The Valve Component
Table of Contents
Introduction
A Valve element represents a component that will be inserted into the request processing pipeline for the associated Catalina container (Engine, Host, or Context). Individual Valves have distinct processing capabilities, and are described individually below.
The description below uses the variable name $CATALINA_BASE to refer the base directory against which most relative paths are resolved. If you have not configured Tomcat for multiple instances by setting a CATALINA_BASE directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME, the directory into which you have installed Tomcat.
Access Logging
Access logging is performed by valves that implement org.apache.catalina.AccessLog interface.
Access Log Valve
Introduction
The Access Log Valve creates log files in the
same format as those created by standard web servers. These logs
can later be analyzed by standard log analysis tools to track page
hit counts, user session activity, and so on. This Valve
uses self-contained logic to write its log files, which can be
automatically rolled over at midnight each day. (The essential
requirement for access logging is to handle a large continuous
stream of data with low overhead. This Valve
does not
use Apache Commons Logging, thus avoiding additional overhead and
potentially complex configuration).
This Valve
may be associated with any Catalina container
(Context
, Host
, or Engine
), and
will record ALL requests processed by that container.
Some requests may be handled by Tomcat before they are passed to a
container. These include redirects from /foo to /foo/ and the rejection of
invalid requests. Where Tomcat can identify the Context
that
would have handled the request, the request/response will be logged in the
AccessLog
(s) associated Context
, Host
and Engine
. Where Tomcat cannot identify the
Context
that would have handled the request, e.g. in cases
where the URL is invalid, Tomcat will look first in the Engine
,
then the default Host
for the Engine
and finally
the ROOT (or default) Context
for the default Host
for an AccessLog
implementation. Tomcat will use the first
AccessLog
implementation found to log those requests that are
rejected before they are passed to a container.
The output file will be placed in the directory given by the
directory
attribute. The name of the file is composed
by concatenation of the configured prefix
, timestamp and
suffix
. The format of the timestamp in the file name can be
set using the fileDateFormat
attribute. This timestamp will
be omitted if the file rotation is switched off by setting
rotatable
to false
.
Warning: If multiple AccessLogValve instances are used, they should be configured to use different output files.
If sendfile is used, the response bytes will be written asynchronously in a separate thread and the access log valve will not know how many bytes were actually written. In this case, the number of bytes that was passed to the sendfile thread for writing will be recorded in the access log valve.
Attributes
The Access Log Valve supports the following configuration attributes:
Attribute | Description |
---|---|
buffered |
Flag to determine if logging will be buffered.
If set to |
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.AccessLogValve to use the default access log valve. |
condition |
The same as |
conditionIf |
Turns on conditional logging. If set, requests will be
logged only if |
conditionUnless |
Turns on conditional logging. If set, requests will be
logged only if |
directory |
Absolute or relative pathname of a directory in which log files created by this valve will be placed. If a relative path is specified, it is interpreted as relative to $CATALINA_BASE. If no directory attribute is specified, the default value is "logs" (relative to $CATALINA_BASE). |
encoding |
Character set used to write the log file. An empty string means to use the default character set. Default value: UTF-8. |
fileDateFormat |
Allows a customized timestamp in the access log file name.
The file is rotated whenever the formatted timestamp changes.
The default value is |
ipv6Canonical |
Flag to determine if IPv6 addresses should be represented in canonical
representation format as defined by RFC 5952. If set to |
locale |
The locale used to format timestamps in the access log
lines. Any timestamps configured using an
explicit SimpleDateFormat pattern ( |
maxDays |
The maximum number of days rotated access logs will be retained for
before being deleted. If not specified, the default value of
|
maxLogMessageBufferSize |
Log message buffers are usually recycled and re-used. To prevent
excessive memory usage, if a buffer grows beyond this size it will be
discarded. The default is |
pattern |
A formatting layout identifying the various information fields
from the request and response to be logged, or the word
|
prefix |
The prefix added to the start of each log file's name. If not specified, the default value is "access_log". |
renameOnRotate |
By default for a rotatable log the active access log file name
will contain the current timestamp in |
requestAttributesEnabled |
Set to |
resolveHosts |
This attribute is no longer supported. Use the connector
attribute If you have |
rotatable |
Flag to determine if log rotation should occur.
