Attachment 24471 Details for Bug 47330 – Fixed Tomcat 7 patch with successful test case

[patch] Fixed Tomcat 7 patch with successful test case

bug47330-tc7-valve-v3.patch (text/plain), 52.39 KB, created by Cyrille Le Clerc on 2009-11-04 01:04:03 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Cyrille Le Clerc

Created: 2009-11-04 01:04:03 UTC

Size: 52.39 KB

patch

obsolete

>Index: webapps/docs/config/valve.xml
>===================================================================
>--- webapps/docs/config/valve.xml	(revision 832111)
>+++ webapps/docs/config/valve.xml	(working copy)
>@@ -624,6 +624,88 @@
> </section>
> 
> 
>+<section name="Remote IP Valve">
>+
>+ <subsection name="Introduction">
>+ 
>+ Tomcat port of
>+ <a href="http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html">mod_remoteip</a>,
>+ this valve replaces the apparent client remote IP address and hostname for
>+ the request with the IP address list presented by a proxy or a load balancer
>+ via a request headers (e.g. &quot;X-Forwarded-For&quot;).
>+
>+ Another feature of this valve is to replace the apparent scheme
>+ (http/https) and server port with the scheme presented by a proxy or a load
>+ balancer via a request header (e.g. &quot;X-Forwarded-Proto&quot;).
>+ 
>+ This Valve may be used at the <code>Engine</code>, <code>Host</code> or
>+ <code>Context</code> level as required. Normally, this Valve would be used
>+ at the <code>Engine</code> level.
>+
>+ </subsection>
>+
>+ <subsection name="Attributes">
>+
>+ The Remote IP Valve supports the
>+ following configuration attributes:
>+
>+ <attributes>
>+
>+ <attribute name="className" required="true">
>+ Java class name of the implementation to use. This MUST be set to
>+ org.apache.catalina.valves.RemoteIpValve.
>+ </attribute>
>+
>+ <attribute name="remoteIPHeader" required="false">
>+ Name of the HTTP Header read by this valve that holds the list of
>+ traversed IP addresses starting from the requesting client. If not
>+ specified, the default of <code>x-forwarded-for</code> is used.
>+ </attribute>
>+
>+ <attribute name="internalProxies" required="false">
>+ List of internal proxies' IP addresses as comma separated regular
>+ expressions. If they appear in the remoteIpHeader
>+ value, they will be trusted and will not appear in the
>+ proxiesHeader value. If not specified the default value
>+ of <code>10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
>+ 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}</code> will
>+ be used.
>+ </attribute>
>+
>+ <attribute name="proxiesHeader" required="false">
>+ Name of the HTTP header created by this valve to hold the list of
>+ proxies that have been processed in the incoming
>+ remoteIpHeader. If not specified, the default of
>+ <code>x-forwarded-by</code> is used.
>+ </attribute>
>+
>+ <attribute name="trustedProxies" required="false">
>+ List of trusted proxies' IP addresses as comma separated regular
>+ expressions. If they appear in the remoteIpHeader
>+ value, they will be trusted and will appear in the
>+ proxiesHeader value. If not specified, no proxies will
>+ be trusted.
>+ </attribute>
>+
>+ <attribute name="protocolHeader" required="false">
>+ Name of the HTTP Header read by this valve that holds the protocol
>+ used by the client to connect to the proxy. If not specified, the
>+ default of <code>null</code> is used.
>+ </attribute>
>+
>+ <attribute name="protocolHeaderHttpsValue" required="false">
>+ Value of the protocolHeader to indicate that it is
>+ an HTTPS request. If not specified, the default of <code>https</code> is
>+ used.
>+ </attribute>
>+
>+ </attributes>
>+
>+ </subsection>
>+
>+</section>
>+
>+
> </body>
> 
> 
>Index: test/org/apache/catalina/valves/RemoteIpValveTest.java
>===================================================================
>--- test/org/apache/catalina/valves/RemoteIpValveTest.java	(revision 0)
>+++ test/org/apache/catalina/valves/RemoteIpValveTest.java	(revision 0)
>@@ -0,0 +1,386 @@
>+/*
>+ * Licensed to the Apache Software Foundation (ASF) under one or more
>+ * contributor license agreements. See the NOTICE file distributed with
>+ * this work for additional information regarding copyright ownership.
>+ * The ASF licenses this file to You under the Apache License, Version 2.0
>+ * (the "License"); you may not use this file except in compliance with
>+ * the License. You may obtain a copy of the License at
>+ * 
>+ * http://www.apache.org/licenses/LICENSE-2.0
>+ * 
>+ * Unless required by applicable law or agreed to in writing, software
>+ * distributed under the License is distributed on an "AS IS" BASIS,
>+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>+ * See the License for the specific language governing permissions and
>+ * limitations under the License.
