-/*\r
- * Licensed to the Apache Software Foundation (ASF) under one or more\r
- * contributor license agreements. See the NOTICE file distributed with\r
- * this work for additional information regarding copyright ownership.\r
- * The ASF licenses this file to You under the Apache License, Version 2.0\r
- * (the "License"); you may not use this file except in compliance with\r
- * the License. You may obtain a copy of the License at\r
- * \r
- * http://www.apache.org/licenses/LICENSE-2.0\r
- * \r
- * Unless required by applicable law or agreed to in writing, software\r
- * distributed under the License is distributed on an "AS IS" BASIS,\r
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * See the License for the specific language governing permissions and\r
- * limitations under the License.\r
- */\r
-\r
-package org.apache.catalina.valves;\r
-\r
-import java.io.IOException;\r
-import java.util.ArrayList;\r
-import java.util.Iterator;\r
-import java.util.LinkedList;\r
-import java.util.List;\r
-import java.util.regex.Pattern;\r
-import java.util.regex.PatternSyntaxException;\r
-\r
-import javax.servlet.ServletException;\r
-\r
-import org.apache.tomcat.util.res.StringManager;\r
-import org.apache.catalina.connector.Request;\r
-import org.apache.catalina.connector.Response;\r
-import org.apache.catalina.valves.Constants;\r
-import org.apache.catalina.valves.RequestFilterValve;\r
-import org.apache.catalina.valves.ValveBase;\r
-import org.apache.juli.logging.Log;\r
-import org.apache.juli.logging.LogFactory;\r
-\r
-/**\r
- * <p>\r
- * Tomcat port of <a href="http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html">mod_remoteip</a>, this valve replaces the apparent\r
- * client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request\r
- * headers (e.g. "X-Forwarded-For").\r
- * </p>\r
- * <p>\r
- * Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a\r
- * load balancer via a request header (e.g. "X-Forwarded-Proto").\r
- * </p>\r
- * <p>\r
- * This valve proceeds as follows:\r
- * </p>\r
- * <p>\r
- * If the incoming <code>request.getRemoteAddr()</code> matches the valve's list of internal proxies :\r
- * <ul>\r
- * <li>Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http\r
- * header named <code>$remoteIPHeader</code> (default value <code>x-forwarded-for</code>). Values are processed in right-to-left order.</li>\r
- * <li>For each ip/host of the list:\r
- * <ul>\r
- * <li>if it matches the internal proxies list, the ip/host is swallowed</li>\r
- * <li>if it matches the trusted proxies list, the ip/host is added to the created proxies header</li>\r
- * <li>otherwise, the ip/host is declared to be the remote ip and looping is stopped.</li>\r
- * </ul>\r
- * </li>\r
- * <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-for</code>) equals to the value of\r
- * <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,\r
- * <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the\r
- * <code>$httpsServerPort</code> configuration parameter.</li>\r
- * </ul>\r
- * </p>\r
- * <p>\r
- * <strong>Configuration parameters:</strong>\r
- * <table border="1">\r
- * <tr>\r
- * <th>RemoteIpValve property</th>\r
- * <th>Description</th>\r
- * <th>Equivalent mod_remoteip directive</th>\r
- * <th>Format</th>\r
- * <th>Default Value</th>\r
- * </tr>\r
- * <tr>\r
- * <td>remoteIPHeader</td>\r
- * <td>Name of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting client</td>\r
- * <td>RemoteIPHeader</td>\r
- * <td>Compliant http header name</td>\r
- * <td>x-forwarded-for</td>\r
- * </tr>\r
- * <tr>\r
- * <td>internalProxies</td>\r
- * <td>List of internal proxies ip adress. If they appear in the <code>remoteIpHeader</code> value, they will be trusted and will not appear\r
- * in the <code>proxiesHeader</code> value</td>\r
- * <td>RemoteIPInternalProxy</td>\r
- * <td>Comma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)</td>\r
- * <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3} <br/>\r
- * By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not been enabled by default because it is complex to\r
- * describe with regular expressions</td>\r
- * </tr>\r
- * </tr>\r
- * <tr>\r
- * <td>proxiesHeader</td>\r
- * <td>Name of the http header created by this valve to hold the list of proxies that have been processed in the incoming\r
- * <code>remoteIPHeader</code></td>\r
- * <td>RemoteIPProxiesHeader</td>\r
- * <td>Compliant http header name</td>\r
- * <td>x-forwarded-by</td>\r
- * </tr>\r
- * <tr>\r
- * <td>trustedProxies</td>\r
- * <td>List of trusted proxies ip adress. If they appear in the <code>remoteIpHeader</code> value, they will be trusted and will appear\r
- * in the <code>proxiesHeader</code> value</td>\r
- * <td>RemoteIPTrustedProxy</td>\r
- * <td>Comma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)</td>\r
- * <td> </td>\r
- * </tr>\r
- * <tr>\r
- * <td>protocolHeader</td>\r
- * <td>Name of the http header read by this valve that holds the flag that this request </td>\r
- * <td>N/A</td>\r
- * <td>Compliant http header name like <code>X-Forwarded-Proto</code>, <code>X-Forwarded-Ssl</code> or <code>Front-End-Https</code></td>\r
- * <td><code>null</code></td>\r
- * </tr>\r
- * <tr>\r
- * <td>protocolHeaderHttpsValue</td>\r
- * <td>Value of the <code>protocolHeader</code> to indicate that it is an Https request</td>\r
- * <td>N/A</td>\r
- * <td>String like <code>https</code> or <code>ON</code></td>\r
- * <td><code>https</code></td>\r
- * </tr>\r
- * <tr>\r
- * </table>\r
- * </p>\r
- * <p>\r
- * <p>\r
- * This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.\r
- * </p>\r
- * <p>\r
- * <strong>Regular expression vs. IP address blocks:</strong> <code>mod_remoteip</code> allows to use address blocks (e.g.\r
- * <code>192.168/16</code>) to configure <code>RemoteIPInternalProxy</code> and <code>RemoteIPTrustedProxy</code> ; as Tomcat doesn't have a\r
- * library similar to <a\r
- * href="http://apr.apache.org/docs/apr/1.3/group__apr__network__io.html#gb74d21b8898b7c40bf7fd07ad3eb993d">apr_ipsubnet_test</a>,\r
- * <code>RemoteIpValve</code> uses regular expression to configure <code>internalProxies</code> and <code>trustedProxies</code> in the same\r
