.java 2010-03-12 18:44:44 UTC
(rev 1410)
@@ -0,0 +1,969 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.filters;
+
+import java.io.IOException;
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * <p>
+ * Servlet filter to integrate "X-Forwarded-For" and
"X-Forwarded-Proto" HTTP headers.
+ * </p>
+ * <p>
+ * Most of the design of this Servlet Filter is a port of <a
+ *
href="http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html"...;,
this servlet filter replaces the apparent client remote
+ * IP address and hostname for the request with the IP address list presented by a proxy
or a load balancer via a request headers (e.g.
+ * "X-Forwarded-For").
+ * </p>
+ * <p>
+ * Another feature of this servlet filter is to replace the apparent scheme (http/https)
and server port with the scheme presented by a
+ * proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").
+ * </p>
+ * <p>
+ * This servlet filter proceeds as follows:
+ * </p>
+ * <p>
+ * If the incoming <code>request.getRemoteAddr()</code> matches the servlet
filter's list of internal proxies :
+ * <ul>
+ * <li>Loop on the comma delimited list of IPs and hostnames passed by the
preceding load balancer or proxy in the given request's Http
+ * header named <code>$remoteIPHeader</code> (default value
<code>x-forwarded-for</code>). Values are processed in right-to-left
order.</li>
+ * <li>For each ip/host of the list:
+ * <ul>
+ * <li>if it matches the internal proxies list, the ip/host is
swallowed</li>
+ * <li>if it matches the trusted proxies list, the ip/host is added to the created
proxies header</li>
+ * <li>otherwise, the ip/host is declared to be the remote ip and looping is
stopped.</li>
+ * </ul>
+ * </li>
+ * <li>If the request http header named <code>$protocolHeader</code>
(e.g. <code>x-forwarded-for</code>) equals to the value of
+ * <code>protocolHeaderHttpsValue</code> configuration parameter (default
<code>https</code>) then <code>request.isSecure = true</code>,
+ * <code>request.scheme = https</code> and <code>request.serverPort =
443</code>. Note that 443 can be overwritten with the
+ * <code>$httpsServerPort</code> configuration parameter.</li>
+ * </ul>
+ * </p>
+ * <p>
+ * <strong>Configuration parameters:</strong>
+ * <table border="1">
+ * <tr>
+ * <th>XForwardedFilter property</th>
+ * <th>Description</th>
+ * <th>Equivalent mod_remoteip directive</th>
+ * <th>Format</th>
+ * <th>Default Value</th>
+ * </tr>
+ * <tr>
+ * <td>remoteIPHeader</td>
+ * <td>Name of the Http Header read by this servlet filter that holds the list of
traversed IP addresses starting from the requesting client
+ * </td>
+ * <td>RemoteIPHeader</td>
+ * <td>Compliant http header name</td>
+ * <td>x-forwarded-for</td>
+ * </tr>
+ * <tr>
+ * <td>internalProxies</td>
+ * <td>List of internal proxies ip adress. If they appear in the
<code>remoteIpHeader</code> value, they will be trusted and will not appear
+ * in the <code>proxiesHeader</code> value</td>
+ * <td>RemoteIPInternalProxy</td>
+ * <td>Comma delimited list of regular expressions (in the syntax supported by the
{@link java.util.regex.Pattern} library)</td>
+ * <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3} <br/>
+ * By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not
been enabled by default because it is complex to
+ * describe with regular expressions</td>
+ * </tr>
+ * </tr>
+ * <tr>
+ * <td>proxiesHeader</td>
+ * <td>Name of the http header created by this servlet filter to hold the list of
proxies that have been processed in the incoming
+ * <code>remoteIPHeader</code></td>
+ * <td>RemoteIPProxiesHeader</td>
+ * <td>Compliant http header name</td>
+ * <td>x-forwarded-by</td>
+ * </tr>
+ * <tr>
+ * <td>trustedProxies</td>
+ * <td>List of trusted proxies ip adress. If they appear in the
<code>remoteIpHeader</code> value, they will be trusted and will appear in
+ * the <code>proxiesHeader</code> value</td>
+ * <td>RemoteIPTrustedProxy</td>
+ * <td>Comma delimited list of regular expressions (in the syntax supported by the
{@link java.util.regex.Pattern} library)</td>
+ * <td> </td>
+ * </tr>
+ * <tr>
+ * <td>protocolHeader</td>
+ * <td>Name of the http header read by this servlet filter that holds the flag that
this request</td>
+ * <td>N/A</td>
+ * <td>Compliant http header name like <code>X-Forwarded-Proto</code>,
<code>X-Forwarded-Ssl</code> or
<code>Front-End-Https</code></td>
+ * <td><code>null</code></td>
+ * </tr>
+ * <tr>
+ * <td>protocolHeaderHttpsValue</td>
+ * <td>Value of the <code>protocolHeader</code> to indicate that it is
an Https request</td>
+ * <td>N/A</td>
+ * <td>String like <code>https</code> or
<code>ON</code></td>
+ * <td><code>https</code></td>
+ * </tr>
+ * <tr>
+ * <td>httpServerPort</td>
+ * <td>Value returned by {@link ServletRequest#getServerPort()} when the
<code>protocolHeader</code> indicates <code>http</code>
protocol</td>
+ * <td>N/A</td>
+ * <td>integer</td>
+ * <td>80</td>
+ * </tr>
+ * <tr>
+ * <td>httpsServerPort</td>
+ * <td>Value returned by {@link ServletRequest#getServerPort()} when the
<code>protocolHeader</code> indicates <code>https</code>
protocol</td>
+ * <td>N/A</td>
+ * <td>integer</td>
+ * <td>443</td>
+ * </tr>
+ * </table>
+ * </p>
+ * <p>
+ * <p>
+ * <strong>Regular expression vs. IP address blocks:</strong>
<code>mod_remoteip</code> allows to use address blocks (e.g.
