The Apache Tomcat Servlet/JSP Container

Apache Tomcat 6.0

Version 6.0.47, Oct 13 2016
Apache Logo

Links

Top Level Elements

Executors

Connectors

Containers

Nested Components

Cluster Elements

web.xml

Other

Apache Tomcat Configuration Reference

The Valve Component

Table of Contents
Introduction

A Valve element represents a component that will be inserted into the request processing pipeline for the associated Catalina container (Engine, Host, or Context). Individual Valves have distinct processing capabilities, and are described individually below.

The description below uses the variable name $CATALINA_BASE to refer the base directory against which most relative paths are resolved. If you have not configured Tomcat 6 for multiple instances by setting a CATALINA_BASE directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME, the directory into which you have installed Tomcat 6.

Access Log Valve
Introduction

The Access Log Valve creates log files in the same format as those created by standard web servers. These logs can later be analyzed by standard log analysis tools to track page hit counts, user session activity, and so on. The files produces by this Valve are rolled over nightly at midnight. This Valve may be associated with any Catalina container (Context, Host, or Engine), and will record ALL requests processed by that container.

Some requests may be handled by Tomcat before they are passed to a container. These include redirects from /foo to /foo/ and the rejection of invalid requests. Where Tomcat can identify the Context that would have handled the request, the request/response will be logged in the AccessLog(s) associated Context, Host and Engine. Where Tomcat cannot identify the Context that would have handled the request, e.g. in cases where the URL is invalid, Tomcat will look first in the Engine, then the default Host for the Engine and finally the ROOT (or default) Context for the default Host for an AccessLog implementation. Tomcat will use the first AccessLog implementation found to log those requests that are rejected before they are passed to a container.

Attributes

The Access Log Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.AccessLogValve to use the default access log valve.

directory

Absolute or relative pathname of a directory in which log files created by this valve will be placed. If a relative path is specified, it is interpreted as relative to $CATALINA_BASE. If no directory attribute is specified, the default value is "logs" (relative to $CATALINA_BASE).

encoding

Character set used to write the log file. An empty string means to use the system default character set. Default value: use the system default character set.

pattern

A formatting layout identifying the various information fields from the request and response to be logged, or the word common or combined to select a standard format. See below for more information on configuring this attribute. Note that the optimized access does only support common and combined as the value for this attribute.

prefix

The prefix added to the start of each log file's name. If not specified, the default value is "access_log.". To specify no prefix, use a zero-length string.

resolveHosts

Set to true to convert the IP address of the remote host into the corresponding host name via a DNS lookup. Set to false to skip this lookup, and report the remote IP address instead.

suffix

The suffix added to the end of each log file's name. If not specified, the default value is "". To specify no suffix, use a zero-length string.

rotatable

Flag to determine if log rotation should occur. If set to false, then this file is never rotated and fileDateFormat is ignored. Use with caution! Default value: true

condition

Turns on conditional logging. If set, requests will be logged only if ServletRequest.getAttribute() is null. For example, if this value is set to junk, then a particular request will only be logged if ServletRequest.getAttribute("junk") == null. The use of Filters is an easy way to set/unset the attribute in the ServletRequest on many different requests.

fileDateFormat

Allows a customized date format in the access log file name. The date format also decides how often the file is rotated. If you wish to rotate every hour, then set this value to: yyyy-MM-dd.HH

buffered

Flag to determine if logging will be buffered. If set to false, then access logging will be written after each request. Default value: true

Values for the pattern attribute are made up of literal text strings, combined with pattern identifiers prefixed by the "%" character to cause replacement by the corresponding variable value from the current request and response. The following pattern codes are supported:

  • %a - Remote IP address
  • %A - Local IP address
  • %b - Bytes sent, excluding HTTP headers, or '-' if zero
  • %B - Bytes sent, excluding HTTP headers
  • %h - Remote host name (or IP address if resolveHosts is false)
  • %H - Request protocol
  • %l - Remote logical username from identd (always returns '-')
  • %m - Request method (GET, POST, etc.)
  • %p - Local port on which this request was received
  • %q - Query string (prepended with a '?' if it exists)
  • %r - First line of the request (method and request URI)
  • %s - HTTP status code of the response
  • %S - User session ID
  • %t - Date and time, in Common Log Format
  • %u - Remote user that was authenticated (if any), else '-'
  • %U - Requested URL path
  • %v - Local server name
  • %D - Time taken to process the request, in millis
  • %T - Time taken to process the request, in seconds
  • %I - Current request thread name (can compare later with stacktraces)

There is also support to write information from the cookie, incoming header, the Session or something else in the ServletRequest. It is modeled after the Apache HTTP Server log configuration syntax:

  • %{xxx}i for incoming headers
  • %{xxx}o for outgoing response headers
  • %{xxx}c for a specific cookie
  • %{xxx}r xxx is an attribute in the ServletRequest
  • %{xxx}s xxx is an attribute in the HttpSession

The shorthand pattern name common (which is also the default) corresponds to '%h %l %u %t "%r" %s %b'.