- * fashion as {@link RequestFilterValve} does.\r
- * </p>\r
- * <hr/>\r
- * <p>\r
- * <strong>Sample with internal proxies</strong>\r
- * </p>\r
- * <p>\r
- * RemoteIpValve configuration:\r
- * </p>\r
- * <code><pre>\r
- * <Valve \r
- * className="org.apache.catalina.connector.RemoteIpValve"\r
- * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"\r
- * remoteIPHeader="x-forwarded-for"\r
- * remoteIPProxiesHeader="x-forwarded-by"\r
- * protocolHeader="x-forwarded-proto"\r
- * /></pre></code>\r
- * <p>\r
- * Request values:\r
- * <table border="1">\r
- * <tr>\r
- * <th>property</th>\r
- * <th>Value Before RemoteIpValve</th>\r
- * <th>Value After RemoteIpValve</th>\r
- * </tr>\r
- * <tr>\r
- * <td>request.remoteAddr</td>\r
- * <td>192.168.0.10</td>\r
- * <td>140.211.11.130</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-for']</td>\r
- * <td>140.211.11.130, 192.168.0.10</td>\r
- * <td>null</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-by']</td>\r
- * <td>null</td>\r
- * <td>null</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-proto']</td>\r
- * <td>https</td>\r
- * <td>https</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.scheme</td>\r
- * <td>http</td>\r
- * <td>https</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.secure</td>\r
- * <td>false</td>\r
- * <td>true</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.serverPort</td>\r
- * <td>80</td>\r
- * <td>443</td>\r
- * </tr>\r
- * </table>\r
- * Note : <code>x-forwarded-by</code> header is null because only internal proxies as been traversed by the request.\r
- * <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.\r
- * </p>\r
- * <hr/>\r
- * <p>\r
- * <strong>Sample with trusted proxies</strong>\r
- * </p>\r
- * <p>\r
- * RemoteIpValve configuration:\r
- * </p>\r
- * <code><pre>\r
- * <Valve \r
- * className="org.apache.catalina.connector.RemoteIpValve"\r
- * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"\r
- * remoteIPHeader="x-forwarded-for"\r
- * remoteIPProxiesHeader="x-forwarded-by"\r
- * trustedProxies="proxy1, proxy2"\r
- * /></pre></code>\r
- * <p>\r
- * Request values:\r
- * <table border="1">\r
- * <tr>\r
- * <th>property</th>\r
- * <th>Value Before RemoteIpValve</th>\r
- * <th>Value After RemoteIpValve</th>\r
- * </tr>\r
- * <tr>\r
- * <td>request.remoteAddr</td>\r
- * <td>192.168.0.10</td>\r
- * <td>140.211.11.130</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-for']</td>\r
- * <td>140.211.11.130, proxy1, proxy2</td>\r
- * <td>null</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-by']</td>\r
- * <td>null</td>\r
- * <td>proxy1, proxy2</td>\r
- * </tr>\r
- * </table>\r
- * Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both\r
- * are migrated in <code>x-forwarded-by</code> header. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.\r
- * </p>\r
- * <hr/>\r
- * <p>\r
- * <strong>Sample with internal and trusted proxies</strong>\r
- * </p>\r
- * <p>\r
- * RemoteIpValve configuration:\r
- * </p>\r
- * <code><pre>\r
- * <Valve \r
- * className="org.apache.catalina.connector.RemoteIpValve"\r
- * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"\r
- * remoteIPHeader="x-forwarded-for"\r
- * remoteIPProxiesHeader="x-forwarded-by"\r
- * trustedProxies="proxy1, proxy2"\r
- * /></pre></code>\r
- * <p>\r
- * Request values:\r
- * <table border="1">\r
- * <tr>\r
- * <th>property</th>\r
- * <th>Value Before RemoteIpValve</th>\r
- * <th>Value After RemoteIpValve</th>\r
- * </tr>\r
- * <tr>\r
- * <td>request.remoteAddr</td>\r
- * <td>192.168.0.10</td>\r
- * <td>140.211.11.130</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-for']</td>\r
- * <td>140.211.11.130, proxy1, proxy2, 192.168.0.10</td>\r
- * <td>null</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-by']</td>\r
- * <td>null</td>\r
- * <td>proxy1, proxy2</td>\r
- * </tr>\r
- * </table>\r
- * Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both\r
- * are migrated in <code>x-forwarded-by</code> header. As <code>192.168.0.10</code> is an internal proxy, it does not appear in\r
- * <code>x-forwarded-by</code>. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.\r
- * </p>\r
- * <hr/>\r
- * <p>\r
- * <strong>Sample with an untrusted proxy</strong>\r
- * </p>\r
- * <p>\r
- * RemoteIpValve configuration:\r
- * </p>\r
- * <code><pre>\r
- * <Valve \r
- * className="org.apache.catalina.connector.RemoteIpValve"\r
- * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"\r
- * remoteIPHeader="x-forwarded-for"\r
- * remoteIPProxiesHeader="x-forwarded-by"\r
- * trustedProxies="proxy1, proxy2"\r
- * /></pre></code>\r
- * <p>\r
- * Request values:\r
- * <table border="1">\r
- * <tr>\r
- * <th>property</th>\r
- * <th>Value Before RemoteIpValve</th>\r
- * <th>Value After RemoteIpValve</th>\r
- * </tr>\r
- * <tr>\r
- * <td>request.remoteAddr</td>\r
- * <td>192.168.0.10</td>\r
- * <td>untrusted-proxy</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-for']</td>\r
- * <td>140.211.11.130, untrusted-proxy, proxy1</td>\r
- * <td>140.211.11.130</td>\r
- * </tr>\r
- * <tr>\r
- * <td>request.header['x-forwarded-by']</td>\r
- * <td>null</td>\r
- * <td>proxy1</td>\r
- * </tr>\r
- * </table>\r
- * Note : <code>x-forwarded-by</code> holds the trusted proxy <code>proxy1</code>. <code>x-forwarded-by</code> holds\r
- * <code>140.211.11.130</code> because <code>untrusted-proxy</code> is not trusted and thus, we can not trust that\r
- * <code>untrusted-proxy</code> is the actual remote ip. <code>request.remoteAddr</code> is <code>untrusted-proxy</code> that is an IP\r
- * verified by <code>proxy1</code>.\r
- * </p>\r
- */\r
-public class RemoteIpValve extends ValveBase {\r
- \r
- /**\r
- * {@link Pattern} for a comma delimited string that support whitespace characters\r
- */\r
- private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*");\r
- \r
- /**\r
- * The descriptive information related to this implementation.\r
- */\r
- private static final String info = "org.apache.catalina.connector.RemoteIpValve/1.0";\r
- \r
- /**\r
- * Logger\r
- */\r
- private static Log log = LogFactory.getLog(RemoteIpValve.class);\r
- \r
- /**\r
- * The StringManager for this package.\r
- */\r