+ * <code>192.168/16</code>) to configure
<code>RemoteIPInternalProxy</code> and
<code>RemoteIPTrustedProxy</code> ; as the JVM doesn't have a
+ * library similar to <a
+ *
href="http://apr.apache.org/docs/apr/1.3/group__apr__network__io.htm...;,
we rely on
+ * regular expressions.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with internal proxies</strong>
+ * </p>
+ * <p>
+ * XForwardedFilter configuration:
+ * </p>
+ * <code><pre>
+ * <filter>
+ * <filter-name>RemoteIpFilter</filter-name>
+ *
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ * <init-param>
+ *
<param-name>internalProxies</param-name><param-value>192\.168\.0\.10,
192\.168\.0\.11</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>protocolHeader</param-name><param-value>x-forwarded-proto</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>RemoteIpFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before RemoteIpFilter</th>
+ * <th>Value After RemoteIpFilter</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, 192.168.0.10</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-proto']</td>
+ * <td>https</td>
+ * <td>https</td>
+ * </tr>
+ * <tr>
+ * <td>request.scheme</td>
+ * <td>http</td>
+ * <td>https</td>
+ * </tr>
+ * <tr>
+ * <td>request.secure</td>
+ * <td>false</td>
+ * <td>true</td>
+ * </tr>
+ * <tr>
+ * <td>request.serverPort</td>
+ * <td>80</td>
+ * <td>443</td>
+ * </tr>
+ * </table>
+ * Note : <code>x-forwarded-by</code> header is null because only internal
proxies as been traversed by the request.
+ * <code>x-forwarded-by</code> is null because all the proxies are trusted or
internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with trusted proxies</strong>
+ * </p>
+ * <p>
+ * RemoteIpFilter configuration:
+ * </p>
+ * <code><pre>
+ * <filter>
+ * <filter-name>RemoteIpFilter</filter-name>
+ *
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ * <init-param>
+ *
<param-name>internalProxies</param-name><param-value>192\.168\.0\.10,
192\.168\.0\.11</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>trustedProxies</param-name><param-value>proxy1,
proxy2</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>RemoteIpFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before RemoteIpFilter</th>
+ * <th>Value After RemoteIpFilter</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, proxy1, proxy2</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1, proxy2</td>
+ * </tr>
+ * </table>
+ * Note : <code>proxy1</code> and <code>proxy2</code> are both
trusted proxies that come in <code>x-forwarded-for</code> header, they both
+ * are migrated in <code>x-forwarded-by</code> header.
<code>x-forwarded-by</code> is null because all the proxies are trusted or
internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with internal and trusted proxies</strong>
+ * </p>
+ * <p>
+ * RemoteIpFilter configuration:
+ * </p>
+ * <code><pre>
+ * <filter>
+ * <filter-name>RemoteIpFilter</filter-name>
+ *
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ * <init-param>
+ *
<param-name>internalProxies</param-name><param-value>192\.168\.0\.10,
192\.168\.0\.11</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>trustedProxies</param-name><param-value>proxy1,
proxy2</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>RemoteIpFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before RemoteIpFilter</th>
+ * <th>Value After RemoteIpFilter</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, proxy1, proxy2, 192.168.0.10</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1, proxy2</td>
+ * </tr>
+ * </table>
+ * Note : <code>proxy1</code> and <code>proxy2</code> are both
trusted proxies that come in <code>x-forwarded-for</code> header, they both
+ * are migrated in <code>x-forwarded-by</code> header. As
<code>192.168.0.10</code> is an internal proxy, it does not appear in
+ * <code>x-forwarded-by</code>. <code>x-forwarded-by</code> is
null because all the proxies are trusted or internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with an untrusted proxy</strong>
+ * </p>
+ * <p>
+ * RemoteIpFilter configuration:
+ * </p>
+ * <code><pre>
+ * <filter>
+ * <filter-name>RemoteIpFilter</filter-name>
+ *
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
+ * <init-param>
+ *
<param-name>internalProxies</param-name><param-value>192\.168\.0\.10,
192\.168\.0\.11</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>remoteIPHeader</param-name><param-value>x-forwarded-for</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>remoteIPProxiesHeader</param-name><param-value>x-forwarded-by</param-value>
+ * </init-param>
+ * <init-param>
+ *
<param-name>trustedProxies</param-name><param-value>proxy1,
proxy2</param-value>
+ * </init-param>
+ * </filter>
+ *
+ * <filter-mapping>
+ * <filter-name>RemoteIpFilter</filter-name>
+ * <url-pattern>/*</url-pattern>
+ * <dispatcher>REQUEST</dispatcher>
+ * </filter-mapping></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before RemoteIpFilter</th>
+ * <th>Value After RemoteIpFilter</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>untrusted-proxy</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, untrusted-proxy, proxy1</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1</td>
+ * </tr>
+ * </table>
+ * Note : <code>x-forwarded-by</code> holds the trusted proxy
<code>proxy1</code>. <code>x-forwarded-by</code> holds
+ * <code>140.211.11.130</code> because
<code>untrusted-proxy</code> is not trusted and thus, we can not trust that
+ * <code>untrusted-proxy</code> is the actual remote ip.
<code>request.remoteAddr</code> is <code>untrusted-proxy</code>
that is an IP
+ * verified by <code>proxy1</code>.