>+ */
>+
>+package org.apache.catalina.valves;
>+
>+import java.io.IOException;
>+import java.util.ArrayList;
>+import java.util.Arrays;
>+import java.util.List;
>+
>+import javax.servlet.ServletException;
>+
>+import junit.framework.TestCase;
>+
>+import org.apache.catalina.connector.Request;
>+import org.apache.catalina.connector.Response;
>+import org.apache.catalina.valves.ValveBase;
>+
>+/**
>+ * {@link RemoteIpValve} Tests
>+ */
>+public class RemoteIpValveTest extends TestCase {
>+ 
>+ static class RemoteAddrAndHostTrackerValve extends ValveBase {
>+ private String remoteAddr;
>+ private String remoteHost;
>+ 
>+ public String getRemoteAddr() {
>+ return remoteAddr;
>+ }
>+ 
>+ public String getRemoteHost() {
>+ return remoteHost;
>+ }
>+ 
>+ @Override
>+ public void invoke(Request request, Response response) throws IOException, ServletException {
>+ this.remoteHost = request.getRemoteHost();
>+ this.remoteAddr = request.getRemoteAddr();
>+ }
>+ }
>+ 
>+ public void testCommaDelimitedListToStringArray() {
>+ List<String> elements = Arrays.asList("element1", "element2", "element3");
>+ String actual = RemoteIpValve.listToCommaDelimitedString(elements);
>+ assertEquals("element1, element2, element3", actual);
>+ }
>+ 
>+ public void testCommaDelimitedListToStringArrayEmptyList() {
>+ List<String> elements = new ArrayList<String>();
>+ String actual = RemoteIpValve.listToCommaDelimitedString(elements);
>+ assertEquals("", actual);
>+ }
>+ 
>+ public void testCommaDelimitedListToStringArrayNullList() {
>+ String actual = RemoteIpValve.listToCommaDelimitedString(null);
>+ assertEquals("", actual);
>+ }
>+ 
>+ public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeader() throws Exception {
>+ // PREPARE
>+ RemoteIpValve remoteIpValve = new RemoteIpValve();
>+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
>+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
>+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
>+ remoteIpValve.setProxiesHeader("x-forwarded-by");
>+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
>+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
>+ 
>+ Request request = new Request();
>+ request.setCoyoteRequest(new org.apache.coyote.Request());
>+ request.setRemoteAddr("192.168.0.10");
>+ request.setRemoteHost("remote-host-original-value");
>+ 
>+ // TEST
>+ remoteIpValve.invoke(request, null);
>+ 
>+ // VERIFY
>+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
>+ assertNull("x-forwarded-for must be null", actualXForwardedFor);
>+ 
>+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
>+ assertNull("x-forwarded-by must be null", actualXForwardedBy);
>+ 
>+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
>+ assertEquals("remoteAddr", "192.168.0.10", actualRemoteAddr);
>+ 
>+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
>+ assertEquals("remoteHost", "remote-host-original-value", actualRemoteHost);
>+ 
>+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
>+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
>+ 
>+ String actualPostInvokeRemoteHost = request.getRemoteHost();
>+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
>+ 
>+ }
>+ 
>+ public void testInvokeAllProxiesAreTrusted() throws Exception {
>+ 
>+ // PREPARE
>+ RemoteIpValve remoteIpValve = new RemoteIpValve();
>+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
>+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
>+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
>+ remoteIpValve.setProxiesHeader("x-forwarded-by");
>+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
>+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
>+ 
>+ Request request = new Request();
>+ request.setCoyoteRequest(new org.apache.coyote.Request());
>+ request.setRemoteAddr("192.168.0.10");
>+ request.setRemoteHost("remote-host-original-value");
>+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");
>+ 
>+ // TEST
>+ remoteIpValve.invoke(request, null);
>+ 
>+ // VERIFY
>+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
>+ assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
>+ 
>+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
>+ assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);
>+ 
>+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
>+ assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
>+ 
>+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
>+ assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
>+ 
>+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
>+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
>+ 
>+ String actualPostInvokeRemoteHost = request.getRemoteHost();
>+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
>+ }
>+ 
>+ public void testInvokeAllProxiesAreTrustedOrInternal() throws Exception {
>+ 
>+ // PREPARE
>+ RemoteIpValve remoteIpValve = new RemoteIpValve();
>+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
>+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
>+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
>+ remoteIpValve.setProxiesHeader("x-forwarded-by");
>+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
>+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
>+ 
>+ Request request = new Request();
>+ request.setCoyoteRequest(new org.apache.coyote.Request());
>+ request.setRemoteAddr("192.168.0.10");
>+ request.setRemoteHost("remote-host-original-value");
>+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
>+ .setString("140.211.11.130, proxy1, proxy2, 192.168.0.10, 192.168.0.11");
>+ 
>+ // TEST
>+ remoteIpValve.invoke(request, null);
>+ 
>+ // VERIFY
>+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
>+ assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
>+ 
>+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
>+ assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);
>+ 
>+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
>+ assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
>+ 
>+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
>+ assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
>+ 
>+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
>+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
>+ 
>+ String actualPostInvokeRemoteHost = request.getRemoteHost();
>+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
>+ }
>+ 
>+ public void testInvokeAllProxiesAreInternal() throws Exception {
>+ 
>+ // PREPARE
>+ RemoteIpValve remoteIpValve = new RemoteIpValve();
>+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
>+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
>+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
>+ remoteIpValve.setProxiesHeader("x-forwarded-by");
>+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
>+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
>+ 
>+ Request request = new Request();
>+ request.setCoyoteRequest(new org.apache.coyote.Request());
>+ request.setRemoteAddr("192.168.0.10");
>+ request.setRemoteHost("remote-host-original-value");
>+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, 192.168.0.10, 192.168.0.11");
>+ 
>+ // TEST
>+ remoteIpValve.invoke(request, null);
>+ 
>+ // VERIFY
>+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