The shorthand pattern name combined appends the values of the Referer and User-Agent headers, each in double quotes, to the common pattern described in the previous paragraph.

When Tomcat is operating behind a reverse proxy, the client information logged by the Access Log Valve may represent the reverse proxy, the browser or some combination of the two depending on the configuration of Tomcat and the reverse proxy. For Tomcat configuration options see the Proxy How-To. For reverse proxies that use mod_jk, see the generic proxy documentation. For other reverse proxies, consult their documentation.

Remote Address Filter
Introduction

The Remote Address Filter allows you to compare the IP address of the client that submitted this request against one or more regular expressions, and either allow the request to continue or refuse to process the request from this client. A Remote Address Filter can be associated with any Catalina container (Engine, Host, or Context), and must accept any request presented to this container for processing before it will be passed on.

The syntax for regular expressions is different than that for 'standard' wildcard matching. Tomcat uses the java.util.regex package. Please consult the Java documentation for details of the expressions supported.

Optionally one can append the server connector port separated with a comma (";") to allow different expressions for each connector.

See also: Remote Host Filter, Remote IP Valve.

Attributes

The Remote Address Filter supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteAddrValve.

allow

A comma-separated list of regular expression patterns that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote address matches a deny pattern.

deny

A comma-separated list of regular expression patterns that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the allow attribute.

denyStatus

HTTP response status code that is used when rejecting denied request. The default value is 403. For example, it can be set to the value 404.

addConnectorPort

Append the server connector port to the client IP address separated with a semicolon (";"). If this is set to true, the expressions configured with allow and deny is compared against ADDRESS;PORT where ADDRESS is the client IP address and PORT is the Tomcat connector port which received the request. The default value is false.

Example

To allow unrestricted access for the clients connecting from localhost but for all other clients only to port 8443:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
   addConnectorPort="true"
   allow="127\.\d+\.\d+\.\d+;\d*,::1;\d*,0:0:0:0:0:0:0:1;\d*,.*;8443"/>
Remote Host Filter
Introduction

The Remote Host Filter allows you to compare the hostname of the client that submitted this request against one or more regular expressions, and either allow the request to continue or refuse to process the request from this client. A Remote Host Filter can be associated with any Catalina container (Engine, Host, or Context), and must accept any request presented to this container for processing before it will be passed on.

The syntax for regular expressions is different than that for 'standard' wildcard matching. Tomcat uses the java.util.regex package. Please consult the Java documentation for details of the expressions supported.

Optionally one can append the server connector port separated with a comma (";") to allow different expressions for each connector.

Note: This filter processes the value returned by method ServletRequest.getRemoteHost(). To allow the method to return proper host names, you have to enable "DNS lookups" feature on a Connector.

See also: Remote Address Filter, HTTP Connector configuration.

Attributes

The Remote Host Filter supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteHostValve.

allow

A comma-separated list of regular expression patterns that the remote client's hostname is compared to. If this attribute is specified, the remote hostname MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote hostname matches a deny pattern.

deny

A comma-separated list of regular expression patterns that the remote client's hostname is compared to. If this attribute is specified, the remote hostname MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the allow attribute.

denyStatus

HTTP response status code that is used when rejecting denied request. The default value is 403. For example, it can be set to the value 404.

addConnectorPort

Append the server connector port to the client hostname separated with a comma (";"). If this is set to true, the expressions configured with allow and deny is compared against HOSTNAME;PORT where HOSTNAME is the client hostname and PORT is the Tomcat connector port which received the request. The default value is false.

Request Dumper Valve
Introduction

The Request Dumper Valve is a useful tool in debugging interactions with a client application (or browser) that is sending HTTP requests to your Tomcat-based server. When configured, it causes details about each request processed by its associated Engine, Host, or Context to be logged according to the logging configuration for that container.

WARNING: Using this valve has side-effects. The output from this valve includes any parameters included with the request. The parameters will be decoded using the default platform encoding. Any subsequent calls to request.setCharacterEncoding() within the web application will have no effect. NOTE: Since all parameters are included in the output, the InputStream is consumed for requests made with the method POST and content-type application/x-www-form-urlencoded.

Attributes

The Request Dumper Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RequestDumperValve.