+ * </p>
+ * <hr/>
+ */
+public class RemoteIpFilter implements Filter {
+ public static class XForwardedRequest extends HttpServletRequestWrapper {
+
+ final static ThreadLocal<SimpleDateFormat[]> threadLocalDateFormats = new
ThreadLocal<SimpleDateFormat[]>() {
+ @Override
+ protected SimpleDateFormat[] initialValue() {
+ return new SimpleDateFormat[] {
+ new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz",
Locale.US),
+ new SimpleDateFormat("EEEEEE, dd-MMM-yy HH:mm:ss zzz",
Locale.US),
+ new SimpleDateFormat("EEE MMMM d HH:mm:ss yyyy",
Locale.US)
+ };
+
+ }
+ };
+
+ protected Map<String, List<String>> headers;
+
+ protected String remoteAddr;
+
+ protected String remoteHost;
+
+ protected String scheme;
+
+ protected boolean secure;
+
+ protected int serverPort;
+
+ public XForwardedRequest(HttpServletRequest request) {
+ super(request);
+ this.remoteAddr = request.getRemoteAddr();
+ this.remoteHost = request.getRemoteHost();
+ this.scheme = request.getScheme();
+ this.secure = request.isSecure();
+ this.serverPort = request.getServerPort();
+
+ headers = new HashMap<String, List<String>>();
+ for (Enumeration<String> headerNames = request.getHeaderNames();
headerNames.hasMoreElements();) {
+ String header = headerNames.nextElement();
+ headers.put(header, Collections.list(request.getHeaders(header)));
+ }
+ }
+
+ @Override
+ public long getDateHeader(String name) {
+ String value = getHeader(name);
+ if (value == null) {
+ return -1;
+ }
+ DateFormat[] dateFormats = threadLocalDateFormats.get();
+ Date date = null;
+ for (int i = 0; ((i < dateFormats.length) && (date == null)); i++)
{
+ DateFormat dateFormat = dateFormats[i];
+ try {
+ date = dateFormat.parse(value);
+ } catch (Exception ParseException) {
+ // Ignore
+ }
+ }
+ if (date == null) {
+ throw new IllegalArgumentException(value);
+ }
+ return date.getTime();
+ }
+
+ @Override
+ public String getHeader(String name) {
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header == null || header.getValue() == null ||
header.getValue().isEmpty()) {
+ return null;
+ }
+ return header.getValue().get(0);
+ }
+
+ protected Map.Entry<String, List<String>> getHeaderEntry(String name)
{
+ for (Map.Entry<String, List<String>> entry : headers.entrySet())
{
+ if (entry.getKey().equalsIgnoreCase(name)) {
+ return entry;
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getHeaderNames() {
+ return Collections.enumeration(headers.keySet());
+ }
+
+ @Override
+ public Enumeration<String> getHeaders(String name) {
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header == null || header.getValue() == null) {
+ return Collections.enumeration(Collections.<String>emptyList());
+ }
+ return Collections.enumeration(header.getValue());
+ }
+
+ @Override
+ public int getIntHeader(String name) {
+ String value = getHeader(name);
+ if (value == null) {
+ return -1;
+ }
+ return Integer.parseInt(value);
+ }
+
+ @Override
+ public String getRemoteAddr() {
+ return this.remoteAddr;
+ }
+
+ @Override
+ public String getRemoteHost() {
+ return this.remoteHost;
+ }
+
+ @Override
+ public String getScheme() {
+ return scheme;
+ }
+
+ @Override
+ public int getServerPort() {
+ return serverPort;
+ }
+
+ @Override
+ public boolean isSecure() {
+ return secure;
+ }
+
+ public void removeHeader(String name) {
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header != null) {
+ headers.remove(header.getKey());
+ }
+ }
+
+ public void setHeader(String name, String value) {
+ List<String> values = Arrays.asList(value);
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header == null) {
+ headers.put(name, values);
+ } else {
+ header.setValue(values);
+ }
+
+ }
+
+ public void setRemoteAddr(String remoteAddr) {
+ this.remoteAddr = remoteAddr;
+ }
+
+ public void setRemoteHost(String remoteHost) {
+ this.remoteHost = remoteHost;
+ }
+
+ public void setScheme(String scheme) {
+ this.scheme = scheme;
+ }
+
+ public void setSecure(boolean secure) {
+ this.secure = secure;
+ }
+
+ public void setServerPort(int serverPort) {
+ this.serverPort = serverPort;
+ }
+ }
+
+ /**
+ * {@link Pattern} for a comma delimited string that support whitespace characters
+ */
+ private static final Pattern commaSeparatedValuesPattern =
Pattern.compile("\\s*,\\s*");
+
+ protected static final String HTTP_SERVER_PORT_PARAMETER =
"httpServerPort";
+
+ protected static final String HTTPS_SERVER_PORT_PARAMETER =
"httpsServerPort";
+
+ protected static final String INTERNAL_PROXIES_PARAMETER =
"internalProxies";
+
+ protected static final String PROTOCOL_HEADER_PARAMETER =
"protocolHeader";
+
+ protected static final String PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER =
"protocolHeaderHttpsValue";
+
+ protected static final String PROXIES_HEADER_PARAMETER = "proxiesHeader";
+
+ protected static final String REMOTE_IP_HEADER_PARAMETER =
"remoteIPHeader";
+
+ protected static final String TRUSTED_PROXIES_PARAMETER =
"trustedProxies";
+
+ /**
+ * Convert a given comma delimited list of regular expressions into an array of
compiled {@link Pattern}
+ *
+ * @return array of patterns (not <code>null</code>)
+ */
+ protected static Pattern[] commaDelimitedListToPatternArray(String
commaDelimitedPatterns) {
+ String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns);
+ List<Pattern> patternsList = new ArrayList<Pattern>();
+ for (String pattern : patterns) {
+ try {
+ patternsList.add(Pattern.compile(pattern));
+ } catch (PatternSyntaxException e) {
+ throw new IllegalArgumentException("Illegal pattern syntax
'" + pattern + "'", e);
+ }
+ }
+ return patternsList.toArray(new Pattern[0]);
+ }
+
+ /**
+ * Convert a given comma delimited list of regular expressions into an array of
String
+ *
+ * @return array of patterns (non <code>null</code>)
+ */
+ protected static String[] commaDelimitedListToStringArray(String
commaDelimitedStrings) {
+ return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ?