>+ assertNull("all proxies are internal, x-forwarded-for must be null", actualXForwardedFor);
>+ 
>+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
>+ assertNull("all proxies are internal, x-forwarded-by must be null", actualXForwardedBy);
>+ 
>+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
>+ assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
>+ 
>+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
>+ assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
>+ 
>+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
>+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
>+ 
>+ String actualPostInvokeRemoteHost = request.getRemoteHost();
>+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
>+ }
>+ 
>+ public void testInvokeAllProxiesAreTrustedAndRemoteAddrMatchRegexp() throws Exception {
>+ 
>+ // PREPARE
>+ RemoteIpValve remoteIpValve = new RemoteIpValve();
>+ remoteIpValve.setInternalProxies("127\\.0\\.0\\.1, 192\\.168\\..*, another-internal-proxy");
>+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
>+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
>+ remoteIpValve.setProxiesHeader("x-forwarded-by");
>+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
>+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
>+ 
>+ Request request = new Request();
>+ request.setCoyoteRequest(new org.apache.coyote.Request());
>+ request.setRemoteAddr("192.168.0.10");
>+ request.setRemoteHost("remote-host-original-value");
>+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");
>+ 
>+ // TEST
>+ remoteIpValve.invoke(request, null);
>+ 
>+ // VERIFY
>+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
>+ assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
>+ 
>+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
>+ assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);
>+ 
>+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
>+ assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
>+ 
>+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
>+ assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
>+ 
>+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
>+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
>+ 
>+ String actualPostInvokeRemoteHost = request.getRemoteHost();
>+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
>+ }
>+ 
>+ public void testInvokeNotAllowedRemoteAddr() throws Exception {
>+ // PREPARE
>+ RemoteIpValve remoteIpValve = new RemoteIpValve();
>+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
>+ remoteIpValve.setTrustedProxies("proxy1,proxy2,proxy3");
>+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
>+ remoteIpValve.setProxiesHeader("x-forwarded-by");
>+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
>+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
>+ 
>+ Request request = new Request();
>+ request.setCoyoteRequest(new org.apache.coyote.Request());
>+ request.setRemoteAddr("not-allowed-internal-proxy");
>+ request.setRemoteHost("not-allowed-internal-proxy-host");
>+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");
>+ 
>+ // TEST
>+ remoteIpValve.invoke(request, null);
>+ 
>+ // VERIFY
>+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
>+ assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor);
>+ 
>+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
>+ assertNull("x-forwarded-by must be null", actualXForwardedBy);
>+ 
>+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
>+ assertEquals("remoteAddr", "not-allowed-internal-proxy", actualRemoteAddr);
>+ 
>+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
>+ assertEquals("remoteHost", "not-allowed-internal-proxy-host", actualRemoteHost);
>+ 
>+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
>+ assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy", actualPostInvokeRemoteAddr);
>+ 
>+ String actualPostInvokeRemoteHost = request.getRemoteHost();
>+ assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy-host", actualPostInvokeRemoteHost);
>+ }
>+ 
>+ public void testInvokeUntrustedProxyInTheChain() throws Exception {
>+ // PREPARE
>+ RemoteIpValve remoteIpValve = new RemoteIpValve();
>+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
>+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
>+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
>+ remoteIpValve.setProxiesHeader("x-forwarded-by");
>+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
>+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
>+ 
>+ Request request = new Request();
>+ request.setCoyoteRequest(new org.apache.coyote.Request());
>+ request.setRemoteAddr("192.168.0.10");
>+ request.setRemoteHost("remote-host-original-value");
>+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
>+ .setString("140.211.11.130, proxy1, untrusted-proxy, proxy2");
>+ 
>+ // TEST
>+ remoteIpValve.invoke(request, null);
>+ 
>+ // VERIFY
>+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
>+ assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130, proxy1", actualXForwardedFor);
>+ 
>+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
>+ assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "proxy2", actualXForwardedBy);
>+ 
>+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
>+ assertEquals("remoteAddr", "untrusted-proxy", actualRemoteAddr);
>+ 
>+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
>+ assertEquals("remoteHost", "untrusted-proxy", actualRemoteHost);
>+ 
>+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
>+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
>+ 
>+ String actualPostInvokeRemoteHost = request.getRemoteHost();
>+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
>+ }
>+ 
>+ public void testListToCommaDelimitedString() {
>+ String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1, element2, element3");
>+ String[] expected = new String[] {
>+ "element1", "element2", "element3"
>+ };
>+ assertArrayEquals(expected, actual);
>+ }
>+ 
>+ public void testListToCommaDelimitedStringMixedSpaceChars() {
>+ String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1 , element2,\t element3");
>+ String[] expected = new String[] {
>+ "element1", "element2", "element3"
>+ };
>+ assertArrayEquals(expected, actual);
>+ }
>+ 
>+ private void assertArrayEquals(String[] expected, String[] actual) {
>+ if (expected == null) {
>+ assertNull(actual);
>+ return;
>+ }
>+ assertNotNull(actual);
>+ assertEquals(expected.length, actual.length);
>+ List<String> e = new ArrayList<String>();
>+ e.addAll(Arrays.asList(expected));
>+ List<String> a = new ArrayList<String>();
>+ a.addAll(Arrays.asList(actual));
>+ 
>+ for (String entry : e) {
>+ assertTrue(a.remove(entry));
>+ }
>+ assertTrue(a.isEmpty());
>+ }
>+}
>Index: java/org/apache/catalina/valves/RemoteIpValve.java
>===================================================================
>--- java/org/apache/catalina/valves/RemoteIpValve.java	(revision 0)
>+++ java/org/apache/catalina/valves/RemoteIpValve.java	(revision 0)
>@@ -0,0 +1,711 @@
>+/*
>+ * Licensed to the Apache Software Foundation (ASF) under one or more
>+ * contributor license agreements. See the NOTICE file distributed with
>+ * this work for additional information regarding copyright ownership.