- protected static StringManager sm = StringManager.getManager(Constants.Package);\r
- \r
- /**\r
- * Convert a given comma delimited list of regular expressions into an array of compiled {@link Pattern}\r
- * \r
- * @return array of patterns (not <code>null</code>)\r
- */\r
- protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns) {\r
- String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns);\r
- List<Pattern> patternsList = new ArrayList<Pattern>();\r
- for (String pattern : patterns) {\r
- try {\r
- patternsList.add(Pattern.compile(pattern));\r
- } catch (PatternSyntaxException e) {\r
- throw new IllegalArgumentException(sm.getString("remoteIpValve.syntax", pattern), e);\r
- }\r
- }\r
- return patternsList.toArray(new Pattern[0]);\r
- }\r
- \r
- /**\r
- * Convert a given comma delimited list of regular expressions into an array of String\r
- * \r
- * @return array of patterns (non <code>null</code>)\r
- */\r
- protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) {\r
- return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern\r
- .split(commaDelimitedStrings);\r
- }\r
- \r
- /**\r
- * Convert an array of strings in a comma delimited string\r
- */\r
- protected static String listToCommaDelimitedString(List<String> stringList) {\r
- if (stringList == null) {\r
- return "";\r
- }\r
- StringBuilder result = new StringBuilder();\r
- for (Iterator<String> it = stringList.iterator(); it.hasNext();) {\r
- Object element = it.next();\r
- if (element != null) {\r
- result.append(element);\r
- if (it.hasNext()) {\r
- result.append(", ");\r
- }\r
- }\r
- }\r
- return result.toString();\r
- }\r
- \r
- /**\r
- * Return <code>true</code> if the given <code>str</code> matches at least one of the given <code>patterns</code>.\r
- */\r
- protected static boolean matchesOne(String str, Pattern... patterns) {\r
- for (Pattern pattern : patterns) {\r
- if (pattern.matcher(str).matches()) {\r
- return true;\r
- }\r
- }\r
- return false;\r
- }\r
- \r
- /**\r
- * @see #setHttpsServerPort(int)\r
- */\r
- private int httpsServerPort = 443;\r
- \r
- /**\r
- * @see #setInternalProxies(String)\r
- */\r
- private Pattern[] internalProxies = new Pattern[] {\r
- Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"),\r
- Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}")\r
- };\r
- \r
- /**\r
- * @see #setProtocolHeader(String)\r
- */\r
- private String protocolHeader = null;\r
- \r
- /**\r
- * @see #setProtocolHeaderHttpsValue(String)\r
- */\r
- private String protocolHeaderHttpsValue = "https";\r
- \r
- /**\r
- * @see #setProxiesHeader(String)\r
- */\r
- private String proxiesHeader = "X-Forwarded-By";\r
- \r
- /**\r
- * @see #setRemoteIpHeader(String)\r
- */\r
- private String remoteIpHeader = "X-Forwarded-For";\r
- \r
- /**\r
- * @see RemoteIpValve#setTrustedProxies(String)\r
- */\r
- private Pattern[] trustedProxies = new Pattern[0];\r
- \r
- public int getHttpsServerPort() {\r
- return httpsServerPort;\r
- }\r
- \r
- /**\r
- * Return descriptive information about this Valve implementation.\r
- */\r
- @Override\r
- public String getInfo() {\r
- return info;\r
- }\r
- \r
- /**\r
- * @see #setInternalProxies(String)\r
- * @return comma delimited list of internal proxies\r
- */\r
- public String getInternalProxies() {\r
- List<String> internalProxiesAsStringList = new ArrayList<String>();\r
- for (Pattern internalProxyPattern : internalProxies) {\r
- internalProxiesAsStringList.add(String.valueOf(internalProxyPattern));\r
- }\r
- return listToCommaDelimitedString(internalProxiesAsStringList);\r
- }\r
- \r
- /**\r
- * @see #setProtocolHeader(String)\r
- * @return the protocol header (e.g. "X-Forwarded-Proto")\r
- */\r
- public String getProtocolHeader() {\r
- return protocolHeader;\r
- }\r
- \r
- /**\r
- * @see RemoteIpValve#setProtocolHeaderHttpsValue(String)\r
- * @return the value of the protocol header for incoming https request (e.g. "https")\r
- */\r
- public String getProtocolHeaderHttpsValue() {\r
- return protocolHeaderHttpsValue;\r
- }\r
- \r
- /**\r
- * @see #setProxiesHeader(String)\r
- * @return the proxies header name (e.g. "X-Forwarded-By")\r
- */\r
- public String getProxiesHeader() {\r
- return proxiesHeader;\r
- }\r
- \r
- /**\r
- * @see #setRemoteIpHeader(String)\r
- * @return the remote IP header name (e.g. "X-Forwarded-For")\r
- */\r
- public String getRemoteIpHeader() {\r
- return remoteIpHeader;\r
- }\r
- \r
- /**\r
- * @see #setTrustedProxies(String)\r
- * @return comma delimited list of trusted proxies\r
- */\r
- public String getTrustedProxies() {\r
- List<String> trustedProxiesAsStringList = new ArrayList<String>();\r
- for (Pattern trustedProxy : trustedProxies) {\r
- trustedProxiesAsStringList.add(String.valueOf(trustedProxy));\r
- }\r
- return listToCommaDelimitedString(trustedProxiesAsStringList);\r
- }\r
- \r
- /**\r
- * {@inheritDoc}\r
- */\r
- @Override\r
- public void invoke(Request request, Response response) throws IOException, ServletException {\r
- final String originalRemoteAddr = request.getRemoteAddr();\r
- final String originalRemoteHost = request.getRemoteHost();\r
- final String originalScheme = request.getScheme();\r
- final boolean originalSecure = request.isSecure();\r
- final int originalServerPort = request.getServerPort();\r
- \r
- if (matchesOne(originalRemoteAddr, internalProxies)) {\r
- String remoteIp = null;\r
- // In java 6, proxiesHeaderValue should be declared as a java.util.Deque\r
- LinkedList<String> proxiesHeaderValue = new LinkedList<String>();\r
- \r
- String[] remoteIPHeaderValue = commaDelimitedListToStringArray(request.getHeader(remoteIpHeader));\r
- int idx;\r
- // loop on remoteIPHeaderValue to find the first trusted remote ip and to build the proxies chain\r
- for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--) {\r
- String currentRemoteIp = remoteIPHeaderValue[idx];\r
- remoteIp = currentRemoteIp;\r
- if (matchesOne(currentRemoteIp, internalProxies)) {\r
- // do nothing, internalProxies IPs are not appended to the\r
- } else if (matchesOne(currentRemoteIp, trustedProxies)) {\r
- proxiesHeaderValue.addFirst(currentRemoteIp);\r
- } else {\r
- idx--; // decrement idx because break statement doesn't do it\r
- break;\r