If set to |
suffix |
The suffix added to the end of each log file's name. If not specified, the default value is "" (a zero-length string), meaning that no suffix will be added. |
Values for the pattern
attribute are made up of literal
text strings, combined with pattern identifiers prefixed by the "%"
character to cause replacement by the corresponding variable value from
the current request and response. The following pattern codes are
supported:
%a
- Remote IP address. See also%{xxx}a
below.%A
- Local IP address%b
- Bytes sent, excluding HTTP headers, or '-' if zero%B
- Bytes sent, excluding HTTP headers%h
- Remote host name (or IP address ifenableLookups
for the connector is false)%H
- Request protocol%l
- Remote logical username from identd (always returns '-')%m
- Request method (GET, POST, etc.)%p
- Local port on which this request was received. See also%{xxx}p
below.%q
- Query string (prepended with a '?' if it exists)%r
- First line of the request (method and request URI)%s
- HTTP status code of the response%S
- User session ID%t
- Date and time, in Common Log Format%u
- Remote user that was authenticated (if any), else '-' (escaped if required)%U
- Requested URL path%v
- Local server name%D
- Time taken to process the request in millis. Note: In httpd %D is microseconds. Behaviour will be aligned to httpd in Tomcat 10 onwards.%T
- Time taken to process the request, in seconds. Note: This value has millisecond resolution whereas in httpd it has second resolution. Behaviour will be align to httpd in Tomcat 10 onwards.%F
- Time taken to commit the response, in milliseconds%I
- Current request thread name (can compare later with stacktraces)%X
- Connection status when response is completed:X
= Connection aborted before the response completed.+
= Connection may be kept alive after the response is sent.-
= Connection will be closed after the response is sent.
There is also support to write information incoming or outgoing
headers, cookies, session or request attributes and special
timestamp formats.
It is modeled after the
Apache HTTP Server log configuration
syntax. Each of them can be used multiple times with different xxx
keys:
%{xxx}a
write remote address (client) (xxx==remote
) or connection peer address (xxx=peer
)%{xxx}i
write value of incoming header with namexxx
(escaped if required)%{xxx}o
write value of outgoing header with namexxx
(escaped if required)%{xxx}c
write value of cookie(s) with namexxx
(comma separated and escaped if required)%{xxx}r
write value of ServletRequest attribute with namexxx
(escaped if required)%{xxx}s
write value of HttpSession attribute with namexxx
(escaped if required)%{xxx}p
write local (server) port (xxx==local
) or remote (client) port (xxx=remote
)%{xxx}t
write timestamp at the end of the request formatted using the enhanced SimpleDateFormat patternxxx
All formats supported by SimpleDateFormat are allowed in %{xxx}t
.
In addition the following extensions have been added:
sec
- number of seconds since the epochmsec
- number of milliseconds since the epochmsec_frac
- millisecond fraction
These formats cannot be mixed with SimpleDateFormat formats in the same format token.
Furthermore one can define whether to log the timestamp for the request start time or the response finish time:
begin
or prefixbegin:
chooses the request start timeend
or prefixend:
chooses the response finish time
By adding multiple %{xxx}t
tokens to the pattern, one can
also log both timestamps.
Escaping is applied as follows:
"
is escaped as\"
\
is escaped as\\
- Standard C escaping are used for
\f
,\n
,\r
,\t
and\v
- Any other control characters or characters with code points above 127
are encoded using the standard Java unicode escaping
(
\uXXXX
)
The shorthand pattern pattern="common"
corresponds to the Common Log Format defined by
'%h %l %u %t "%r" %s %b'.
The shorthand pattern pattern="combined"
appends the values of the Referer
and User-Agent
headers, each in double quotes, to the common
pattern.
When Tomcat is operating behind a reverse proxy, the client information logged by the Access Log Valve may represent the reverse proxy, the browser or some combination of the two depending on the configuration of Tomcat and the reverse proxy. For Tomcat configuration options see Proxies Support and the Proxy How-To. For reverse proxies that use mod_jk, see the generic proxy documentation. For other reverse proxies, consult their documentation.
Extended Access Log Valve
Introduction
The Extended Access Log Valve extends the
Access Log Valve class, and so
uses the same self-contained logging logic. This means it
implements many of the same file handling attributes. The main
difference to the standard AccessLogValve
is that
ExtendedAccessLogValve
creates log files which
conform to the Working Draft for the
Extended Log File Format
defined by the W3C.
Attributes
The Extended Access Log Valve supports all
configuration attributes of the standard
Access Log Valve. Only the
values used for className
and pattern
differ.
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.ExtendedAccessLogValve to use the extended access log valve. |
pattern |
A formatting layout identifying the various information fields from the request and response to be logged. See below for more information on configuring this attribute. |
Values for the pattern
attribute are made up of
format tokens. Some of the tokens need an additional prefix. Possible
prefixes are c
for "client", s
for "server",
cs
for "client to server", sc
for
"server to client" or x
for "application specific".
Furthermore some tokens are completed by an additional selector.
See the W3C specification
for more information about the format.
The following format tokens are supported:
- bytes - Bytes sent, excluding HTTP headers, or '-' if zero
- c-dns - Remote host name (or IP address if
enableLookups
for the connector is false) - c-ip - Remote IP address
- cs-method - Request method (GET, POST, etc.)