>+ * The ASF licenses this file to You under the Apache License, Version 2.0
>+ * (the "License"); you may not use this file except in compliance with
>+ * the License. You may obtain a copy of the License at
>+ * 
>+ * http://www.apache.org/licenses/LICENSE-2.0
>+ * 
>+ * Unless required by applicable law or agreed to in writing, software
>+ * distributed under the License is distributed on an "AS IS" BASIS,
>+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>+ * See the License for the specific language governing permissions and
>+ * limitations under the License.
>+ */
>+
>+package org.apache.catalina.valves;
>+
>+import java.io.IOException;
>+import java.util.ArrayList;
>+import java.util.Iterator;
>+import java.util.LinkedList;
>+import java.util.List;
>+import java.util.regex.Pattern;
>+import java.util.regex.PatternSyntaxException;
>+
>+import javax.servlet.ServletException;
>+
>+import org.apache.tomcat.util.res.StringManager;
>+import org.apache.catalina.connector.Request;
>+import org.apache.catalina.connector.Response;
>+import org.apache.catalina.valves.Constants;
>+import org.apache.catalina.valves.RequestFilterValve;
>+import org.apache.catalina.valves.ValveBase;
>+import org.apache.juli.logging.Log;
>+import org.apache.juli.logging.LogFactory;
>+
>+/**
>+ * 
>+ * Tomcat port of <a href="http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html">mod_remoteip</a>, this valve replaces the apparent
>+ * client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request
>+ * headers (e.g. "X-Forwarded-For").
>+ * 
>+ * 
>+ * Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a
>+ * load balancer via a request header (e.g. "X-Forwarded-Proto").
>+ * 
>+ * 
>+ * This valve proceeds as follows:
>+ * 
>+ * 
>+ * If the incoming <code>request.getRemoteAddr()</code> matches the valve's list of internal proxies :
>+ * <ul>
>+ * <li>Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http
>+ * header named <code>$remoteIPHeader</code> (default value <code>x-forwarded-for</code>). Values are processed in right-to-left order.</li>
>+ * <li>For each ip/host of the list:
>+ * <ul>
>+ * <li>if it matches the internal proxies list, the ip/host is swallowed</li>
>+ * <li>if it matches the trusted proxies list, the ip/host is added to the created proxies header</li>
>+ * <li>otherwise, the ip/host is declared to be the remote ip and looping is stopped.</li>
>+ * </ul>
>+ * </li>
>+ * <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-for</code>) equals to the value of
>+ * <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
>+ * <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the
>+ * <code>$httpsServerPort</code> configuration parameter.</li>
>+ * </ul>
>+ * 
>+ * 
>+ * Configuration parameters:
>+ * <table border="1">
>+ * <tr>
>+ * <th>RemoteIpValve property</th>
>+ * <th>Description</th>
>+ * <th>Equivalent mod_remoteip directive</th>
>+ * <th>Format</th>
>+ * <th>Default Value</th>
>+ * </tr>
>+ * <tr>
>+ * <td>remoteIPHeader</td>
>+ * <td>Name of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting client</td>
>+ * <td>RemoteIPHeader</td>
>+ * <td>Compliant http header name</td>
>+ * <td>x-forwarded-for</td>
>+ * </tr>
>+ * <tr>
>+ * <td>internalProxies</td>
>+ * <td>List of internal proxies ip adress. If they appear in the <code>remoteIpHeader</code> value, they will be trusted and will not appear
>+ * in the <code>proxiesHeader</code> value</td>
>+ * <td>RemoteIPInternalProxy</td>
>+ * <td>Comma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)</td>
>+ * <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3} 
>+ * By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not been enabled by default because it is complex to
>+ * describe with regular expressions</td>
>+ * </tr>
>+ * </tr>
>+ * <tr>
>+ * <td>proxiesHeader</td>
>+ * <td>Name of the http header created by this valve to hold the list of proxies that have been processed in the incoming
>+ * <code>remoteIPHeader</code></td>
>+ * <td>RemoteIPProxiesHeader</td>
>+ * <td>Compliant http header name</td>
>+ * <td>x-forwarded-by</td>
>+ * </tr>
>+ * <tr>
>+ * <td>trustedProxies</td>
>+ * <td>List of trusted proxies ip adress. If they appear in the <code>remoteIpHeader</code> value, they will be trusted and will appear
>+ * in the <code>proxiesHeader</code> value</td>
>+ * <td>RemoteIPTrustedProxy</td>
>+ * <td>Comma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)</td>
>+ * <td>&nbsp;</td>
>+ * </tr>
>+ * <tr>
>+ * <td>protocolHeader</td>
>+ * <td>Name of the http header read by this valve that holds the flag that this request </td>
>+ * <td>N/A</td>
>+ * <td>Compliant http header name like <code>X-Forwarded-Proto</code>, <code>X-Forwarded-Ssl</code> or <code>Front-End-Https</code></td>
>+ * <td><code>null</code></td>
>+ * </tr>
>+ * <tr>
>+ * <td>protocolHeaderHttpsValue</td>
>+ * <td>Value of the <code>protocolHeader</code> to indicate that it is an Https request</td>
>+ * <td>N/A</td>
>+ * <td>String like <code>https</code> or <code>ON</code></td>
>+ * <td><code>https</code></td>
>+ * </tr>
>+ * <tr>
>+ * </table>
>+ * 
>+ * 
>+ * 
>+ * This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.
>+ * 
>+ * 
>+ * Regular expression vs. IP address blocks: <code>mod_remoteip</code> allows to use address blocks (e.g.