new String[0] : commaSeparatedValuesPattern
+ .split(commaDelimitedStrings);
+ }
+
+ /**
+ * Convert an array of strings in a comma delimited string
+ */
+ protected static String listToCommaDelimitedString(List<String> stringList) {
+ if (stringList == null) {
+ return "";
+ }
+ StringBuilder result = new StringBuilder();
+ for (Iterator<String> it = stringList.iterator(); it.hasNext();) {
+ Object element = it.next();
+ if (element != null) {
+ result.append(element);
+ if (it.hasNext()) {
+ result.append(", ");
+ }
+ }
+ }
+ return result.toString();
+ }
+
+ /**
+ * Return <code>true</code> if the given <code>str</code>
matches at least one of the given <code>patterns</code>.
+ */
+ protected static boolean matchesOne(String str, Pattern... patterns) {
+ for (Pattern pattern : patterns) {
+ if (pattern.matcher(str).matches()) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * @see #setHttpServerPort(int)
+ */
+ private int httpServerPort = 80;
+
+ /**
+ * @see #setHttpsServerPort(int)
+ */
+ private int httpsServerPort = 443;
+
+ /**
+ * @see #setInternalProxies(String)
+ */
+ private Pattern[] internalProxies = new Pattern[] {
+ Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"),
Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"),
+ Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"),
Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}")
+ };
+
+ /**
+ * @see #setProtocolHeader(String)
+ */
+ private String protocolHeader = null;
+
+ private String protocolHeaderHttpsValue = "https";
+
+ /**
+ * @see #setProxiesHeader(String)
+ */
+ private String proxiesHeader = "X-Forwarded-By";
+
+ /**
+ * @see #setRemoteIPHeader(String)
+ */
+ private String remoteIPHeader = "X-Forwarded-For";
+
+ /**
+ * @see #setTrustedProxies(String)
+ */
+ private Pattern[] trustedProxies = new Pattern[0];
+
+ public void destroy() {
+ // NOOP
+ }
+
+ public void doFilter(HttpServletRequest request, HttpServletResponse response,
FilterChain chain) throws IOException, ServletException {
+
+ if (matchesOne(request.getRemoteAddr(), internalProxies)) {
+ String remoteIp = null;
+ // In java 6, proxiesHeaderValue should be declared as a java.util.Deque
+ LinkedList<String> proxiesHeaderValue = new
LinkedList<String>();
+
+ String[] remoteIPHeaderValue =
commaDelimitedListToStringArray(request.getHeader(remoteIPHeader));
+ int idx;
+ // loop on remoteIPHeaderValue to find the first trusted remote ip and to
build the proxies chain
+ for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--) {
+ String currentRemoteIp = remoteIPHeaderValue[idx];
+ remoteIp = currentRemoteIp;
+ if (matchesOne(currentRemoteIp, internalProxies)) {
+ // do nothing, internalProxies IPs are not appended to the
+ } else if (matchesOne(currentRemoteIp, trustedProxies)) {
+ proxiesHeaderValue.addFirst(currentRemoteIp);
+ } else {
+ idx--; // decrement idx because break statement doesn't do it
+ break;
+ }
+ }
+ // continue to loop on remoteIPHeaderValue to build the new value of the
remoteIPHeader
+ LinkedList<String> newRemoteIpHeaderValue = new
LinkedList<String>();
+ for (; idx >= 0; idx--) {
+ String currentRemoteIp = remoteIPHeaderValue[idx];
+ newRemoteIpHeaderValue.addFirst(currentRemoteIp);
+ }
+
+ XForwardedRequest xRequest = new XForwardedRequest(request);
+ if (remoteIp != null) {
+
+ xRequest.setRemoteAddr(remoteIp);
+ xRequest.setRemoteHost(remoteIp);
+
+ if (proxiesHeaderValue.size() == 0) {
+ xRequest.removeHeader(proxiesHeader);
+ } else {
+ String commaDelimitedListOfProxies =
listToCommaDelimitedString(proxiesHeaderValue);
+ xRequest.setHeader(proxiesHeader, commaDelimitedListOfProxies);
+ }
+ if (newRemoteIpHeaderValue.size() == 0) {
+ xRequest.removeHeader(remoteIPHeader);
+ } else {
+ String commaDelimitedRemoteIpHeaderValue =
listToCommaDelimitedString(newRemoteIpHeaderValue);
+ xRequest.setHeader(remoteIPHeader,
commaDelimitedRemoteIpHeaderValue);
+ }
+ }
+
+ if (protocolHeader != null) {
+ String protocolHeaderValue = request.getHeader(protocolHeader);
+ if (protocolHeaderValue == null) {
+ // don't modify the secure,scheme and serverPort attributes of
the request
+ } else if
(protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
+ xRequest.setSecure(true);
+ xRequest.setScheme("https");
+ xRequest.setServerPort(httpsServerPort);
+ } else {
+ xRequest.setSecure(false);
+ xRequest.setScheme("http");
+ xRequest.setServerPort(httpServerPort);
+ }
+ }
+
+ chain.doFilter(xRequest, response);
+ } else {
+ chain.doFilter(request, response);
+ }
+
+ }
+
+ /**
+ * Wrap the incoming <code>request</code> in a {@link XForwardedRequest}
if the http header <code>x-forwareded-for</code> is not empty.