- }\r
- }\r
- // continue to loop on remoteIPHeaderValue to build the new value of the remoteIPHeader\r
- LinkedList<String> newRemoteIpHeaderValue = new LinkedList<String>();\r
- for (; idx >= 0; idx--) {\r
- String currentRemoteIp = remoteIPHeaderValue[idx];\r
- newRemoteIpHeaderValue.addFirst(currentRemoteIp);\r
- }\r
- if (remoteIp != null) {\r
- \r
- request.setRemoteAddr(remoteIp);\r
- request.setRemoteHost(remoteIp);\r
- \r
- // use request.coyoteRequest.mimeHeaders.setValue(str).setString(str) because request.addHeader(str, str) is no-op in Tomcat\r
- // 6.0\r
- if (proxiesHeaderValue.size() == 0) {\r
- request.getCoyoteRequest().getMimeHeaders().removeHeader(proxiesHeader);\r
- } else {\r
- String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue);\r
- request.getCoyoteRequest().getMimeHeaders().setValue(proxiesHeader).setString(commaDelimitedListOfProxies);\r
- }\r
- if (newRemoteIpHeaderValue.size() == 0) {\r
- request.getCoyoteRequest().getMimeHeaders().removeHeader(remoteIpHeader);\r
- } else {\r
- String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue);\r
- request.getCoyoteRequest().getMimeHeaders().setValue(remoteIpHeader).setString(commaDelimitedRemoteIpHeaderValue);\r
- }\r
- }\r
- \r
- if (protocolHeader != null) {\r
- String protocolHeaderValue = request.getHeader(protocolHeader);\r
- if (protocolHeaderValue != null && protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {\r
- request.setSecure(true);\r
- // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0\r
- request.getCoyoteRequest().scheme().setString("https");\r
- \r
- request.setServerPort(httpsServerPort);\r
- }\r
- }\r
- \r
- if (log.isDebugEnabled()) {\r
- log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + originalRemoteAddr\r
- + "', originalRemoteHost='" + originalRemoteHost + "', originalSecure='" + originalSecure + "', originalScheme='"\r
- + originalScheme + "' will be seen as newRemoteAddr='" + request.getRemoteAddr() + "', newRemoteHost='"\r
- + request.getRemoteHost() + "', newScheme='" + request.getScheme() + "', newSecure='" + request.isSecure() + "'");\r
- }\r
- }\r
- try {\r
- getNext().invoke(request, response);\r
- } finally {\r
- request.setRemoteAddr(originalRemoteAddr);\r
- request.setRemoteHost(originalRemoteHost);\r
- \r
- request.setSecure(originalSecure);\r
- \r
- // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0\r
- request.getCoyoteRequest().scheme().setString(originalScheme);\r
- \r
- request.setServerPort(originalServerPort);\r
- }\r
- }\r
- \r
- /**\r
- * <p>\r
- * Server Port value if the {@link #protocolHeader} indicates HTTPS\r
- * </p>\r
- * <p>\r
- * Default value : 443\r
- * </p>\r
- */\r
- public void setHttpsServerPort(int httpsServerPort) {\r
- this.httpsServerPort = httpsServerPort;\r
- }\r
- \r
- /**\r
- * <p>\r
- * Comma delimited list of internal proxies. Can be expressed with regular expressions.\r
- * </p>\r
- * <p>\r
- * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}\r
- * </p>\r
- */\r
- public void setInternalProxies(String commaDelimitedInternalProxies) {\r
- this.internalProxies = commaDelimitedListToPatternArray(commaDelimitedInternalProxies);\r
- }\r
- \r
- /**\r
- * <p>\r
- * Header that holds the incoming protocol, usally named <code>X-Forwarded-Proto</code>. If <code>null</code>, request.scheme and\r
- * request.secure will not be modified.\r
- * </p>\r
- * <p>\r
- * Default value : <code>null</code>\r
- * </p>\r
- */\r
- public void setProtocolHeader(String protocolHeader) {\r
- this.protocolHeader = protocolHeader;\r
- }\r
- \r
- /**\r
- * <p>\r
- * Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.\r
- * </p>\r
- * <p>\r
- * Default value : <code>https</code>\r
- * </p>\r
- */\r
- public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {\r
- this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;\r
- }\r
- \r
- /**\r
- * <p>\r
- * The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP\r
- * addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,\r
- * while any intermediate RemoteIPInternalProxy addresses are discarded.\r
- * </p>\r
- * <p>\r
- * Name of the http header that holds the list of trusted proxies that has been traversed by the http request.\r
- * </p>\r
- * <p>\r
- * The value of this header can be comma delimited.\r
- * </p>\r
- * <p>\r
- * Default value : <code>X-Forwarded-By</code>\r
- * </p>\r
- */\r
- public void setProxiesHeader(String proxiesHeader) {\r
- this.proxiesHeader = proxiesHeader;\r
- }\r
- \r
- /**\r
- * <p>\r
- * Name of the http header from which the remote ip is extracted.\r
- * </p>\r
- * <p>\r
- * The value of this header can be comma delimited.\r
- * </p>\r
- * <p>\r
- * Default value : <code>X-Forwarded-For</code>\r
- * </p>\r
- * \r
- * @param remoteIPHeader\r
- */\r
- public void setRemoteIpHeader(String remoteIpHeader) {\r
- this.remoteIpHeader = remoteIpHeader;\r
- }\r
- \r
- /**\r
- * <p>\r
- * Comma delimited list of proxies that are trusted when they appear in the {@link #remoteIPHeader} header. Can be expressed as a\r
- * regular expression.\r
- * </p>\r
- * <p>\r
- * Default value : empty list, no external proxy is trusted.\r
- * </p>\r
- */\r
- public void setTrustedProxies(String commaDelimitedTrustedProxies) {\r
- this.trustedProxies = commaDelimitedListToPatternArray(commaDelimitedTrustedProxies);\r
- }\r
-}\r
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.valves;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
+import javax.servlet.ServletException;
+
+import org.apache.tomcat.util.res.StringManager;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.valves.Constants;
+import org.apache.catalina.valves.RequestFilterValve;
+import org.apache.catalina.valves.ValveBase;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+
+/**
+ * <p>
+ * Tomcat port of <a href="http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html">mod_remoteip</a>, this valve replaces the apparent
+ * client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request
+ * headers (e.g. "X-Forwarded-For").
+ * </p>
+ * <p>
+ * Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a
+ * load balancer via a request header (e.g. "X-Forwarded-Proto").