>+ * <code>192.168/16</code>) to configure <code>RemoteIPInternalProxy</code> and <code>RemoteIPTrustedProxy</code> ; as Tomcat doesn't have a
>+ * library similar to <a
>+ * href="http://apr.apache.org/docs/apr/1.3/group__apr__network__io.html#gb74d21b8898b7c40bf7fd07ad3eb993d">apr_ipsubnet_test</a>,
>+ * <code>RemoteIpValve</code> uses regular expression to configure <code>internalProxies</code> and <code>trustedProxies</code> in the same
>+ * fashion as {@link RequestFilterValve} does.
>+ * 
>+ * <hr/>
>+ * 
>+ * Sample with internal proxies
>+ * 
>+ * 
>+ * RemoteIpValve configuration:
>+ * 
>+ * <code><pre>
>+ * &lt;Valve 
>+ * className="org.apache.catalina.connector.RemoteIpValve"
>+ * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
>+ * remoteIPHeader="x-forwarded-for"
>+ * remoteIPProxiesHeader="x-forwarded-by"
>+ * protocolHeader="x-forwarded-proto"
>+ * /&gt;</pre></code>
>+ * 
>+ * Request values:
>+ * <table border="1">
>+ * <tr>
>+ * <th>property</th>
>+ * <th>Value Before RemoteIpValve</th>
>+ * <th>Value After RemoteIpValve</th>
>+ * </tr>
>+ * <tr>
>+ * <td>request.remoteAddr</td>
>+ * <td>192.168.0.10</td>
>+ * <td>140.211.11.130</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-for']</td>
>+ * <td>140.211.11.130, 192.168.0.10</td>
>+ * <td>null</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-by']</td>
>+ * <td>null</td>
>+ * <td>null</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-proto']</td>
>+ * <td>https</td>
>+ * <td>https</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.scheme</td>
>+ * <td>http</td>
>+ * <td>https</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.secure</td>
>+ * <td>false</td>
>+ * <td>true</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.serverPort</td>
>+ * <td>80</td>
>+ * <td>443</td>
>+ * </tr>
>+ * </table>
>+ * Note : <code>x-forwarded-by</code> header is null because only internal proxies as been traversed by the request.
>+ * <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
>+ * 
>+ * <hr/>
>+ * 
>+ * Sample with trusted proxies
>+ * 
>+ * 
>+ * RemoteIpValve configuration:
>+ * 
>+ * <code><pre>
>+ * &lt;Valve 
>+ * className="org.apache.catalina.connector.RemoteIpValve"
>+ * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
>+ * remoteIPHeader="x-forwarded-for"
>+ * remoteIPProxiesHeader="x-forwarded-by"
>+ * trustedProxies="proxy1, proxy2"
>+ * /&gt;</pre></code>
>+ * 
>+ * Request values:
>+ * <table border="1">
>+ * <tr>
>+ * <th>property</th>
>+ * <th>Value Before RemoteIpValve</th>
>+ * <th>Value After RemoteIpValve</th>
>+ * </tr>
>+ * <tr>
>+ * <td>request.remoteAddr</td>
>+ * <td>192.168.0.10</td>
>+ * <td>140.211.11.130</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-for']</td>
>+ * <td>140.211.11.130, proxy1, proxy2</td>
>+ * <td>null</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-by']</td>
>+ * <td>null</td>
>+ * <td>proxy1, proxy2</td>
>+ * </tr>
>+ * </table>
>+ * Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both
>+ * are migrated in <code>x-forwarded-by</code> header. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
>+ * 
>+ * <hr/>
>+ * 
>+ * Sample with internal and trusted proxies
>+ * 
>+ * 
>+ * RemoteIpValve configuration:
>+ * 
>+ * <code><pre>
>+ * &lt;Valve 
>+ * className="org.apache.catalina.connector.RemoteIpValve"
>+ * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
>+ * remoteIPHeader="x-forwarded-for"
>+ * remoteIPProxiesHeader="x-forwarded-by"
>+ * trustedProxies="proxy1, proxy2"
>+ * /&gt;</pre></code>
>+ * 
>+ * Request values:
>+ * <table border="1">
>+ * <tr>
>+ * <th>property</th>
>+ * <th>Value Before RemoteIpValve</th>
>+ * <th>Value After RemoteIpValve</th>
>+ * </tr>
>+ * <tr>
>+ * <td>request.remoteAddr</td>
>+ * <td>192.168.0.10</td>
>+ * <td>140.211.11.130</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-for']</td>
>+ * <td>140.211.11.130, proxy1, proxy2, 192.168.0.10</td>
>+ * <td>null</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-by']</td>
>+ * <td>null</td>
>+ * <td>proxy1, proxy2</td>
>+ * </tr>
>+ * </table>
>+ * Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both
>+ * are migrated in <code>x-forwarded-by</code> header. As <code>192.168.0.10</code> is an internal proxy, it does not appear in
>+ * <code>x-forwarded-by</code>. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
>+ * 
>+ * <hr/>
>+ * 
>+ * Sample with an untrusted proxy
>+ * 
>+ * 
>+ * RemoteIpValve configuration:
>+ * 
>+ * <code><pre>
>+ * &lt;Valve 
>+ * className="org.apache.catalina.connector.RemoteIpValve"
>+ * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
>+ * remoteIPHeader="x-forwarded-for"
>+ * remoteIPProxiesHeader="x-forwarded-by"
>+ * trustedProxies="proxy1, proxy2"
>+ * /&gt;</pre></code>
>+ * 
>+ * Request values:
>+ * <table border="1">
>+ * <tr>
>+ * <th>property</th>
>+ * <th>Value Before RemoteIpValve</th>
>+ * <th>Value After RemoteIpValve</th>
>+ * </tr>
>+ * <tr>
>+ * <td>request.remoteAddr</td>
>+ * <td>192.168.0.10</td>
>+ * <td>untrusted-proxy</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-for']</td>
>+ * <td>140.211.11.130, untrusted-proxy, proxy1</td>
>+ * <td>140.211.11.130</td>
>+ * </tr>
>+ * <tr>
>+ * <td>request.header['x-forwarded-by']</td>
>+ * <td>null</td>
>+ * <td>proxy1</td>
>+ * </tr>
>+ * </table>
>+ * Note : <code>x-forwarded-by</code> holds the trusted proxy <code>proxy1</code>. <code>x-forwarded-by</code> holds
>+ * <code>140.211.11.130</code> because <code>untrusted-proxy</code> is not trusted and thus, we can not trust that
>+ * <code>untrusted-proxy</code> is the actual remote ip. <code>request.remoteAddr</code> is <code>untrusted-proxy</code> that is an IP
>+ * verified by <code>proxy1</code>.