- cs-uri - Request URI
- cs-uri-query - Query string (prepended with a '?' if it exists)
- cs-uri-stem - Requested URL path
- date - The date in yyyy-mm-dd format for GMT
- s-dns - Local host name
- s-ip - Local IP address
- sc-status - HTTP status code of the response
- time - Time the request was served in HH:mm:ss format for GMT
- time-taken - Time (in seconds as floating point) taken to serve the request
- x-threadname - Current request thread name (can compare later with stacktraces)
For any of the x-H(XXX)
the following method will be called from the
HttpServletRequest object:
x-H(authType)
: getAuthTypex-H(characterEncoding)
: getCharacterEncodingx-H(contentLength)
: getContentLengthx-H(locale)
: getLocalex-H(protocol)
: getProtocolx-H(remoteUser)
: getRemoteUserx-H(requestedSessionId)
: getRequestedSessionIdx-H(requestedSessionIdFromCookie)
: isRequestedSessionIdFromCookiex-H(requestedSessionIdValid)
: isRequestedSessionIdValidx-H(scheme)
: getSchemex-H(secure)
: isSecure
There is also support to write information about headers cookies, context, request or session attributes and request parameters.
cs(XXX)
for incoming request headers with name XXXsc(XXX)
for outgoing response headers with name XXXx-A(XXX)
for the servlet context attribute with name XXXx-C(XXX)
for the cookie(s) with name XXX (comma separated if required)x-O(XXX)
for a concatenation of all outgoing response headers with name XXXx-P(XXX)
for the URL encoded (using UTF-8) request parameter with name XXXx-R(XXX)
for the request attribute with name XXXx-S(XXX)
for the session attribute with name XXX
Access Control
Remote Address Valve
Introduction
The Remote Address Valve allows you to compare the IP address of the client that submitted this request against one or more regular expressions, and either allow the request to continue or refuse to process the request from this client. A Remote Address Valve can be associated with any Catalina container (Engine, Host, or Context), and must accept any request presented to this container for processing before it will be passed on.
The syntax for regular expressions is different than that for
'standard' wildcard matching. Tomcat uses the java.util.regex
package. Please consult the Java documentation for details of the
expressions supported.
After setting the attribute addConnectorPort
to
true
, one can append the server connector port separated with a
semicolon (";") to allow different expressions for each connector.
By setting the attribute usePeerAddress
to
true
, the valve will use the connection peer address in its
checks. This will differ from the client IP, if a reverse proxy is used
in front of Tomcat in combination with either the AJP protocol, or the
HTTP protocol plus the RemoteIp(Valve|Filter)
.
A refused request will be answered a response with status code
403
. This status code can be overwritten using the attribute
denyStatus
.
By setting the attribute invalidAuthenticationWhenDeny
to
true
, the behavior when a request is refused can be changed
to not deny but instead set an invalid authentication
header. This is useful in combination with the context attribute
preemptiveAuthentication="true"
.
Note: There is a caveat when using this valve with
IPv6 addresses. Format of the IP address that this valve is processing
depends on the API that was used to obtain it. If the address was obtained
from Java socket using Inet6Address class, its format will be
x:x:x:x:x:x:x:x
. That is, the IP address for localhost
will be 0:0:0:0:0:0:0:1
instead of the more widely used
::1
. Consult your access logs for the actual value.
See also: Remote Host Valve, Remote CIDR Valve, Remote IP Valve, HTTP Connector configuration.
Attributes
The Remote Address Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteAddrValve. |
allow |
A regular expression (using |
deny |
A regular expression (using |
denyStatus |
HTTP response status code that is used when rejecting denied
request. The default value is |
addConnectorPort |
Append the server connector port to the client IP address separated
with a semicolon (";"). If this is set to |
invalidAuthenticationWhenDeny |
When a request should be denied, do not deny but instead
set an invalid This can be combined with |
usePeerAddress |
Use the connection peer address instead of the client IP address.
They will differ, if a reverse proxy is used in front of Tomcat in
combination with either the AJP protocol, or the HTTP protocol plus
the |
Example 1
To allow access only for the clients connecting from localhost:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
Example 2
To allow unrestricted access for the clients connecting from localhost but for all other clients only to port 8443:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
addConnectorPort="true"
allow="127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*|.*;8443"/>
Example 3
To allow unrestricted access to port 8009, but trigger basic authentication if the application is accessed on another port:
<Context>
...
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
addConnectorPort="true"
invalidAuthenticationWhenDeny="true"
allow=".*;8009"/>
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
...
</Context>
Remote Host Valve
Introduction
The Remote Host Valve allows you to compare the hostname of the client that submitted this request against one or more regular expressions, and either allow the request to continue or refuse to process the request from this client. A Remote Host Valve can be associated with any Catalina container (Engine, Host, or Context), and must accept any request presented to this container for processing before it will be passed on.