+ * </p>
+ * <p>
+ * This valve proceeds as follows:
+ * </p>
+ * <p>
+ * If the incoming <code>request.getRemoteAddr()</code> matches the valve's list of internal proxies :
+ * <ul>
+ * <li>Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http
+ * header named <code>$remoteIPHeader</code> (default value <code>x-forwarded-for</code>). Values are processed in right-to-left order.</li>
+ * <li>For each ip/host of the list:
+ * <ul>
+ * <li>if it matches the internal proxies list, the ip/host is swallowed</li>
+ * <li>if it matches the trusted proxies list, the ip/host is added to the created proxies header</li>
+ * <li>otherwise, the ip/host is declared to be the remote ip and looping is stopped.</li>
+ * </ul>
+ * </li>
+ * <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-for</code>) equals to the value of
+ * <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
+ * <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the
+ * <code>$httpsServerPort</code> configuration parameter.</li>
+ * </ul>
+ * </p>
+ * <p>
+ * <strong>Configuration parameters:</strong>
+ * <table border="1">
+ * <tr>
+ * <th>RemoteIpValve property</th>
+ * <th>Description</th>
+ * <th>Equivalent mod_remoteip directive</th>
+ * <th>Format</th>
+ * <th>Default Value</th>
+ * </tr>
+ * <tr>
+ * <td>remoteIPHeader</td>
+ * <td>Name of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting client</td>
+ * <td>RemoteIPHeader</td>
+ * <td>Compliant http header name</td>
+ * <td>x-forwarded-for</td>
+ * </tr>
+ * <tr>
+ * <td>internalProxies</td>
+ * <td>List of internal proxies ip adress. If they appear in the <code>remoteIpHeader</code> value, they will be trusted and will not appear
+ * in the <code>proxiesHeader</code> value</td>
+ * <td>RemoteIPInternalProxy</td>
+ * <td>Comma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)</td>
+ * <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3} <br/>
+ * By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not been enabled by default because it is complex to
+ * describe with regular expressions</td>
+ * </tr>
+ * </tr>
+ * <tr>
+ * <td>proxiesHeader</td>
+ * <td>Name of the http header created by this valve to hold the list of proxies that have been processed in the incoming
+ * <code>remoteIPHeader</code></td>
+ * <td>RemoteIPProxiesHeader</td>
+ * <td>Compliant http header name</td>
+ * <td>x-forwarded-by</td>
+ * </tr>
+ * <tr>
+ * <td>trustedProxies</td>
+ * <td>List of trusted proxies ip adress. If they appear in the <code>remoteIpHeader</code> value, they will be trusted and will appear
+ * in the <code>proxiesHeader</code> value</td>
+ * <td>RemoteIPTrustedProxy</td>
+ * <td>Comma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)</td>
+ * <td> </td>
+ * </tr>
+ * <tr>
+ * <td>protocolHeader</td>
+ * <td>Name of the http header read by this valve that holds the flag that this request </td>
+ * <td>N/A</td>
+ * <td>Compliant http header name like <code>X-Forwarded-Proto</code>, <code>X-Forwarded-Ssl</code> or <code>Front-End-Https</code></td>
+ * <td><code>null</code></td>
+ * </tr>
+ * <tr>
+ * <td>protocolHeaderHttpsValue</td>
+ * <td>Value of the <code>protocolHeader</code> to indicate that it is an Https request</td>
+ * <td>N/A</td>
+ * <td>String like <code>https</code> or <code>ON</code></td>
+ * <td><code>https</code></td>
+ * </tr>
+ * <tr>
+ * </table>
+ * </p>
+ * <p>
+ * <p>
+ * This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform.
+ * </p>
+ * <p>
+ * <strong>Regular expression vs. IP address blocks:</strong> <code>mod_remoteip</code> allows to use address blocks (e.g.
+ * <code>192.168/16</code>) to configure <code>RemoteIPInternalProxy</code> and <code>RemoteIPTrustedProxy</code> ; as Tomcat doesn't have a
+ * library similar to <a
+ * href="http://apr.apache.org/docs/apr/1.3/group__apr__network__io.html#gb74d21b8898b7c40bf7fd07ad3eb993d">apr_ipsubnet_test</a>,
+ * <code>RemoteIpValve</code> uses regular expression to configure <code>internalProxies</code> and <code>trustedProxies</code> in the same
+ * fashion as {@link RequestFilterValve} does.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with internal proxies</strong>
+ * </p>
+ * <p>
+ * RemoteIpValve configuration:
+ * </p>
+ * <code><pre>
+ * <Valve
+ * className="org.apache.catalina.connector.RemoteIpValve"
+ * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
+ * remoteIPHeader="x-forwarded-for"
+ * remoteIPProxiesHeader="x-forwarded-by"
+ * protocolHeader="x-forwarded-proto"
+ * /></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before RemoteIpValve</th>
+ * <th>Value After RemoteIpValve</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, 192.168.0.10</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-proto']</td>
+ * <td>https</td>
+ * <td>https</td>
+ * </tr>
+ * <tr>
+ * <td>request.scheme</td>
+ * <td>http</td>
+ * <td>https</td>
+ * </tr>
+ * <tr>
+ * <td>request.secure</td>
+ * <td>false</td>
+ * <td>true</td>
+ * </tr>
+ * <tr>
+ * <td>request.serverPort</td>
+ * <td>80</td>
+ * <td>443</td>
+ * </tr>
+ * </table>
+ * Note : <code>x-forwarded-by</code> header is null because only internal proxies as been traversed by the request.
+ * <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with trusted proxies</strong>
+ * </p>
+ * <p>
+ * RemoteIpValve configuration:
+ * </p>
+ * <code><pre>
+ * <Valve
+ * className="org.apache.catalina.connector.RemoteIpValve"
+ * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
+ * remoteIPHeader="x-forwarded-for"
+ * remoteIPProxiesHeader="x-forwarded-by"
+ * trustedProxies="proxy1, proxy2"
+ * /></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before RemoteIpValve</th>
+ * <th>Value After RemoteIpValve</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, proxy1, proxy2</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1, proxy2</td>
+ * </tr>
+ * </table>
+ * Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both
+ * are migrated in <code>x-forwarded-by</code> header. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with internal and trusted proxies</strong>
+ * </p>
+ * <p>
+ * RemoteIpValve configuration:
+ * </p>
+ * <code><pre>
+ * <Valve
+ * className="org.apache.catalina.connector.RemoteIpValve"
+ * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
+ * remoteIPHeader="x-forwarded-for"
+ * remoteIPProxiesHeader="x-forwarded-by"
+ * trustedProxies="proxy1, proxy2"
+ * /></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before RemoteIpValve</th>
+ * <th>Value After RemoteIpValve</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, proxy1, proxy2, 192.168.0.10</td>
+ * <td>null</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1, proxy2</td>
+ * </tr>
+ * </table>
+ * Note : <code>proxy1</code> and <code>proxy2</code> are both trusted proxies that come in <code>x-forwarded-for</code> header, they both
+ * are migrated in <code>x-forwarded-by</code> header. As <code>192.168.0.10</code> is an internal proxy, it does not appear in
+ * <code>x-forwarded-by</code>. <code>x-forwarded-by</code> is null because all the proxies are trusted or internal.
+ * </p>
+ * <hr/>
+ * <p>
+ * <strong>Sample with an untrusted proxy</strong>
+ * </p>
+ * <p>
+ * RemoteIpValve configuration:
+ * </p>
+ * <code><pre>
+ * <Valve
+ * className="org.apache.catalina.connector.RemoteIpValve"
+ * internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
+ * remoteIPHeader="x-forwarded-for"
+ * remoteIPProxiesHeader="x-forwarded-by"
+ * trustedProxies="proxy1, proxy2"
+ * /></pre></code>
+ * <p>
+ * Request values:
+ * <table border="1">
+ * <tr>
+ * <th>property</th>
+ * <th>Value Before RemoteIpValve</th>
+ * <th>Value After RemoteIpValve</th>
+ * </tr>
+ * <tr>
+ * <td>request.remoteAddr</td>
+ * <td>192.168.0.10</td>
+ * <td>untrusted-proxy</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-for']</td>
+ * <td>140.211.11.130, untrusted-proxy, proxy1</td>
+ * <td>140.211.11.130</td>
+ * </tr>
+ * <tr>
+ * <td>request.header['x-forwarded-by']</td>
+ * <td>null</td>
+ * <td>proxy1</td>
+ * </tr>
+ * </table>
+ * Note : <code>x-forwarded-by</code> holds the trusted proxy <code>proxy1</code>. <code>x-forwarded-by</code> holds
+ * <code>140.211.11.130</code> because <code>untrusted-proxy</code> is not trusted and thus, we can not trust that
+ * <code>untrusted-proxy</code> is the actual remote ip. <code>request.remoteAddr</code> is <code>untrusted-proxy</code> that is an IP
+ * verified by <code>proxy1</code>.