+ */
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException, ServletException {
+ if (request instanceof HttpServletRequest && response instanceof
HttpServletResponse) {
+ doFilter((HttpServletRequest)request, (HttpServletResponse)response, chain);
+ } else {
+ chain.doFilter(request, response);
+ }
+ }
+
+ public int getHttpsServerPort() {
+ return httpsServerPort;
+ }
+
+ public Pattern[] getInternalProxies() {
+ return internalProxies;
+ }
+
+ public String getProtocolHeader() {
+ return protocolHeader;
+ }
+
+ public String getProtocolHeaderHttpsValue() {
+ return protocolHeaderHttpsValue;
+ }
+
+ public String getProxiesHeader() {
+ return proxiesHeader;
+ }
+
+ public String getRemoteIPHeader() {
+ return remoteIPHeader;
+ }
+
+ public Pattern[] getTrustedProxies() {
+ return trustedProxies;
+ }
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ if (filterConfig.getInitParameter(INTERNAL_PROXIES_PARAMETER) != null) {
+
setInternalProxies(filterConfig.getInitParameter(INTERNAL_PROXIES_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(PROTOCOL_HEADER_PARAMETER) != null) {
+ setProtocolHeader(filterConfig.getInitParameter(PROTOCOL_HEADER_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER) != null)
{
+
setProtocolHeaderHttpsValue(filterConfig.getInitParameter(PROTOCOL_HEADER_HTTPS_VALUE_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(PROXIES_HEADER_PARAMETER) != null) {
+ setProxiesHeader(filterConfig.getInitParameter(PROXIES_HEADER_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(REMOTE_IP_HEADER_PARAMETER) != null) {
+
setRemoteIPHeader(filterConfig.getInitParameter(REMOTE_IP_HEADER_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(TRUSTED_PROXIES_PARAMETER) != null) {
+ setTrustedProxies(filterConfig.getInitParameter(TRUSTED_PROXIES_PARAMETER));
+ }
+
+ if (filterConfig.getInitParameter(HTTP_SERVER_PORT_PARAMETER) != null) {
+ try {
+
setHttpServerPort(Integer.parseInt(filterConfig.getInitParameter(HTTP_SERVER_PORT_PARAMETER)));
+ } catch (NumberFormatException e) {
+ throw new NumberFormatException("Illegal " +
HTTP_SERVER_PORT_PARAMETER + " : " + e.getMessage());
+ }
+ }
+
+ if (filterConfig.getInitParameter(HTTPS_SERVER_PORT_PARAMETER) != null) {
+ try {
+
setHttpsServerPort(Integer.parseInt(filterConfig.getInitParameter(HTTPS_SERVER_PORT_PARAMETER)));
+ } catch (NumberFormatException e) {
+ throw new NumberFormatException("Illegal " +
HTTPS_SERVER_PORT_PARAMETER + " : " + e.getMessage());
+ }
+ }
+ }
+
+ /**
+ * <p>
+ * Server Port value if the {@link #protocolHeader} indicates HTTP (i.e. {@link
#protocolHeader} is not null and
+ * has a value different of {@link #protocolHeaderHttpsValue}).
+ * </p>
+ * <p>
+ * Default value : 80
+ * </p>
+ */
+ public void setHttpServerPort(int httpServerPort) {
+ this.httpServerPort = httpServerPort;
+ }
+
+ /**
+ * <p>
+ * Server Port value if the {@link #protocolHeader} indicates HTTPS
+ * </p>
+ * <p>
+ * Default value : 443
+ * </p>
+ */
+ public void setHttpsServerPort(int httpsServerPort) {
+ this.httpsServerPort = httpsServerPort;
+ }
+
+ /**
+ * <p>
+ * Comma delimited list of internal proxies. Can be expressed with regular
expressions.
+ * </p>
+ * <p>
+ * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
127\.\d{1,3}\.\d{1,3}\.\d{1,3}
+ * </p>
+ */
+ public void setInternalProxies(String internalProxies) {
+ this.internalProxies = commaDelimitedListToPatternArray(internalProxies);
+ }
+
+ /**
+ * <p>
+ * Header that holds the incoming protocol, usally named
<code>X-Forwarded-Proto</code>. If <code>null</code>,
request.scheme and
+ * request.secure will not be modified.
+ * </p>
+ * <p>
+ * Default value : <code>null</code>
+ * </p>
+ */
+ public void setProtocolHeader(String protocolHeader) {
+ this.protocolHeader = protocolHeader;
+ }
+
+ /**
+ * <p>
+ * Case insensitive value of the protocol header to indicate that the incoming http
request uses HTTPS.
+ * </p>
+ * <p>
+ * Default value : <code>https</code>
+ * </p>
+ */
+ public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
+ this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
+ }
+
+ /**
+ * <p>
+ * The proxiesHeader directive specifies a header into which mod_remoteip will
collect a list of all of the intermediate client IP
+ * addresses trusted to resolve the actual remote IP. Note that intermediate
RemoteIPTrustedProxy addresses are recorded in this header,
+ * while any intermediate RemoteIPInternalProxy addresses are discarded.
+ * </p>
+ * <p>
+ * Name of the http header that holds the list of trusted proxies that has been
traversed by the http request.
+ * </p>
+ * <p>
+ * The value of this header can be comma delimited.
+ * </p>
+ * <p>
+ * Default value : <code>X-Forwarded-By</code>
+ * </p>
+ */
+ public void setProxiesHeader(String proxiesHeader) {
+ this.proxiesHeader = proxiesHeader;
+ }
+
+ /**
+ * <p>
+ * Name of the http header from which the remote ip is extracted.
+ * </p>
+ * <p>
+ * The value of this header can be comma delimited.
