Author: markt
Date: Wed Oct 26 15:02:01 2011
New Revision: 1189256
URL: http://svn.apache.org/viewvc?rev=1189256&view=rev
Log:
Make configuration issues for security related valves and filters result in the
failure of the valve or filter rather than just a warning message.
Modified:
tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/trunk/java/org/apache/catalina/filters/FilterBase.java
tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java
tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
Modified:
tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1189256&r1=1189255&r2=1189256&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Wed
Oct 26 15:02:01 2011
@@ -186,6 +186,13 @@ public class CsrfPreventionFilter extend
chain.doFilter(request, wResponse);
}
+
+ @Override
+ protected boolean isConfigProblemFatal() {
+ return true;
+ }
+
+
/**
* Generate a once time token (nonce) for authenticating subsequent
* requests. This will also add the token to the session. The nonce
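Review bot: The new `isConfigProblemFatal()` override has no Javadoc, so nothing at the override says why this filter departs from the `FilterBase` default of `false`. A short comment would record the intent, for example `/** Configuration errors are fatal here: a CSRF filter with an ignored or misspelt init parameter must fail at startup rather than run with unintended settings. */`. The identical override added to `RequestFilter` in this commit would benefit from the same one-line explanation. The hunk ends inside the Javadoc of the next method, so the rest of the class is not visible here.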
Modified: tomcat/trunk/java/org/apache/catalina/filters/FilterBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/FilterBase.java?rev=1189256&r1=1189255&r2=1189256&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/FilterBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/FilterBase.java Wed Oct 26
15:02:01 2011
@@ -47,8 +47,13 @@ public abstract class FilterBase impleme
String paramName = paramNames.nextElement();
if (!IntrospectionUtils.setProperty(this, paramName,
filterConfig.getInitParameter(paramName))) {
- getLogger().warn(sm.getString("filterbase.noSuchProperty",
- paramName, this.getClass().getName()));
+ String msg = sm.getString("filterbase.noSuchProperty",
+ paramName, this.getClass().getName());
+ if (isConfigProblemFatal()) {
+ throw new ServletException(msg);
+ } else {
+ getLogger().warn(msg);
+ }
}
}
}
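Review bot: The `ServletException` thrown in the fatal branch always carries the `filterbase.noSuchProperty` text, although the Javadoc added further down says the fatal path also covers an exception raised by a setter. How `IntrospectionUtils.setProperty` reports a setter that threw is not visible in this hunk. If it also returns `false` in that case, an invalid value (such as a bad regular expression) would stop the application with a message claiming the property does not exist. A comment such as `// false covers an unknown attribute and, presumably, a setter that rejected the value` would at least flag this for whoever reads the startup failure. The enclosing `init` method starts outside the hunk.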
@@ -58,4 +63,15 @@ public abstract class FilterBase impleme
// NOOP
}
+ /**
+ * Determines if an exception when calling a setter or an unknown
+ * configuration attribute triggers the failure of the this filter which in
+ * turn will prevent the web application from starting.
+ *
+ * @return <code>true</true> if a problem should trigger the failure of
this
+ * filter, else <code>false</code>
+ */
+ protected boolean isConfigProblemFatal() {
+ return false;
+ }
}
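Review bot: The Javadoc added for `isConfigProblemFatal()` has a mismatched tag and a duplicated word. `<code>true</true>` should read `<code>true</code>`, and "the failure of the this filter" should read "the failure of this filter". Since subclasses override this method to turn a security filter from warn-only to fail-at-startup, it would also help to add a sentence saying that security-relevant filters are expected to return `true`.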
Modified: tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java?rev=1189256&r1=1189255&r2=1189256&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java Wed Oct 26
15:02:01 2011
@@ -158,6 +158,12 @@ public abstract class RequestFilter exte
// ------------------------------------------------------ Protected Methods
+ @Override
+ protected boolean isConfigProblemFatal() {
+ return true;
+ }
+
+
/**
* Perform the filtering that has been configured for this Filter, matching
* against the specified request property.
@@ -185,6 +191,7 @@ public abstract class RequestFilter exte
}
}
+
/**
* Perform the filtering that has been configured for this Filter, matching
* against the specified request property.
Modified: tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties?rev=1189256&r1=1189255&r2=1189256&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/valves/LocalStrings.properties Wed
Oct 26 15:02:01 2011
@@ -40,6 +40,8 @@ errorReportValve.rootCauseInLogs=The ful
# Remote IP valve
remoteIpValve.invalidPortHeader=Invalid value [{0}] found for port in HTTP
header [{1}]
+requestFilterValve.configInvalid=One or more invalid configuration settings
were provided for the Remote[Host|Ip]Valve which prevented the Valve and its
parent containers from starting
+
sslValve.certError=Failed to process certificate string [{0}] to create a
java.security.cert.X509Certificate object
sslValve.invalidProvider=The SSL provider specified on the connector
associated with this request of [{0}] is invalid. The certificate data could
not be processed.
Modified: tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java?rev=1189256&r1=1189255&r2=1189256&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/valves/RequestFilterValve.java Wed
Oct 26 15:02:01 2011
@@ -23,6 +23,7 @@ import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
+import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
@@ -71,12 +72,14 @@ public abstract class RequestFilterValve
* The regular expression used to test for allowed requests.
*/
protected volatile Pattern allow = null;
+ protected volatile boolean allowValid = true;
/**
* The regular expression used to test for denied requests.
*/
protected volatile Pattern deny = null;
+ protected volatile boolean denyValid = true;
// ------------------------------------------------------------- Properties
@@ -105,8 +108,15 @@ public abstract class RequestFilterValve
public void setAllow(String allow) {
if (allow == null || allow.length() == 0) {
this.allow = null;
+ allowValid = true;
} else {
- this.allow = Pattern.compile(allow);
+ boolean success = false;
+ try {
+ this.allow = Pattern.compile(allow);
+ success = true;
+ } finally {
+ allowValid = success;
+ }
}
}
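Review bot: When `Pattern.compile` throws in `setAllow`, `this.allow` keeps whatever pattern was assigned before and only `allowValid` records the failure, so the two volatile fields can disagree about the current configuration. `setDeny` in the next hunk has the same shape. Whether the request-handling path consults the flags is not visible in this diff, and if it does not, a valve that is already running keeps filtering with the old expression after a rejected update. The new fields are also undocumented, so a comment would help, for example `// false when the most recent setAllow() value failed to compile; checked in initInternal()`.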
@@ -134,8 +144,15 @@ public abstract class RequestFilterValve
public void setDeny(String deny) {
if (deny == null || deny.length() == 0) {
this.deny = null;
+ denyValid = true;
} else {
- this.deny = Pattern.compile(deny);
+ boolean success = false;
+ try {
+ this.deny = Pattern.compile(deny);
+ success = true;
+ } finally {
+ denyValid = success;
+ }
}
}
@@ -162,6 +179,16 @@ public abstract class RequestFilterValve
// ------------------------------------------------------ Protected Methods
+ @Override
+ protected void initInternal() throws LifecycleException {
+ super.initInternal();
+ if (!allowValid || !denyValid) {
+ throw new LifecycleException(
+ sm.getString("requestFilterValve.configInvalid"));
+ }
+ }
+
+
/**
* Perform the filtering that has been configured for this Valve, matching
* against the specified request property.
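Review bot: The validity check sits only in `initInternal()`, which the lifecycle normally runs once. An invalid `allow` or `deny` supplied after initialisation, for instance through a management interface followed by a stop and start, would leave the flags `false` without anything in this diff acting on them. Repeating the check in `startInternal()` would make every start fail closed on a bad pattern. The rest of the class, including the request-processing method, lies outside the hunk.
```java
@Override
protected synchronized void startInternal() throws LifecycleException {
    // Re-check on every start, not just the first init.
    if (!allowValid || !denyValid) {
        throw new LifecycleException(
                sm.getString("requestFilterValve.configInvalid"));
    }
    super.startInternal();
}
```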