>+ * 
>+ */
>+public class RemoteIpValve extends ValveBase {
>+ 
>+ /**
>+ * {@link Pattern} for a comma delimited string that support whitespace characters
>+ */
>+ private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*");
>+ 
>+ /**
>+ * The descriptive information related to this implementation.
>+ */
>+ private static final String info = "org.apache.catalina.connector.RemoteIpValve/1.0";
>+ 
>+ /**
>+ * Logger
>+ */
>+ private static Log log = LogFactory.getLog(RemoteIpValve.class);
>+ 
>+ /**
>+ * The StringManager for this package.
>+ */
>+ protected static StringManager sm = StringManager.getManager(Constants.Package);
>+ 
>+ /**
>+ * Convert a given comma delimited list of regular expressions into an array of compiled {@link Pattern}
>+ * 
>+ * @return array of patterns (not <code>null</code>)
>+ */
>+ protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns) {
>+ String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns);
>+ List<Pattern> patternsList = new ArrayList<Pattern>();
>+ for (String pattern : patterns) {
>+ try {
>+ patternsList.add(Pattern.compile(pattern));
>+ } catch (PatternSyntaxException e) {
>+ throw new IllegalArgumentException(sm.getString("remoteIpValve.syntax", pattern), e);
>+ }
>+ }
>+ return patternsList.toArray(new Pattern[0]);
>+ }
>+ 
>+ /**
>+ * Convert a given comma delimited list of regular expressions into an array of String
>+ * 
>+ * @return array of patterns (non <code>null</code>)
>+ */
>+ protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) {
>+ return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern
>+ .split(commaDelimitedStrings);
>+ }
>+ 
>+ /**
>+ * Convert an array of strings in a comma delimited string
>+ */
>+ protected static String listToCommaDelimitedString(List<String> stringList) {
>+ if (stringList == null) {
>+ return "";
>+ }
>+ StringBuilder result = new StringBuilder();
>+ for (Iterator<String> it = stringList.iterator(); it.hasNext();) {
>+ Object element = it.next();
>+ if (element != null) {
>+ result.append(element);
>+ if (it.hasNext()) {
>+ result.append(", ");
>+ }
>+ }
>+ }
>+ return result.toString();
>+ }
>+ 
>+ /**
>+ * Return <code>true</code> if the given <code>str</code> matches at least one of the given <code>patterns</code>.
>+ */
>+ protected static boolean matchesOne(String str, Pattern... patterns) {
>+ for (Pattern pattern : patterns) {
>+ if (pattern.matcher(str).matches()) {
>+ return true;
>+ }
>+ }
>+ return false;
>+ }
>+ 
>+ /**
>+ * @see #setHttpsServerPort(int)
>+ */
>+ private int httpsServerPort = 443;
>+ 
>+ /**
>+ * @see #setInternalProxies(String)
>+ */
>+ private Pattern[] internalProxies = new Pattern[] {
>+ Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"),
>+ Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}")
>+ };
>+ 
>+ /**
>+ * @see #setProtocolHeader(String)
>+ */
>+ private String protocolHeader = null;
>+ 
>+ /**
>+ * @see #setProtocolHeaderHttpsValue(String)
>+ */
>+ private String protocolHeaderHttpsValue = "https";
>+ 
>+ /**
>+ * @see #setProxiesHeader(String)
>+ */
>+ private String proxiesHeader = "X-Forwarded-By";
>+ 
>+ /**
>+ * @see #setRemoteIpHeader(String)
>+ */
>+ private String remoteIpHeader = "X-Forwarded-For";
>+ 
>+ /**
>+ * @see RemoteIpValve#setTrustedProxies(String)
>+ */
>+ private Pattern[] trustedProxies = new Pattern[0];
>+ 
>+ public int getHttpsServerPort() {
>+ return httpsServerPort;
>+ }
>+ 
>+ /**
>+ * Return descriptive information about this Valve implementation.