+ * </p>
+ * <p>
+ * Default value : <code>X-Forwarded-For</code>
+ * </p>
+ */
+ public void setRemoteIPHeader(String remoteIPHeader) {
+ this.remoteIPHeader = remoteIPHeader;
+ }
+
+ /**
+ * <p>
+ * Comma delimited list of proxies that are trusted when they appear in the {@link
#remoteIPHeader} header. Can be expressed as a
+ * regular expression.
+ * </p>
+ * <p>
+ * Default value : empty list, no external proxy is trusted.
+ * </p>
+ */
+ public void setTrustedProxies(String trustedProxies) {
+ this.trustedProxies = commaDelimitedListToPatternArray(trustedProxies);
+ }
+}
Added: trunk/java/org/apache/catalina/filters/RequestDumperFilter.java
===================================================================
--- trunk/java/org/apache/catalina/filters/RequestDumperFilter.java
(rev 0)
+++ trunk/java/org/apache/catalina/filters/RequestDumperFilter.java 2010-03-12 18:44:44
UTC (rev 1410)
@@ -0,0 +1,280 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+import java.io.IOException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Enumeration;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ * <p>Implementation of a Filter that logs interesting contents from the
+ * specified Request (before processing) and the corresponding Response
+ * (after processing). It is especially useful in debugging problems
+ * related to headers and cookies.</p>
+ *
+ * <p>When using this Filter, it is strongly recommended that the
+ * <code>org.apache.catalina.filter.RequestDumperFilter</code> logger is
+ * directed to a dedicated file and that the
+ * <code>org.apache.juli.VerbatimFormmater</code> is used.</p>
+ *
+ * @author Craig R. McClanahan
+ */
+
+public class RequestDumperFilter implements Filter {
+
+ private static final String NON_HTTP_REQ_MSG =
+ "Not available. Non-http request.";
+ private static final String NON_HTTP_RES_MSG =
+ "Not available. Non-http response.";
+
+ private ServletContext context;
+
+ private static final ThreadLocal<Timestamp> timestamp =
+ new ThreadLocal<Timestamp>() {
+ @Override
+ protected Timestamp initialValue() {
+ return new Timestamp();
+ }
+ };
+
+ /**
+ * Log the interesting request parameters, invoke the next Filter in the
+ * sequence, and log the interesting response parameters.
+ *
+ * @param request The servlet request to be processed
+ * @param response The servlet response to be created
+ * @param chain The filter chain being processed
+ *
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if a servlet error occurs
+ */
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain)
+ throws IOException, ServletException {
+
+ HttpServletRequest hRequest = null;
+ HttpServletResponse hResponse = null;
+
+ if (request instanceof HttpServletRequest) {
+ hRequest = (HttpServletRequest) request;
+ }
+ if (response instanceof HttpServletResponse) {
+ hResponse = (HttpServletResponse) response;
+ }
+
+ // Log pre-service information
+ doLog("START TIME ", getTimestamp());
+
+ if (hRequest == null) {
+ doLog(" requestURI", NON_HTTP_REQ_MSG);
+ doLog(" authType", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" requestURI", hRequest.getRequestURI());
+ doLog(" authType", hRequest.getAuthType());
+ }
+
+ doLog(" characterEncoding", request.getCharacterEncoding());
+ doLog(" contentLength",
+ Integer.valueOf(request.getContentLength()).toString());
+ doLog(" contentType", request.getContentType());
+
+ if (hRequest == null) {
+ doLog(" contextPath", NON_HTTP_REQ_MSG);
+ doLog(" cookie", NON_HTTP_REQ_MSG);
+ doLog(" header", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" contextPath", hRequest.getContextPath());
+ Cookie cookies[] = hRequest.getCookies();
+ if (cookies != null) {
+ for (int i = 0; i < cookies.length; i++)
+ doLog(" cookie", cookies[i].getName() +
+ "=" + cookies[i].getValue());
+ }
+ Enumeration<String> hnames = hRequest.getHeaderNames();
+ while (hnames.hasMoreElements()) {
+ String hname = hnames.nextElement();
+ Enumeration<String> hvalues = hRequest.getHeaders(hname);
+ while (hvalues.hasMoreElements()) {
+ String hvalue = hvalues.nextElement();
+ doLog(" header", hname + "=" +
hvalue);
+ }
+ }
+ }
+
+ doLog(" locale", request.getLocale().toString());
+
+ if (hRequest == null) {
+ doLog(" method", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" method", hRequest.getMethod());
+ }
+
+ Enumeration<String> pnames = request.getParameterNames();
+ while (pnames.hasMoreElements()) {
+ String pname = pnames.nextElement();
+ String pvalues[] = request.getParameterValues(pname);
+ StringBuilder result = new StringBuilder(pname);
+ result.append('=');
+ for (int i = 0; i < pvalues.length; i++) {
+ if (i > 0)
+ result.append(", ");
+ result.append(pvalues[i]);
+ }
+ doLog(" parameter", result.toString());
+ }
+
+ if (hRequest == null) {
+ doLog(" pathInfo", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" pathInfo", hRequest.getPathInfo());
+ }
+
+ doLog(" protocol", request.getProtocol());
+
+ if (hRequest == null) {
+ doLog(" queryString", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" queryString", hRequest.getQueryString());
+ }
+
+ doLog(" remoteAddr", request.getRemoteAddr());
+ doLog(" remoteHost", request.getRemoteHost());
+
+ if (hRequest == null) {
+ doLog(" remoteUser", NON_HTTP_REQ_MSG);
+ doLog("requestedSessionId", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" remoteUser", hRequest.getRemoteUser());
+ doLog("requestedSessionId", hRequest.getRequestedSessionId());
+ }
+
+ doLog(" scheme", request.getScheme());
+ doLog(" serverName", request.getServerName());
+ doLog(" serverPort",
+ Integer.valueOf(request.getServerPort()).toString());