The syntax for regular expressions is different than that for
'standard' wildcard matching. Tomcat uses the java.util.regex
package. Please consult the Java documentation for details of the
expressions supported.
After setting the attribute addConnectorPort
to
true
, one can append the server connector port separated with a
semicolon (";") to allow different expressions for each connector.
A refused request will be answered a response with status code
403
. This status code can be overwritten using the attribute
denyStatus
.
By setting the attribute invalidAuthenticationWhenDeny
to
true
, the behavior when a request is refused can be changed
to not deny but instead set an invalid authentication
header. This is useful in combination with the context attribute
preemptiveAuthentication="true"
.
Note: This valve processes the value returned by
method ServletRequest.getRemoteHost()
. To allow the method
to return proper host names, you have to enable "DNS lookups" feature on
a Connector.
See also: Remote Address Valve, Remote CIDR Valve, Remote IP Valve, HTTP Connector configuration.
Attributes
The Remote Host Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteHostValve. |
allow |
A regular expression (using |
deny |
A regular expression (using |
denyStatus |
HTTP response status code that is used when rejecting denied
request. The default value is |
addConnectorPort |
Append the server connector port to the client hostname separated
with a semicolon (";"). If this is set to |
invalidAuthenticationWhenDeny |
When a request should be denied, do not deny but instead
set an invalid This can be combined with |
Remote CIDR Valve
Introduction
The Remote CIDR Valve allows you to compare the IP address of the client that submitted this request against one or more netmasks following the CIDR notation, and either allow the request to continue or refuse to process the request from this client. IPv4 and IPv6 are both fully supported. A Remote CIDR Valve can be associated with any Catalina container (Engine, Host, or Context), and must accept any request presented to this container for processing before it will be passed on.
This valve mimics Apache's Order
,
Allow from
and Deny from
directives,
with the following limitations:
Order
will always beallow, deny
;- dotted quad notations for netmasks are not supported (that is, you
cannot write
192.168.1.0/255.255.255.0
, you must write192.168.1.0/24
; - shortcuts, like
10.10.
, which is equivalent to10.10.0.0/16
, are not supported; - as the valve name says, this is a CIDR only valve,
therefore subdomain notations like
.mydomain.com
are not supported either.
After setting the attribute addConnectorPort
to
true
, one can append the server connector port separated with a
semicolon (";") to allow different expressions for each connector.
By setting the attribute usePeerAddress
to
true
, the valve will use the connection peer address in its
checks. This will differ from the client IP, if a reverse proxy is used
in front of Tomcat in combination with either the AJP protocol, or the
HTTP protocol plus the RemoteIp(Valve|Filter)
.
A refused request will be answered a response with status code
403
. This status code can be overwritten using the attribute
denyStatus
.
By setting the attribute invalidAuthenticationWhenDeny
to
true
, the behavior when a request is refused can be changed
to not deny but instead set an invalid authentication
header. This is useful in combination with the context attribute
preemptiveAuthentication="true"
.
Some more features of this valve are:
- if you omit the CIDR prefix, this valve becomes a single IP valve;
- unlike the Remote Host Valve,
it can handle IPv6 addresses in condensed form (
::1
,fe80::/71
, etc).
See also: Remote Address Valve, Remote Host Valve, Remote IP Valve, HTTP Connector configuration.
Attributes
The Remote CIDR Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteCIDRValve. |
allow |
A comma-separated list of IPv4 or IPv6 netmasks or addresses
that the remote client's IP address is matched against.
If this attribute is specified, the remote address MUST match
for this request to be accepted. If this attribute is not specified,
all requests will be accepted UNLESS the remote IP is matched by a
netmask in the |
deny |
A comma-separated list of IPv4 or IPv6 netmasks or addresses
that the remote client's IP address is matched against.
If this attribute is specified, the remote address MUST NOT match
for this request to be accepted. If this attribute is not specified,
request acceptance is governed solely by the |
denyStatus |
HTTP response status code that is used when rejecting denied
request. The default value is |
addConnectorPort |
Append the server connector port to the client IP address separated
with a semicolon (";"). If this is set to |
invalidAuthenticationWhenDeny |
When a request should be denied, do not deny but instead
set an invalid This can be combined with |
usePeerAddress |
Use the connection peer address instead of the client IP address.
They will differ, if a reverse proxy is used in front of Tomcat in
combination with either the AJP protocol, or the HTTP protocol plus
the |
Example 1
To allow access only for the clients connecting from localhost:
<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
allow="127.0.0.1, ::1"/>
Example 2
To allow unrestricted access for the clients connecting from the local network but for all clients in network 10. only to port 8443:
<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
addConnectorPort="true"
allow="127.0.0.1;\d*|::1;\d*|10.0.0.0/8;8443"/>
Example 3
To allow access to port 8009 from network 10., but trigger basic authentication if the application is accessed on another port:
<Context>
...