+ * </p>
+ */
+public class RemoteIpValve extends ValveBase {
+
+ /**
+ * {@link Pattern} for a comma delimited string that support whitespace characters
+ */
+ private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*");
+
+ /**
+ * The descriptive information related to this implementation.
+ */
+ private static final String info = "org.apache.catalina.connector.RemoteIpValve/1.0";
+
+ /**
+ * Logger
+ */
+ private static Log log = LogFactory.getLog(RemoteIpValve.class);
+
+ /**
+ * The StringManager for this package.
+ */
+ protected static StringManager sm = StringManager.getManager(Constants.Package);
+
+ /**
+ * Convert a given comma delimited list of regular expressions into an array of compiled {@link Pattern}
+ *
+ * @return array of patterns (not <code>null</code>)
+ */
+ protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns) {
+ String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns);
+ List<Pattern> patternsList = new ArrayList<Pattern>();
+ for (String pattern : patterns) {
+ try {
+ patternsList.add(Pattern.compile(pattern));
+ } catch (PatternSyntaxException e) {
+ throw new IllegalArgumentException(sm.getString("remoteIpValve.syntax", pattern), e);
+ }
+ }
+ return patternsList.toArray(new Pattern[0]);
+ }
+
+ /**
+ * Convert a given comma delimited list of regular expressions into an array of String
+ *
+ * @return array of patterns (non <code>null</code>)
+ */
+ protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) {
+ return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern
+ .split(commaDelimitedStrings);
+ }
+
+ /**
+ * Convert an array of strings in a comma delimited string
+ */
+ protected static String listToCommaDelimitedString(List<String> stringList) {
+ if (stringList == null) {
+ return "";
+ }
+ StringBuilder result = new StringBuilder();
+ for (Iterator<String> it = stringList.iterator(); it.hasNext();) {
+ Object element = it.next();
+ if (element != null) {
+ result.append(element);
+ if (it.hasNext()) {
+ result.append(", ");
+ }
+ }
+ }
+ return result.toString();
+ }
+
+ /**
+ * Return <code>true</code> if the given <code>str</code> matches at least one of the given <code>patterns</code>.
+ */
+ protected static boolean matchesOne(String str, Pattern... patterns) {
+ for (Pattern pattern : patterns) {
+ if (pattern.matcher(str).matches()) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * @see #setHttpsServerPort(int)
+ */
+ private int httpsServerPort = 443;
+
+ /**
+ * @see #setInternalProxies(String)
+ */
+ private Pattern[] internalProxies = new Pattern[] {
+ Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"),
+ Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}")
+ };
+
+ /**
+ * @see #setProtocolHeader(String)
+ */
+ private String protocolHeader = null;
+
+ /**
+ * @see #setProtocolHeaderHttpsValue(String)
+ */
+ private String protocolHeaderHttpsValue = "https";
+
+ /**
+ * @see #setProxiesHeader(String)
+ */
+ private String proxiesHeader = "X-Forwarded-By";
+
+ /**
+ * @see #setRemoteIpHeader(String)
+ */
+ private String remoteIpHeader = "X-Forwarded-For";
+
+ /**
+ * @see RemoteIpValve#setTrustedProxies(String)
+ */
+ private Pattern[] trustedProxies = new Pattern[0];
+
+ public int getHttpsServerPort() {
+ return httpsServerPort;
+ }
+
+ /**
+ * Return descriptive information about this Valve implementation.
+ */
+ @Override
+ public String getInfo() {
+ return info;
+ }
+
+ /**
+ * @see #setInternalProxies(String)
+ * @return comma delimited list of internal proxies
+ */
+ public String getInternalProxies() {
+ List<String> internalProxiesAsStringList = new ArrayList<String>();
+ for (Pattern internalProxyPattern : internalProxies) {
+ internalProxiesAsStringList.add(String.valueOf(internalProxyPattern));
+ }
+ return listToCommaDelimitedString(internalProxiesAsStringList);
+ }
+
+ /**
+ * @see #setProtocolHeader(String)
+ * @return the protocol header (e.g. "X-Forwarded-Proto")
+ */
+ public String getProtocolHeader() {
+ return protocolHeader;
+ }
+
+ /**
+ * @see RemoteIpValve#setProtocolHeaderHttpsValue(String)
+ * @return the value of the protocol header for incoming https request (e.g. "https")
+ */
+ public String getProtocolHeaderHttpsValue() {
+ return protocolHeaderHttpsValue;
+ }
+
+ /**
+ * @see #setProxiesHeader(String)
+ * @return the proxies header name (e.g. "X-Forwarded-By")
+ */
+ public String getProxiesHeader() {
+ return proxiesHeader;
+ }
+
+ /**
+ * @see #setRemoteIpHeader(String)
+ * @return the remote IP header name (e.g. "X-Forwarded-For")
+ */
+ public String getRemoteIpHeader() {
+ return remoteIpHeader;
+ }
+
+ /**
+ * @see #setTrustedProxies(String)
+ * @return comma delimited list of trusted proxies
+ */
+ public String getTrustedProxies() {
+ List<String> trustedProxiesAsStringList = new ArrayList<String>();
+ for (Pattern trustedProxy : trustedProxies) {
+ trustedProxiesAsStringList.add(String.valueOf(trustedProxy));
+ }
+ return listToCommaDelimitedString(trustedProxiesAsStringList);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public void invoke(Request request, Response response) throws IOException, ServletException {
+ final String originalRemoteAddr = request.getRemoteAddr();
+ final String originalRemoteHost = request.getRemoteHost();
+ final String originalScheme = request.getScheme();
+ final boolean originalSecure = request.isSecure();
+ final int originalServerPort = request.getServerPort();
+
+ if (matchesOne(originalRemoteAddr, internalProxies)) {
+ String remoteIp = null;
+ // In java 6, proxiesHeaderValue should be declared as a java.util.Deque