+
+ if (hRequest == null) {
+ doLog(" servletPath", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" servletPath", hRequest.getServletPath());
+ }
+
+ doLog(" isSecure",
+ Boolean.valueOf(request.isSecure()).toString());
+ doLog("------------------",
+ "--------------------------------------------");
+
+ // Perform the request
+ chain.doFilter(request, response);
+
+ // Log post-service information
+ doLog("------------------",
+ "--------------------------------------------");
+ if (hRequest == null) {
+ doLog(" authType", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" authType", hRequest.getAuthType());
+ }
+
+ doLog(" contentType", response.getContentType());
+
+ if (hResponse == null) {
+ doLog(" header", NON_HTTP_RES_MSG);
+ } else {
+ Iterable<String> rhnames = hResponse.getHeaderNames();
+ for (String rhname : rhnames) {
+ Iterable<String> rhvalues = hResponse.getHeaders(rhname);
+ for (String rhvalue : rhvalues)
+ doLog(" header", rhname + "=" +
rhvalue);
+ }
+ }
+
+ if (hRequest == null) {
+ doLog(" remoteUser", NON_HTTP_REQ_MSG);
+ } else {
+ doLog(" remoteUser", hRequest.getRemoteUser());
+ }
+
+ if (hResponse == null) {
+ doLog(" remoteUser", NON_HTTP_RES_MSG);
+ } else {
+ doLog(" status",
+ Integer.valueOf(hResponse.getStatus()).toString());
+ }
+
+ doLog("END TIME ", getTimestamp());
+ doLog("==================",
+ "============================================");
+ }
+
+ private void doLog(String attribute, String value) {
+ StringBuilder sb = new StringBuilder(80);
+ sb.append(Thread.currentThread().getName());
+ sb.append(' ');
+ sb.append(attribute);
+ sb.append('=');
+ sb.append(value);
+ if (context != null) {
+ context.log(sb.toString());
+ }
+ }
+
+ private String getTimestamp() {
+ Timestamp ts = timestamp.get();
+ long currentTime = System.currentTimeMillis();
+
+ if ((ts.date.getTime() + 999) < currentTime) {
+ ts.date.setTime(currentTime - (currentTime % 1000));
+ ts.update();
+ }
+ return ts.dateString;
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ context = filterConfig.getServletContext();
+ }
+
+ @Override
+ public void destroy() {
+ context = null;
+ }
+
+ private static final class Timestamp {
+ private Date date = new Date(0);
+ private SimpleDateFormat format =
+ new SimpleDateFormat("dd-MMM-yyyy HH:mm:ss");
+ private String dateString = format.format(date);
+ private void update() {
+ dateString = format.format(date);
+ }
+ }
+}
Added: trunk/java/org/apache/catalina/filters/RequestFilter.java
===================================================================
--- trunk/java/org/apache/catalina/filters/RequestFilter.java (rev
0)
+++ trunk/java/org/apache/catalina/filters/RequestFilter.java 2010-03-12 18:44:44 UTC (rev
1410)
@@ -0,0 +1,313 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.catalina.filters;
+
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+import org.jboss.servlet.http.HttpEvent;
+import org.jboss.servlet.http.HttpEventFilter;
+import org.jboss.servlet.http.HttpEventFilterChain;
+
+/**
+ * Implementation of a Filter that performs filtering based on comparing the
+ * appropriate request property (selected based on which subclass you choose
+ * to configure into your Container's pipeline) against a set of regular
+ * expressions configured for this Filter.
+ * <p>
+ * This filter is configured by setting the <code>allow</code> and/or
+ * <code>deny</code> properties to a comma-delimited list of regular
+ * expressions (in the syntax supported by the jakarta-regexp library) to
+ * which the appropriate request property will be compared. Evaluation
+ * proceeds as follows:
+ * <ul>
+ * <li>The subclass extracts the request property to be filtered, and
+ * calls the common <code>process()</code> method.
+ * <li>If there are any deny expressions configured, the property will
+ * be compared to each such expression. If a match is found, this
+ * request will be rejected with a "Forbidden" HTTP response.</li>
+ * <li>If there are any allow expressions configured, the property will
+ * be compared to each such expression. If a match is found, this
+ * request will be allowed to pass through to the next filter in the
+ * current pipeline.</li>
+ * <li>If one or more deny expressions was specified but no allow expressions,
+ * allow this request to pass through (because none of the deny
+ * expressions matched it).
+ * <li>The request will be rejected with a "Forbidden" HTTP
response.</li>
+ * </ul>
+ * <p>
+ * This Filter may be attached to any Container, depending on the granularity
+ * of the filtering you wish to perform.
+ *
+ * @author Craig R. McClanahan
+ *
+ */
+
+public abstract class RequestFilter
+ extends FilterBase implements HttpEventFilter {
+
+
+ // ----------------------------------------------------- Instance Variables
+
+ /**
+ * The comma-delimited set of <code>allow</code> expressions.
+ */
+ protected String allow = null;
+
+
+ /**
+ * The set of <code>allow</code> regular expressions we will evaluate.
+ */
+ protected Pattern allows[] = new Pattern[0];
+
+
+ /**
+ * The set of <code>deny</code> regular expressions we will evaluate.
+ */
+ protected Pattern denies[] = new Pattern[0];
+
+
+ /**
+ * The comma-delimited set of <code>deny</code> expressions.
+ */
+ protected String deny = null;
+
+ /**
+ * mime type -- "text/plain"
+ */
+ private static final String PLAIN_TEXT_MIME_TYPE = "text/plain";
+
+
+ // ------------------------------------------------------------- Properties
+
+
+ /**
+ * Return a comma-delimited set of the <code>allow</code> expressions
+ * configured for this Filter, if any; otherwise, return
<code>null</code>.