<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
addConnectorPort="true"
invalidAuthenticationWhenDeny="true"
allow="10.0.0.0/8;8009"/>
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
...
</Context>
Proxies Support
Load Balancer Draining Valve
Introduction
When using mod_jk or mod_proxy_ajp, the client's session id is used to determine which back-end server will be used to serve the request. If the target node is being "drained" (in mod_jk, this is the DISABLED state; in mod_proxy_ajp, this is the Drain (N) state), requests for expired sessions can actually cause the draining node to fail to drain.
Unfortunately, AJP-based load-balancers cannot prove whether the client-provided session id is valid or not and therefore will send any requests for a session that appears to be targeted to that node to the disabled (or "draining") node, causing the "draining" process to take longer than necessary.
This Valve detects requests for invalid sessions, strips the session information from the request, and redirects back to the same URL, where the load-balancer should choose a different (active) node to handle the request. This will accelerate the "draining" process for the disabled node(s).
The activation state of the node is sent by the load-balancer in the request, so no state change on the node being disabled is necessary. Simply configure this Valve in your valve pipeline and it will take action when the activation state is set to "disabled".
You should take care to register this Valve earlier in the Valve pipeline than any authentication Valves, because this Valve should be able to redirect a request before any authentication Valve saves a request to a protected resource. If this happens, a new session will be created and the draining process will stall because a new, valid session will be established.
Attributes
The Load Balancer Draining Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.LoadBalancerDrainingValve. |
redirectStatusCode |
Allows setting a custom redirect code to be used when the client is redirected to be re-balanced by the load-balancer. The default is 307 TEMPORARY_REDIRECT. |
ignoreCookieName |
When used with |
ignoreCookieValue |
When used with |
Remote IP Valve
Introduction
Tomcat port of mod_remoteip, this valve replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").
Another feature of this valve is to replace the apparent scheme
(http/https), server port and request.secure
with the scheme presented
by a proxy or a load balancer via a request header
(e.g. "X-Forwarded-Proto").
This Valve may be used at the Engine
, Host
or
Context
level as required. Normally, this Valve would be used
at the Engine
level.
If used in conjunction with Remote Address/Host valves then this valve should be defined first to ensure that the correct client IP address is presented to the Remote Address/Host valves.
Note: By default this valve has no effect on the
values that are written into access log. The original values are restored
when request processing leaves the valve and that always happens earlier
than access logging. To pass the remote address, remote host, server port
and protocol values set by this valve to the access log,
they are put into request attributes. Publishing these values here
is enabled by default, but AccessLogValve
should be explicitly
configured to use them. See documentation for
requestAttributesEnabled
attribute of
AccessLogValve
.
The names of request attributes that are set by this valve and can be used by access logging are the following:
org.apache.catalina.AccessLog.RemoteAddr
org.apache.catalina.AccessLog.RemoteHost
org.apache.catalina.AccessLog.Protocol
org.apache.catalina.AccessLog.ServerPort
org.apache.tomcat.remoteAddr
Attributes
The Remote IP Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteIpValve. |
remoteIpHeader |
Name of the HTTP Header read by this valve that holds the list of
traversed IP addresses starting from the requesting client. If not
specified, the default of |
internalProxies |
Regular expression (using |
proxiesHeader |
Name of the HTTP header created by this valve to hold the list of
proxies that have been processed in the incoming
remoteIpHeader. If not specified, the default of
|
requestAttributesEnabled |
Set to |
trustedProxies |
Regular expression (using |
protocolHeader |
Name of the HTTP Header read by this valve that holds the protocol
used by the client to connect to the proxy. If not specified, the
default of |
hostHeader |
Name of the HTTP Header read by this valve that holds the host
used by the client to connect to the proxy. If not specified, the
default of |
portHeader |
Name of the HTTP Header read by this valve that holds the port
used by the client to connect to the proxy. If not specified, the
default of |
protocolHeaderHttpsValue |
Value of the protocolHeader to indicate that it is
an HTTPS request. If not specified, the default of |
httpServerPort |
Value returned by |
httpsServerPort |
Value returned by |
changeLocalName |
If |
changeLocalPort |
If |
SSL Valve
Introduction
When using mod_proxy_http, the client SSL information is not included in the protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL information available to Tomcat, some additional configuration is required. In httpd, mod_headers is used to add the SSL information as HTTP headers. In Tomcat, this valve is used to read the information from the HTTP headers and insert it into the request.
Note: Ensure that the headers are always set by httpd for all requests to prevent a client spoofing SSL information by sending fake headers.
To configure httpd to set the necessary headers, add the following:
<IfModule ssl_module>
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
</IfModule>
Attributes
The SSL Valve supports the following configuration attribute:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.SSLValve. |
sslClientCertHeader |
Allows setting a custom name for the ssl_client_cert header.