Single Sign On Valve
Introduction

The Single Sign On Valve is utilized when you wish to give users the ability to sign on to any one of the web applications associated with your virtual host, and then have their identity recognized by all other web applications on the same virtual host.

See the Single Sign On special feature on the Host element for more information.

Attributes

The Single Sign On Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.SingleSignOn.

requireReauthentication

Default false. Flag to determine whether each request needs to be reauthenticated to the security Realm. If "true", this Valve uses cached security credentials (username and password) to reauthenticate to the Realm each request associated with an SSO session. If "false", the Valve can itself authenticate requests based on the presence of a valid SSO cookie, without rechecking with the Realm.

cookieDomain

Sets the host domain to be used for sso cookies.

Basic Authenticator Valve
Introduction

The Basic Authenticator Valve is automatically added to any Context that is configured to use BASIC authentication.

If any non-default settings are required, the valve may be configured within Context element with the required values.

Attributes

The Basic Authenticator Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.BasicAuthenticator.

changeSessionIdOnAuthentication

Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation attacks. If not set, the default value of true will be used.

disableProxyCaching

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers but will also cause secured pages to be cached by proxies which will almost certainly be a security issue. securePagesWithPragma offers an alternative, secure, workaround for browser caching issues. If not set, the default value of true will be used.

securePagesWithPragma

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. If not set, the default value of true will be used.

Digest Authenticator Valve
Introduction

The Digest Authenticator Valve is automatically added to any Context that is configured to use DIGEST authentication.

If any non-default settings are required, the valve may be configured within Context element with the required values.

Attributes

The Digest Authenticator Valve supports the following configuration attributes:

AttributeDescription
cache

Should we cache authenticated Principals if the request is part of an HTTP session? If not specified, the default value of false will be used.

className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.DigestAuthenticator.

changeSessionIdOnAuthentication

Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation attacks. If not set, the default value of true will be used.

disableProxyCaching

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers but will also cause secured pages to be cached by proxies which will almost certainly be a security issue. securePagesWithPragma offers an alternative, secure, workaround for browser caching issues. If not set, the default value of true will be used.

key

The secret key used by digest authentication. If not set, a secure random value is generated. This should normally only be set when it is necessary to keep key values constant either across server restarts and/or across a cluster.

nonceCacheSize

To protect against replay attacks, the DIGEST authenticator tracks server nonce and nonce count values. This attribute controls the size of that cache. If not specified, the default value of 1000 is used.

nonceValidity

The time, in milliseconds, that a server generated nonce will be considered valid for use in authentication. If not specified, the default value of 300000 (5 minutes) will be used.

opaque

The opaque server string used by digest authentication. If not set, a random value is generated. This should normally only be set when it is necessary to keep opaque values constant either across server restarts and/or across a cluster.

securePagesWithPragma

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. If not set, the default value of true will be used.

validateUri

Should the URI be validated as required by RFC2617? If not specified, the default value of true will be used. This should normally only be set when Tomcat is located behind a reverse proxy and the proxy is modifying the URI passed to Tomcat such that DIGEST authentication always fails.

Form Authenticator Valve
Introduction

The Form Authenticator Valve is automatically added to any Context that is configured to use FORM authentication.

If any non-default settings are required, the valve may be configured within Context element with the required values.

Attributes

The Form Authenticator Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.FormAuthenticator.

changeSessionIdOnAuthentication

Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation attacks. If not set, the default value of true will be used.

characterEncoding

Character encoding to use to read the username and password parameters from the request. If not set, the encoding of the request body will be used.

disableProxyCaching

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers but will also cause secured pages to be cached by proxies which will almost certainly be a security issue. securePagesWithPragma offers an alternative, secure, workaround for browser caching issues. If not set, the default value of true will be used.

securePagesWithPragma

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. If not set, the default value of true will be used.

SSL Authenticator Valve
Introduction

The SSL Authenticator Valve is automatically added to any Context that is configured to use SSL authentication.

If any non-default settings are required, the valve may be configured within Context element with the required values.

Attributes

The SSL Authenticator Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.SSLAuthenticator.

changeSessionIdOnAuthentication

Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation attacks. If not set, the default value of true will be used.

disableProxyCaching

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers but will also cause secured pages to be cached by proxies which will almost certainly be a security issue. securePagesWithPragma offers an alternative, secure, workaround for browser caching issues. If not set, the default value of true will be used.

securePagesWithPragma

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. If not set, the default value of true will be used.

WebDAV Fix Valve
Introduction

Microsoft operating systems have two WebDAV clients. One is used with port 80, the other is used for all other ports. The implementation used with port 80 does not adhere to the WebDAV specification and fails when trying to communicate with the Tomcat WebDAV Servlet. This valve provides a fix for this by forcing the use of the WebDAV implementation that works, even when connecting via port 80.