+ */
+ public String getAllow() {
+
+ return (this.allow);
+
+ }
+
+
+ /**
+ * Set the comma-delimited set of the <code>allow</code> expressions
+ * configured for this Filter, if any.
+ *
+ * @param allow The new set of allow expressions
+ */
+ public void setAllow(String allow) {
+
+ this.allow = allow;
+ this.allows = precalculate(allow);
+
+ }
+
+
+ /**
+ * Return a comma-delimited set of the <code>deny</code> expressions
+ * configured for this Filter, if any; otherwise, return
<code>null</code>.
+ */
+ public String getDeny() {
+
+ return (this.deny);
+
+ }
+
+
+ /**
+ * Set the comma-delimited set of the <code>deny</code> expressions
+ * configured for this Filter, if any.
+ *
+ * @param deny The new set of deny expressions
+ */
+ public void setDeny(String deny) {
+
+
+ this.deny = deny;
+ this.denies = precalculate(deny);
+
+ }
+
+
+ // --------------------------------------------------------- Public Methods
+
+
+ /**
+ * Extract the desired request property, and pass it (along with the
+ * specified request and response objects) to the protected
+ * <code>process()</code> method to perform the actual filtering.
+ * This method must be implemented by a concrete subclass.
+ *
+ * @param request The servlet request to be processed
+ * @param response The servlet response to be created
+ * @param chain The filter chain
+ *
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if a servlet error occurs
+ */
+ public abstract void doFilter(ServletRequest request,
+ ServletResponse response, FilterChain chain) throws IOException,
+ ServletException;
+
+
+ // ------------------------------------------------------ Protected Methods
+
+
+ /**
+ * Return an array of regular expression objects initialized from the
+ * specified argument, which must be <code>null</code> or a
comma-delimited
+ * list of regular expression patterns.
+ *
+ * @param list The comma-separated list of patterns
+ *
+ * @exception IllegalArgumentException if one of the patterns has
+ * invalid syntax
+ */
+ protected Pattern[] precalculate(String list) {
+
+ if (list == null)
+ return (new Pattern[0]);
+ list = list.trim();
+ if (list.length() < 1)
+ return (new Pattern[0]);
+ list += ",";
+
+ ArrayList<Pattern> reList = new ArrayList<Pattern>();
+ while (list.length() > 0) {
+ int comma = list.indexOf(',');
+ if (comma < 0)
+ break;
+ String pattern = list.substring(0, comma).trim();
+ try {
+ reList.add(Pattern.compile(pattern));
+ } catch (PatternSyntaxException e) {
+ IllegalArgumentException iae = new IllegalArgumentException
+ (sm.getString("requestFilterFilter.syntax", pattern));
+ iae.initCause(e);
+ throw iae;
+ }
+ list = list.substring(comma + 1);
+ }
+
+ Pattern reArray[] = new Pattern[reList.size()];
+ return reList.toArray(reArray);
+
+ }
+
+
+ /**
+ * Perform the filtering that has been configured for this Filter, matching
+ * against the specified request property.
+ *
+ * @param property The request property on which to filter
+ * @param request The servlet request to be processed
+ * @param response The servlet response to be processed
+ *
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if a servlet error occurs
+ */
+ protected void process(String property, ServletRequest request,
+ ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ if (isAllowed(property)) {
+ chain.doFilter(request, response);
+ } else {
+ if (response instanceof HttpServletResponse) {
+ ((HttpServletResponse) response)
+ .sendError(HttpServletResponse.SC_FORBIDDEN);
+ } else {
+ sendErrorWhenNotHttp(response);
+ }
+ }
+ }
+
+ /**
+ * Perform the filtering that has been configured for this Filter, matching
+ * against the specified request property.
+ *
+ * @param property The property to check against the allow/deny rules
+ * @param event The comet event to be filtered
+ * @param chain The comet filter chain
+ * @exception IOException if an input/output error occurs
+ * @exception ServletException if a servlet error occurs
+ */
+ protected void processCometEvent(String property, HttpEvent event,
HttpEventFilterChain chain)
+ throws IOException, ServletException {
+ HttpServletResponse response = event.getHttpServletResponse();
+
+ if (isAllowed(property)) {
+ chain.doFilterEvent(event);
+ } else {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ event.close();
+ }
+ }
+
+ /**
+ * Process the allow and deny rules for the provided property.
+ *
+ * @param property The property to test against the allow and deny lists
+ * @return <code>true</code> if this request should be allowed,
+ * <code>false</code> otherwise
+ */
+ private boolean isAllowed(String property) {
+ for (int i = 0; i < this.denies.length; i++) {
+ if (this.denies[i].matcher(property).matches()) {
+ return false;
+ }
+ }
+
+ // Check the allow patterns, if any
+ for (int i = 0; i < this.allows.length; i++) {
+ if (this.allows[i].matcher(property).matches()) {
+ return true;
+ }
+ }
+
+ // Allow if denies specified but not allows
+ if ((this.denies.length > 0) && (this.allows.length == 0)) {
+ return true;
+ }
+
+ // Deny this request
+ return false;
+ }
+
+ private void sendErrorWhenNotHttp(ServletResponse response)
+ throws IOException {
+ response.setContentType(PLAIN_TEXT_MIME_TYPE);
+ response.getWriter().write(sm.getString("http.403"));
+ response.getWriter().flush();
+ }
+
+
+}
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2010-03-12 17:44:17 UTC (rev 1409)
+++ trunk/webapps/docs/changelog.xml 2010-03-12 18:44:44 UTC (rev 1410)
@@ -40,6 +40,9 @@
<update>
Drop standalone code: XML parsing, webapp deployer, annotation processing, naming
support. (remm)
</update>
+ <add>
+ Port over Tomcat utility filters. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">