If not specified, the default of |
sslClientEscapedCertHeader |
Allows setting a custom name for the ssl_client_escaped_cert header.
If not specified, the default of This header is useful for Nginx proxying, and takes precedence over the ssl_client_cert header. |
sslCipherHeader |
Allows setting a custom name for the ssl_cipher header.
If not specified, the default of |
sslSessionIdHeader |
Allows setting a custom name for the ssl_session_id header.
If not specified, the default of |
sslCipherUserKeySizeHeader |
Allows setting a custom name for the ssl_cipher_usekeysize header.
If not specified, the default of |
Single Sign On Valve
Introduction
The Single Sign On Valve is utilized when you wish to give users the ability to sign on to any one of the web applications associated with your virtual host, and then have their identity recognized by all other web applications on the same virtual host.
See the Single Sign On special feature on the Host element for more information.
Attributes
The Single Sign On Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.SingleSignOn. |
requireReauthentication |
Default false. Flag to determine whether each request needs to be reauthenticated to the security Realm. If "true", this Valve uses cached security credentials (username and password) to reauthenticate to the Realm each request associated with an SSO session. If "false", the Valve can itself authenticate requests based on the presence of a valid SSO cookie, without rechecking with the Realm. |
cookieDomain |
Sets the host domain to be used for sso cookies. |
cookieName |
Sets the cookie name to be used for sso cookies. The default value
is |
Authentication
The valves in this section implement org.apache.catalina.Authenticator interface.
Basic Authenticator Valve
Introduction
Attributes
The Basic Authenticator Valve supports the following configuration attributes:
Attribute | Description |
---|---|
allowCorsPreflight |
Are requests that appear to be CORS preflight requests allowed to
bypass the authenticator as required by the CORS specification. The
allowed values are |
alwaysUseSession |
Should a session always be used once a user is authenticated? This
may offer some performance benefits since the session can then be used
to cache the authenticated Principal, hence removing the need to
authenticate the user via the Realm on every request. This may be of
help for combinations such as BASIC authentication used with the
JNDIRealm or DataSourceRealms. However there will also be the
performance cost of creating and GC'ing the session. If not set, the
default value of |
cache |
Should we cache authenticated Principals if the request is part of an
HTTP session? If not specified, the default value of |
changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of |
charset |
Controls if the |
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.BasicAuthenticator. |
disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to |
securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to |
secureRandomAlgorithm |
Name of the algorithm to use to create the
|
secureRandomClass |
Name of the Java class that extends
|
secureRandomProvider |
Name of the provider to use to create the
|
sendAuthInfoResponseHeaders |
Controls whether the auth information (remote user and auth type)
shall be returned as response headers for a forwarded/proxied request.
When the |
trimCredentials |
Controls whether leading and/or trailing whitespace is removed from
the parsed credentials. If not specified, the default value is
|
jaspicCallbackHandlerClass |
Name of the Java class of the
|
Digest Authenticator Valve
Introduction
Attributes
The Digest Authenticator Valve supports the following configuration attributes:
Attribute | Description |
---|---|
allowCorsPreflight |
Are requests that appear to be CORS preflight requests allowed to
bypass the authenticator as required by the CORS specification. The
allowed values are |
alwaysUseSession |
Should a session always be used once a user is authenticated? This
may offer some performance benefits since the session can then be used
to cache the authenticated Principal, hence removing the need to
authenticate the user via the Realm on every request. This may be of
help for combinations such as BASIC authentication used with the
JNDIRealm or DataSourceRealms. However there will also be the
performance cost of creating and GC'ing the session. If not set, the
default value of |
cache |
Should we cache authenticated Principals if the request is part of an
HTTP session? If not specified, the default value of |
changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of |
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.DigestAuthenticator. |
disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to |
key |
The secret key used by digest authentication. If not set, a secure random value is generated. This should normally only be set when it is necessary to keep key values constant either across server restarts and/or across a cluster. |
nonceCacheSize |
To protect against replay attacks, the DIGEST authenticator tracks server nonce and nonce count values. This attribute controls the size of that cache. If not specified, the default value of 1000 is used. |
nonceCountWindowSize |
Client requests may be processed out of order which in turn means that the nonce count values may be processed out of order. To prevent authentication failures when nonce counts are presented out of order the authenticator tracks a window of nonce count values. This attribute controls how big that window is. If not specified, the default value of 100 is used. |
nonceValidity |
The time, in milliseconds, that a server generated nonce will be considered valid for use in authentication. If not specified, the default value of 300000 (5 minutes) will be used. |
opaque |
The opaque server string used by digest authentication. If not set, a random value is generated. This should normally only be set when it is necessary to keep opaque values constant either across server restarts and/or across a cluster. |
securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to |
secureRandomAlgorithm |
Name of the algorithm to use to create the
|
secureRandomClass |
Name of the Java class that extends
|
secureRandomProvider |
Name of the provider to use to create the
|
sendAuthInfoResponseHeaders |
Controls whether the auth information (remote user and auth type)
shall be returned as response headers for a forwarded/proxied request.