+ LinkedList<String> proxiesHeaderValue = new LinkedList<String>();
+
+ String[] remoteIPHeaderValue = commaDelimitedListToStringArray(request.getHeader(remoteIpHeader));
+ int idx;
+ // loop on remoteIPHeaderValue to find the first trusted remote ip and to build the proxies chain
+ for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--) {
+ String currentRemoteIp = remoteIPHeaderValue[idx];
+ remoteIp = currentRemoteIp;
+ if (matchesOne(currentRemoteIp, internalProxies)) {
+ // do nothing, internalProxies IPs are not appended to the
+ } else if (matchesOne(currentRemoteIp, trustedProxies)) {
+ proxiesHeaderValue.addFirst(currentRemoteIp);
+ } else {
+ idx--; // decrement idx because break statement doesn't do it
+ break;
+ }
+ }
+ // continue to loop on remoteIPHeaderValue to build the new value of the remoteIPHeader
+ LinkedList<String> newRemoteIpHeaderValue = new LinkedList<String>();
+ for (; idx >= 0; idx--) {
+ String currentRemoteIp = remoteIPHeaderValue[idx];
+ newRemoteIpHeaderValue.addFirst(currentRemoteIp);
+ }
+ if (remoteIp != null) {
+
+ request.setRemoteAddr(remoteIp);
+ request.setRemoteHost(remoteIp);
+
+ // use request.coyoteRequest.mimeHeaders.setValue(str).setString(str) because request.addHeader(str, str) is no-op in Tomcat
+ // 6.0
+ if (proxiesHeaderValue.size() == 0) {
+ request.getCoyoteRequest().getMimeHeaders().removeHeader(proxiesHeader);
+ } else {
+ String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue);
+ request.getCoyoteRequest().getMimeHeaders().setValue(proxiesHeader).setString(commaDelimitedListOfProxies);
+ }
+ if (newRemoteIpHeaderValue.size() == 0) {
+ request.getCoyoteRequest().getMimeHeaders().removeHeader(remoteIpHeader);
+ } else {
+ String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue);
+ request.getCoyoteRequest().getMimeHeaders().setValue(remoteIpHeader).setString(commaDelimitedRemoteIpHeaderValue);
+ }
+ }
+
+ if (protocolHeader != null) {
+ String protocolHeaderValue = request.getHeader(protocolHeader);
+ if (protocolHeaderValue != null && protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
+ request.setSecure(true);
+ // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
+ request.getCoyoteRequest().scheme().setString("https");
+
+ request.setServerPort(httpsServerPort);
+ }
+ }
+
+ if (log.isDebugEnabled()) {
+ log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + originalRemoteAddr
+ + "', originalRemoteHost='" + originalRemoteHost + "', originalSecure='" + originalSecure + "', originalScheme='"
+ + originalScheme + "' will be seen as newRemoteAddr='" + request.getRemoteAddr() + "', newRemoteHost='"
+ + request.getRemoteHost() + "', newScheme='" + request.getScheme() + "', newSecure='" + request.isSecure() + "'");
+ }
+ }
+ try {
+ getNext().invoke(request, response);
+ } finally {
+ request.setRemoteAddr(originalRemoteAddr);
+ request.setRemoteHost(originalRemoteHost);
+
+ request.setSecure(originalSecure);
+
+ // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0
+ request.getCoyoteRequest().scheme().setString(originalScheme);
+
+ request.setServerPort(originalServerPort);
+ }
+ }
+
+ /**
+ * <p>
+ * Server Port value if the {@link #protocolHeader} indicates HTTPS
+ * </p>
+ * <p>
+ * Default value : 443
+ * </p>
+ */
+ public void setHttpsServerPort(int httpsServerPort) {
+ this.httpsServerPort = httpsServerPort;
+ }
+
+ /**
+ * <p>
+ * Comma delimited list of internal proxies. Can be expressed with regular expressions.
+ * </p>
+ * <p>
+ * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
+ * </p>
+ */
+ public void setInternalProxies(String commaDelimitedInternalProxies) {
+ this.internalProxies = commaDelimitedListToPatternArray(commaDelimitedInternalProxies);
+ }
+
+ /**
+ * <p>
+ * Header that holds the incoming protocol, usally named <code>X-Forwarded-Proto</code>. If <code>null</code>, request.scheme and
+ * request.secure will not be modified.
+ * </p>
+ * <p>
+ * Default value : <code>null</code>
+ * </p>
+ */
+ public void setProtocolHeader(String protocolHeader) {
+ this.protocolHeader = protocolHeader;
+ }
+
+ /**
+ * <p>
+ * Case insensitive value of the protocol header to indicate that the incoming http request uses SSL.
+ * </p>
+ * <p>
+ * Default value : <code>https</code>
+ * </p>
+ */
+ public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) {
+ this.protocolHeaderHttpsValue = protocolHeaderHttpsValue;
+ }
+
+ /**
+ * <p>
+ * The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP
+ * addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header,
+ * while any intermediate RemoteIPInternalProxy addresses are discarded.
+ * </p>
+ * <p>
+ * Name of the http header that holds the list of trusted proxies that has been traversed by the http request.
+ * </p>
+ * <p>
+ * The value of this header can be comma delimited.
+ * </p>
+ * <p>
+ * Default value : <code>X-Forwarded-By</code>
+ * </p>
+ */
+ public void setProxiesHeader(String proxiesHeader) {
+ this.proxiesHeader = proxiesHeader;
+ }
+
+ /**
+ * <p>
+ * Name of the http header from which the remote ip is extracted.
+ * </p>
+ * <p>
+ * The value of this header can be comma delimited.
+ * </p>
+ * <p>
+ * Default value : <code>X-Forwarded-For</code>
+ * </p>
+ *
+ * @param remoteIPHeader
+ */
+ public void setRemoteIpHeader(String remoteIpHeader) {
+ this.remoteIpHeader = remoteIpHeader;
+ }
+
+ /**
+ * <p>
+ * Comma delimited list of proxies that are trusted when they appear in the {@link #remoteIPHeader} header. Can be expressed as a
+ * regular expression.
+ * </p>
+ * <p>
+ * Default value : empty list, no external proxy is trusted.