This Valve may be used at the Engine, Host or Context level as required. Normally, this Valve would be used at the Context level.

Attributes

The WebDAV Fix Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.WebdavFixValve.

Remote IP Valve
Introduction

Tomcat port of mod_remoteip, this valve replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").

Another feature of this valve is to replace the apparent scheme (http/https), server port and request.secure with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

This Valve may be used at the Engine, Host or Context level as required. Normally, this Valve would be used at the Engine level.

If used in conjunction with Remote Address/Host valves then this valve should be defined first to ensure that the correct client IP address is presented to the Remote Address/Host valves.

Attributes

The Remote IP Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteIpValve.

remoteIpHeader

Name of the HTTP Header read by this valve that holds the list of traversed IP addresses starting from the requesting client. If not specified, the default of x-forwarded-for is used.

internalProxies

List of internal proxies' IP addresses as comma separated regular expressions. If they appear in the remoteIpHeader value, they will be trusted and will not appear in the proxiesHeader value. If not specified the default value of 10\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?, 192\.168\.\d\d?\d?\.\d\d?\d?, 169\.254\.\d\d?\d?\.\d\d?\d?, 127\.\d\d?\d?\.\d\d?\d?\.\d\d?\d? will be used.

Note that the individual regular expressions must not contain commas themselves, as the internalProxies value is first split by commas, then parsed into separate regular expression patterns.

proxiesHeader

Name of the HTTP header created by this valve to hold the list of proxies that have been processed in the incoming remoteIpHeader. If not specified, the default of x-forwarded-by is used.

trustedProxies

List of trusted proxies' IP addresses as comma separated regular expressions. If they appear in the remoteIpHeader value, they will be trusted and will appear in the proxiesHeader value. If not specified, no proxies will be trusted.

protocolHeader

Name of the HTTP Header read by this valve that holds the protocol used by the client to connect to the proxy. If not specified, the default of null is used.

protocolHeaderHttpsValue

Value of the protocolHeader to indicate that it is an HTTPS request. If not specified, the default of https is used.

httpServerPort

Value returned by ServletRequest.getServerPort() when the protocolHeader indicates http protocol. If not specified, the default of 80 is used.

httpsServerPort

Value returned by ServletRequest.getServerPort() when the protocolHeader indicates https protocol. If not specified, the default of 443 is used.

Stuck Thread Detection Valve
Introduction

This valve allows to detect requests that take a long time to process, which might indicate that the thread that is processing it is stuck.

When such a request is detected, the current stack trace of its thread is written to Tomcat log with a WARN level.

The IDs and names of the stuck threads are available through JMX in the stuckThreadIds and stuckThreadNames attributes. The IDs can be used with the standard Threading JVM MBean (java.lang:type=Threading) to retrieve other information about each stuck thread.

Attributes

The Stuck Thread Detection Valve supports the following configuration attributes:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.StuckThreadDetectionValve.

threshold

Minimum duration in seconds after which a thread is considered stuck. Default is 600 seconds. If set to 0, the detection is disabled.

Note: since the detection is done in the background thread of the Container (Engine, Host or Context) declaring this Valve, the threshold should be higher than the backgroundProcessorDelay of this Container.

SSL Valve
Introduction

When using mod_proxy_http, the client SSL information is not included in the protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL information available to Tomcat, some additional configuration is required. In httpd, mod_headers is used to add the SSL information as HTTP headers. In Tomcat, this valve is used to read the information from the HTTP headers and insert it into the request.

Note: Ensure that the headers are always set by httpd for all requests to prevent a client spoofing SSL information by sending fake headers.

To configure httpd to set the necessary headers, add the following:

<IfModule ssl_module>
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
  RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
  RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
</IfModule>
Attributes

The SSL Valve supports the following configuration attribute:

AttributeDescription
className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.SSLValve.

Semaphore Valve
Introduction

The Semaphore Valve is able to limit the number of concurrent request processing threads.

org.apache.catalina.valves.SemaphoreValve provides methods which may be overridden by a subclass to customize behavior:

  • controlConcurrency may be overridden to add conditions;
  • permitDenied may be overridden to add error handling when a permit isn't granted.
Attributes

The Semaphore Valve supports the following configuration attributes:

AttributeDescription
block

Flag to determine if a thread is blocked until a permit is available. The default value is true.

className

Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.SemaphoreValve.

concurrency

Concurrency level of the semaphore. The default value is 10.

fairness

Fairness of the semaphore. The default value is false.

interruptible

Flag to determine if a thread may be interrupted until a permit is available. The default value is false.


Copyright © 1999-2016, Apache Software Foundation