When the |
validateUri |
Should the URI be validated as required by RFC2617? If not specified,
the default value of |
jaspicCallbackHandlerClass |
Name of the Java class of the
|
Form Authenticator Valve
Introduction
Attributes
The Form Authenticator Valve supports the following configuration attributes:
Attribute | Description |
---|---|
allowCorsPreflight |
Are requests that appear to be CORS preflight requests allowed to
bypass the authenticator as required by the CORS specification. The
allowed values are |
changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of |
characterEncoding |
Character encoding to use to read the username and password parameters from the request. If not set, the encoding of the request body will be used. |
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.FormAuthenticator. |
disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to |
landingPage |
Controls the behavior of the FORM authentication process if the process is misused, for example by directly requesting the login page or delaying logging in for so long that the session expires. If this attribute is set, rather than returning an error response code, Tomcat will redirect the user to the specified landing page if the login form is submitted with valid credentials. For the login to be processed, the landing page must be a protected resource (i.e. one that requires authentication). If the landing page does not require authentication then the user will not be logged in and will be prompted for their credentials again when they access a protected page. |
securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to |
secureRandomAlgorithm |
Name of the algorithm to use to create the
|
secureRandomClass |
Name of the Java class that extends
|
secureRandomProvider |
Name of the provider to use to create the
|
sendAuthInfoResponseHeaders |
Controls whether the auth information (remote user and auth type)
shall be returned as response headers for a forwarded/proxied request.
When the |
jaspicCallbackHandlerClass |
Name of the Java class of the
|
SSL Authenticator Valve
Introduction
Attributes
The SSL Authenticator Valve supports the following configuration attributes:
Attribute | Description |
---|---|
allowCorsPreflight |
Are requests that appear to be CORS preflight requests allowed to
bypass the authenticator as required by the CORS specification. The
allowed values are |
cache |
Should we cache authenticated Principals if the request is part of an
HTTP session? If not specified, the default value of |
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.SSLAuthenticator. |
changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of |
disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to |
securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to |
secureRandomAlgorithm |
Name of the algorithm to use to create the
|
secureRandomClass |
Name of the Java class that extends
|
secureRandomProvider |
Name of the provider to use to create the
|
jaspicCallbackHandlerClass |
Name of the Java class of the
|
SPNEGO Valve
Introduction
Attributes
The SPNEGO Authenticator Valve supports the following configuration attributes:
Attribute | Description |
---|---|
allowCorsPreflight |
Are requests that appear to be CORS preflight requests allowed to
bypass the authenticator as required by the CORS specification. The
allowed values are |
alwaysUseSession |
Should a session always be used once a user is authenticated? This
may offer some performance benefits since the session can then be used
to cache the authenticated Principal, hence removing the need to
authenticate the user on every request. This will also help with clients
that assume that the server will cache the authenticated user. However
there will also be the performance cost of creating and GC'ing the
session. For an alternative solution see
|
applyJava8u40Fix |
A fix introduced in Java 8 update 40 (
JDK-8048194)
onwards broke SPNEGO authentication for IE with Tomcat running on
Windows 2008 R2 servers. This option enables a work-around that allows
SPNEGO authentication to continue working. The work-around should not
impact other configurations so it is enabled by default. If necessary,
the workaround can be disabled by setting this attribute to
|
cache |
Should we cache authenticated Principals if the request is part of an
HTTP session? If not specified, the default value of |
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.SpnegoAuthenticator. |
changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of |
disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to |
loginConfigName |
The name of the JAAS login configuration to be used to login as the
service. If not specified, the default of
|
noKeepAliveUserAgents |
Some clients (not most browsers) expect the server to cache the
authenticated user information for a connection and do not resend the
credentials with every request. Tomcat will not do this unless an HTTP
session is available. A session will be available if either the
application creates one or if As an alternative to creating a session, this attribute may be used to define the user agents for which HTTP keep-alive is disabled. This means that a connection will only used for a single request and hence there is no ability to cache authenticated user information per connection. There will be a performance cost in disabling HTTP keep-alive. The attribute should be a regular expression that matches the entire
user-agent string, e.g. |
securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to |
secureRandomAlgorithm |
Name of the algorithm to use to create the
|
secureRandomClass |
Name of the Java class that extends
|
secureRandomProvider |
Name of the provider to use to create the
|
sendAuthInfoResponseHeaders |
Controls whether the auth information (remote user and auth type)
shall be returned as response headers for a forwarded/proxied request.