>+ */
>+ public String getInfo() {
>+ return info;
>+ }
>+ 
>+ /**
>+ * @see #setInternalProxies(String)
>+ * @return comma delimited list of internal proxies
>+ */
>+ public String getInternalProxies() {
>+ List<String> internalProxiesAsStringList = new ArrayList<String>();
>+ for (Pattern internalProxyPattern : internalProxies) {
>+ internalProxiesAsStringList.add(String.valueOf(internalProxyPattern));
>+ }
>+ return listToCommaDelimitedString(internalProxiesAsStringList);
>+ }
>+ 
>+ /**
>+ * @see #setProtocolHeader(String)
>+ * @return the protocol header (e.g. "X-Forwarded-Proto")
>+ */
>+ public String getProtocolHeader() {
>+ return protocolHeader;
>+ }
>+ 
>+ /**
>+ * @see RemoteIpValve#setProtocolHeaderHttpsValue(String)
>+ * @return the value of the protocol header for incoming https request (e.g. "https")
>+ */
>+ public String getProtocolHeaderHttpsValue() {
>+ return protocolHeaderHttpsValue;
>+ }
>+ 
>+ /**
>+ * @see #setProxiesHeader(String)
>+ * @return the proxies header name (e.g. "X-Forwarded-By")
>+ */
>+ public String getProxiesHeader() {
>+ return proxiesHeader;
>+ }
>+ 
>+ /**
>+ * @see #setRemoteIpHeader(String)
>+ * @return the remote IP header name (e.g. "X-Forwarded-For")
>+ */
>+ public String getRemoteIpHeader() {
>+ return remoteIpHeader;
>+ }
>+ 
>+ /**
>+ * @see #setTrustedProxies(String)
>+ * @return comma delimited list of trusted proxies
>+ */
>+ public String getTrustedProxies() {
>+ List<String> trustedProxiesAsStringList = new ArrayList<String>();
>+ for (Pattern trustedProxy : trustedProxies) {
>+ trustedProxiesAsStringList.add(String.valueOf(trustedProxy));
>+ }
>+ return listToCommaDelimitedString(trustedProxiesAsStringList);
>+ }
>+ 
>+ /**
>+ * {@inheritDoc}
>+ */
>+ @Override
>+ public void invoke(Request request, Response response) throws IOException, ServletException {
>+ final String originalRemoteAddr = request.getRemoteAddr();
>+ final String originalRemoteHost = request.getRemoteHost();
>+ final String originalScheme = request.getScheme();
>+ final boolean originalSecure = request.isSecure();
>+ final int originalServerPort = request.getServerPort();
>+ 
>+ if (matchesOne(originalRemoteAddr, internalProxies)) {
>+ String remoteIp = null;
>+ // In java 6, proxiesHeaderValue should be declared as a java.util.Deque
>+ LinkedList<String> proxiesHeaderValue = new LinkedList<String>();
>+ 
>+ String[] remoteIPHeaderValue = commaDelimitedListToStringArray(request.getHeader(remoteIpHeader));
>+ int idx;
>+ // loop on remoteIPHeaderValue to find the first trusted remote ip and to build the proxies chain
>+ for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--) {
>+ String currentRemoteIp = remoteIPHeaderValue[idx];
>+ remoteIp = currentRemoteIp;
>+ if (matchesOne(currentRemoteIp, internalProxies)) {
>+ // do nothing, internalProxies IPs are not appended to the
>+ } else if (matchesOne(currentRemoteIp, trustedProxies)) {
>+ proxiesHeaderValue.addFirst(currentRemoteIp);
>+ } else {
>+ idx--; // decrement idx because break statement doesn't do it
>+ break;
>+ }
>+ }
>+ // continue to loop on remoteIPHeaderValue to build the new value of the remoteIPHeader
>+ LinkedList<String> newRemoteIpHeaderValue = new LinkedList<String>();
>+ for (; idx >= 0; idx--) {
>+ String currentRemoteIp = remoteIPHeaderValue[idx];
>+ newRemoteIpHeaderValue.addFirst(currentRemoteIp);
>+ }
>+ if (remoteIp != null) {
>+ 
>+ request.setRemoteAddr(remoteIp);
>+ request.setRemoteHost(remoteIp);
>+ 
>+ // use request.coyoteRequest.mimeHeaders.setValue(str).setString(str) because request.addHeader(str, str) is no-op in Tomcat
>+ // 6.0
>+ if (proxiesHeaderValue.size() == 0) {
>+ request.getCoyoteRequest().getMimeHeaders().removeHeader(proxiesHeader);
>+ } else {
>+ String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue);
>+ request.getCoyoteRequest().getMimeHeaders().setValue(proxiesHeader).setString(commaDelimitedListOfProxies);
>+ }
>+ if (newRemoteIpHeaderValue.size() == 0) {
>+ request.getCoyoteRequest().getMimeHeaders().removeHeader(remoteIpHeader);
>+ } else {
>+ String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue);
>+ request.getCoyoteRequest().getMimeHeaders().setValue(remoteIpHeader).setString(commaDelimitedRemoteIpHeaderValue);
>+ }
>+ }
>+ 
>+ if (protocolHeader != null) {
>+ String protocolHeaderValue = request.getHeader(protocolHeader);
>+ if (protocolHeaderValue != null && protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
>+ request.setSecure(true);
>+ // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
>+ request.getCoyoteRequest().scheme().setString("https");
>+ 
>+ request.setServerPort(httpsServerPort);
>+ }
>+ }
>+ 
>+ if (log.isDebugEnabled()) {
>+ log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + originalRemoteAddr
>+ + "', originalRemoteHost='" + originalRemoteHost + "', originalSecure='" + originalSecure + "', originalScheme='"
>+ + originalScheme + "' will be seen as newRemoteAddr='" + request.getRemoteAddr() + "', newRemoteHost='"
>+ + request.getRemoteHost() + "', newScheme='" + request.getScheme() + "', newSecure='" + request.isSecure() + "'");
>+ }
>+ }
>+ try {
>+ getNext().invoke(request, response);
>+ } finally {
>+ request.setRemoteAddr(originalRemoteAddr);
>+ request.setRemoteHost(originalRemoteHost);
>+ 
>+ request.setSecure(originalSecure);
>+ 
>+ // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
>+ request.getCoyoteRequest().scheme().setString(originalScheme);
>+ 
>+ request.setServerPort(originalServerPort);
>+ }
>+ }
>+ 
>+ /**
>+ * 
>+ * Server Port value if the {@link #protocolHeader} indicates HTTPS
>+ * 
>+ * 
>+ * Default value : 443
>+ * 
>+ */
>+ public void setHttpsServerPort(int httpsServerPort) {
>+ this.httpsServerPort = httpsServerPort;
>+ }
>+ 
>+ /**
>+ * 
>+ * Comma delimited list of internal proxies. Can be expressed with regular expressions.