When the |
storeDelegatedCredential |
Controls if the user' delegated credential will be stored in
the user Principal. If available, the delegated credential will be
available to applications (e.g. for onward authentication to external
services) via the |
jaspicCallbackHandlerClass |
Name of the Java class of the
|
Error Report Valve
Introduction
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types.
NOTE: Disabling both showServerInfo and showReport will only return the HTTP status code.
Attributes
The Error Report Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.ErrorReportValve to use the default error report valve. |
errorCode.nnn |
The location of the UTF-8 encoded HTML file to return for the HTTP
error code represented by |
exceptionType.fullyQualifiedClassName |
The location of the UTF-8 encoded HTML file to return if an error has
occurred and the |
showReport |
Flag to determine if the error report (custom error message and/or
stack trace) is presented when an error occurs. If set to
|
showServerInfo |
Flag to determine if server information is presented when an error
occurs. If set to |
Json Error Report Valve
Introduction
The Json Error Report Valve is a simple error handler for HTTP status codes that will return Json error messages.
By specifying this class in errorReportValveClass
attribute
in HOST
, it will be used instead of
ErrorReportValve
and will return JSON response instead of HTML.
Attributes
The Json Error Report Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.JsonErrorReportValve. |
Crawler Session Manager Valve
Introduction
Web crawlers can trigger the creation of many thousands of sessions as they crawl a site which may result in significant memory consumption. This Valve ensures that crawlers are associated with a single session - just like normal users - regardless of whether or not they provide a session token with their requests.
This Valve may be used at the Engine
, Host
or
Context
level as required. Normally, this Valve would be used
at the Engine
level.
If used in conjunction with Remote IP valve then the Remote IP valve should be defined before this valve to ensure that the correct client IP address is presented to this valve.
Attributes
The Crawler Session Manager Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.CrawlerSessionManagerValve. |
contextAware |
Flag to use the context name together with the client IP to
identify the session to re-use. Can be combined with |
crawlerIps |
Regular expression (using |
crawlerUserAgents |
Regular expression (using |
hostAware |
Flag to use the configured host together with the client IP to
identify the session to re-use. Can be combined with |
sessionInactiveInterval |
The minimum time in seconds that the Crawler Session Manager Valve
should keep the mapping of client IP to session ID in memory without any
activity from the client. The client IP / session cache will be
periodically purged of mappings that have been inactive for longer than
this interval. If not specified the default value of |
Stuck Thread Detection Valve
Introduction
This valve allows to detect requests that take a long time to process, which might indicate that the thread that is processing it is stuck. Additionally it can optionally interrupt such threads to try and unblock them.
When such a request is detected, the current stack trace of its thread is written to Tomcat log with a WARN level.
The IDs and names of the stuck threads are available through JMX in the
stuckThreadIds
and stuckThreadNames
attributes.
The IDs can be used with the standard Threading JVM MBean
(java.lang:type=Threading
) to retrieve other information
about each stuck thread.
Attributes
The Stuck Thread Detection Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.StuckThreadDetectionValve. |
threshold |
Minimum duration in seconds after which a thread is considered stuck. Default is 600 seconds. If set to 0, the detection is disabled. Note: since the detection (and optional interruption) is done in the
background thread of the Container (Engine, Host or Context) declaring
this Valve, the threshold should be higher than the
|
interruptThreadThreshold |
Minimum duration in seconds after which a stuck thread should be interrupted to attempt to "free" it. Note that there's no guarantee that the thread will get unstuck. This usually works well for threads stuck on I/O or locks, but is probably useless in case of infinite loops. Default is -1 which disables the feature. To enable it, the value
must be greater or equal to |
Semaphore Valve
Introduction
The Semaphore Valve is able to limit the number of concurrent request processing threads.
org.apache.catalina.valves.SemaphoreValve provides methods which may be overridden by a subclass to customize behavior:
controlConcurrency
may be overridden to add conditions;permitDenied
may be overridden to add error handling when a permit isn't granted.
Attributes
The Semaphore Valve supports the following configuration attributes:
Attribute | Description |
---|---|
block |
Flag to determine if a thread is blocked until a permit is available. The default value is true. |
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.SemaphoreValve. |
concurrency |
Concurrency level of the semaphore. The default value is 10. |
fairness |
Fairness of the semaphore. The default value is false. |
interruptible |
Flag to determine if a thread may be interrupted until a permit is available. The default value is false. |
Persistent Valve
Introduction
The PersistentValve that implements per-request session persistence. It is intended to be used with non-sticky load-balancers.
Attributes
The PersistentValve Valve supports the following configuration attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.PersistentValve. |
filter |
For known file extensions or urls, you can use this filter pattern to
notify the valve that no session required during this request. If the
request matches this filter pattern, the valve assumes there has been no
need to restore session. An example filter would look like |