>+ * 
>+ * 
>+ * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
>+ * 
>+ */
>+ public void setInternalProxies(String commaDelimitedInternalProxies) {
>+ this.internalProxies = commaDelimitedListToPatternArray(commaDelimitedInternalProxies);
>+ }
>+ 
>+ /**
>+ * 
>+ * Header that holds the incoming protocol, usally named <code>X-Forwarded-Proto</code>. If <code>null</code>, request.scheme and
>+ * request.secure will not be modified.
>+ * 
>+ * 
>+ * Default value : <code>null</code>
>+ * 
>+ */
>+ public void setProtocolHeader(String protocolHeader) {
>+ this.protocolHeader = protocolHeader;
>+ }
>+ 
>+ /**
>+ * 
>+ * Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.
>+ * 
>+ * 
>+ * Default value : <code>https</code>
>+ * 
>+ */
>+ public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
>+ this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
>+ }
>+ 
>+ /**
>+ * 
>+ * The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP
>+ * addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,
>+ * while any intermediate RemoteIPInternalProxy addresses are discarded.
>+ * 
>+ * 
>+ * Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
>+ * 
>+ * 
>+ * The value of this header can be comma delimited.
>+ * 
>+ * 
>+ * Default value : <code>X-Forwarded-By</code>
>+ * 
>+ */
>+ public void setProxiesHeader(String proxiesHeader) {
>+ this.proxiesHeader = proxiesHeader;
>+ }
>+ 
>+ /**
>+ * 
>+ * Name of the http header from which the remote ip is extracted.
>+ * 
>+ * 
>+ * The value of this header can be comma delimited.
>+ * 
>+ * 
>+ * Default value : <code>X-Forwarded-For</code>
>+ * 
>+ * 
>+ * @param remoteIPHeader
>+ */
>+ public void setRemoteIpHeader(String remoteIpHeader) {
>+ this.remoteIpHeader = remoteIpHeader;
>+ }
>+ 
>+ /**
>+ * 
>+ * Comma delimited list of proxies that are trusted when they appear in the {@link #remoteIPHeader} header. Can be expressed as a
>+ * regular expression.
>+ * 
>+ * 
>+ * Default value : empty list, no external proxy is trusted.
>+ * 
>+ */
>+ public void setTrustedProxies(String commaDelimitedTrustedProxies) {
>+ this.trustedProxies = commaDelimitedListToPatternArray(commaDelimitedTrustedProxies);
>+ }
>+}
>Index: java/org/apache/catalina/valves/LocalStrings.properties
>===================================================================
>--- java/org/apache/catalina/valves/LocalStrings.properties	(revision 832111)
>+++ java/org/apache/catalina/valves/LocalStrings.properties	(working copy)
>@@ -41,6 +41,9 @@
> errorReportValve.note=note
> errorReportValve.rootCauseInLogs=The full stack trace of the root cause is available in the {0} logs.
> 
>+# Remote IP valve
>+remoteIpValve.syntax=Invalid regular expressions [{0}] provided.
>+
> # HTTP status reports
> http.100=The client may continue ({0}).
> http.101=The server is switching protocols according to the "Upgrade" header ({0}).
>Index: java/org/apache/catalina/valves/mbeans-descriptors.xml
>===================================================================
>--- java/org/apache/catalina/valves/mbeans-descriptors.xml	(revision 832111)
>+++ java/org/apache/catalina/valves/mbeans-descriptors.xml	(working copy)
>@@ -355,4 +355,41 @@
> 
> </mbean>
> 
>+ <mbean name="RemoteIpValve"
>+ description="Valve that sets client information (eg IP address) based on data from a trusted proxy"
>+ domain="Catalina"
>+ group="Valve"
>+ type="org.apache.catalina.valves.RemoteIpValve">
>+ 
>+ <attribute name="internalProxies"
>+ description="Comma delimited list of internal proxies"
>+ type="java.lang.String"
>+ writeable="false" />
>+ 
>+ <attribute name="protocolHeader"
>+ description="The protocol header (e.g. &quot;X-Forwarded-Proto&quot;)"
>+ type="java.lang.String"
>+ writeable="false" />
>+ 
>+ <attribute name="protocolHeaderHttpsValue"
>+ description="The value of the protocol header for incoming https request (e.g. &quot;https&quot;)"
>+ type="java.lang.String"
>+ writeable="false" />
>+ 
>+ <attribute name="proxiesHeader"
>+ description="The proxies header name (e.g. &quot;X-Forwarded-By&quot;)"
>+ type="java.lang.String"
>+ writeable="false" />
>+ 
>+ <attribute name="remoteIpHedaer"
>+ description="The remote IP header name (e.g. &quot;X-Forwarded-For&quot;)"
>+ type="java.lang.String"
>+ writeable="false" />
>+ 
>+ <attribute name="trustedProxies"
>+ description="Comma delimited list of trusted proxies"
>+ type="java.lang.String"
>+ writeable="false" />
>+ 
>+ </mbean>
> </mbeans-descriptors>

Actions: View | Diff

Attachments on bug 47330: 23772 | 23773 | 23970 | 24455 | 24465 | 24471 | 24505