+ * </p>
+ */
+ public void setTrustedProxies(String commaDelimitedTrustedProxies) {
+ this.trustedProxies = commaDelimitedListToPatternArray(commaDelimitedTrustedProxies);
+ }
+}
-/*\r
- * Licensed to the Apache Software Foundation (ASF) under one or more\r
- * contributor license agreements. See the NOTICE file distributed with\r
- * this work for additional information regarding copyright ownership.\r
- * The ASF licenses this file to You under the Apache License, Version 2.0\r
- * (the "License"); you may not use this file except in compliance with\r
- * the License. You may obtain a copy of the License at\r
- * \r
- * http://www.apache.org/licenses/LICENSE-2.0\r
- * \r
- * Unless required by applicable law or agreed to in writing, software\r
- * distributed under the License is distributed on an "AS IS" BASIS,\r
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * See the License for the specific language governing permissions and\r
- * limitations under the License.\r
- */\r
-\r
-package org.apache.catalina.valves;\r
-\r
-import java.io.IOException;\r
-import java.util.ArrayList;\r
-import java.util.Arrays;\r
-import java.util.List;\r
-\r
-import javax.servlet.ServletException;\r
-\r
-import junit.framework.TestCase;\r
-\r
-import org.apache.catalina.connector.Request;\r
-import org.apache.catalina.connector.Response;\r
-import org.apache.catalina.valves.ValveBase;\r
-\r
-/**\r
- * {@link RemoteIpValve} Tests\r
- */\r
-public class RemoteIpValveTest extends TestCase {\r
- \r
- static class RemoteAddrAndHostTrackerValve extends ValveBase {\r
- private String remoteAddr;\r
- private String remoteHost;\r
- \r
- public String getRemoteAddr() {\r
- return remoteAddr;\r
- }\r
- \r
- public String getRemoteHost() {\r
- return remoteHost;\r
- }\r
- \r
- @Override\r
- public void invoke(Request request, Response response) throws IOException, ServletException {\r
- this.remoteHost = request.getRemoteHost();\r
- this.remoteAddr = request.getRemoteAddr();\r
- }\r
- }\r
- \r
- public void testCommaDelimitedListToStringArray() {\r
- List<String> elements = Arrays.asList("element1", "element2", "element3");\r
- String actual = RemoteIpValve.listToCommaDelimitedString(elements);\r
- assertEquals("element1, element2, element3", actual);\r
- }\r
- \r
- public void testCommaDelimitedListToStringArrayEmptyList() {\r
- List<String> elements = new ArrayList<String>();\r
- String actual = RemoteIpValve.listToCommaDelimitedString(elements);\r
- assertEquals("", actual);\r
- }\r
- \r
- public void testCommaDelimitedListToStringArrayNullList() {\r
- String actual = RemoteIpValve.listToCommaDelimitedString(null);\r
- assertEquals("", actual);\r
- }\r
- \r
- public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeader() throws Exception {\r
- // PREPARE\r
- RemoteIpValve remoteIpValve = new RemoteIpValve();\r
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");\r
- remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");\r
- remoteIpValve.setRemoteIpHeader("x-forwarded-for");\r
- remoteIpValve.setProxiesHeader("x-forwarded-by");\r
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();\r
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);\r
- \r
- Request request = new Request();\r
- request.setCoyoteRequest(new org.apache.coyote.Request());\r
- request.setRemoteAddr("192.168.0.10");\r
- request.setRemoteHost("remote-host-original-value");\r
- \r
- // TEST\r
- remoteIpValve.invoke(request, null);\r
- \r
- // VERIFY\r
- String actualXForwardedFor = request.getHeader("x-forwarded-for");\r
- assertNull("x-forwarded-for must be null", actualXForwardedFor);\r
- \r
- String actualXForwardedBy = request.getHeader("x-forwarded-by");\r
- assertNull("x-forwarded-by must be null", actualXForwardedBy);\r
- \r
- String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();\r
- assertEquals("remoteAddr", "192.168.0.10", actualRemoteAddr);\r
- \r
- String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();\r
- assertEquals("remoteHost", "remote-host-original-value", actualRemoteHost);\r
- \r
- String actualPostInvokeRemoteAddr = request.getRemoteAddr();\r
- assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);\r
- \r
- String actualPostInvokeRemoteHost = request.getRemoteHost();\r
- assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);\r
- \r
- }\r
- \r
- public void testInvokeAllProxiesAreTrusted() throws Exception {\r
- \r
- // PREPARE\r
- RemoteIpValve remoteIpValve = new RemoteIpValve();\r
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");\r
- remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");\r
- remoteIpValve.setRemoteIpHeader("x-forwarded-for");\r
- remoteIpValve.setProxiesHeader("x-forwarded-by");\r
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();\r
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);\r
- \r
- Request request = new Request();\r
- request.setCoyoteRequest(new org.apache.coyote.Request());\r
- request.setRemoteAddr("192.168.0.10");\r
- request.setRemoteHost("remote-host-original-value");\r
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");\r
- \r
- // TEST\r
- remoteIpValve.invoke(request, null);\r
- \r
- // VERIFY\r
- String actualXForwardedFor = request.getHeader("x-forwarded-for");\r
- assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);\r
- \r
- String actualXForwardedBy = request.getHeader("x-forwarded-by");\r
- assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);\r
- \r
- String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();\r
- assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);\r
- \r
- String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();\r
- assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);\r
- \r
- String actualPostInvokeRemoteAddr = request.getRemoteAddr();\r
- assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);\r
- \r
- String actualPostInvokeRemoteHost = request.getRemoteHost();\r
- assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);\r
- }\r
- \r
- public void testInvokeAllProxiesAreTrustedOrInternal() throws Exception {\r
- \r
- // PREPARE\r
- RemoteIpValve remoteIpValve = new RemoteIpValve();\r
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");\r
- remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");\r
- remoteIpValve.setRemoteIpHeader("x-forwarded-for");\r
- remoteIpValve.setProxiesHeader("x-forwarded-by");\r
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();\r
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);\r
- \r
- Request request = new Request();\r
- request.setCoyoteRequest(new org.apache.coyote.Request());\r
- request.setRemoteAddr("192.168.0.10");\r
- request.setRemoteHost("remote-host-original-value");\r
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")\r
- .setString("140.211.11.130, proxy1, proxy2, 192.168.0.10, 192.168.0.11");\r
- \r
- // TEST\r
- remoteIpValve.invoke(request, null);\r
- \r
- // VERIFY\r
- String actualXForwardedFor = request.getHeader("x-forwarded-for");\r
- assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);\r
- \r
- String actualXForwardedBy = request.getHeader("x-forwarded-by");\r
- assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);\r
- \r
- String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();\r
- assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);\r
- \r
- String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();\r
- assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);\r
- \r
- String actualPostInvokeRemoteAddr = request.getRemoteAddr();\r
- assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);\r
- \r
- String actualPostInvokeRemoteHost = request.getRemoteHost();\r
- assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);\r
- }\r
- \r
- public void testInvokeAllProxiesAreInternal() throws Exception {\r
- \r
- // PREPARE\r
- RemoteIpValve remoteIpValve = new RemoteIpValve();\r
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");\r
- remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");\r
- remoteIpValve.setRemoteIpHeader("x-forwarded-for");\r
- remoteIpValve.setProxiesHeader("x-forwarded-by");\r
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();\r
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);\r
- \r
- Request request = new Request();\r
- request.setCoyoteRequest(new org.apache.coyote.Request());\r
- request.setRemoteAddr("192.168.0.10");\r
- request.setRemoteHost("remote-host-original-value");\r
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, 192.168.0.10, 192.168.0.11");\r
- \r
- // TEST\r
- remoteIpValve.invoke(request, null);\r
- \r
- // VERIFY\r
- String actualXForwardedFor = request.getHeader("x-forwarded-for");\r
- assertNull("all proxies are internal, x-forwarded-for must be null", actualXForwardedFor);\r
- \r
- String actualXForwardedBy = request.getHeader("x-forwarded-by");\r
- assertNull("all proxies are internal, x-forwarded-by must be null", actualXForwardedBy);\r
- \r
- String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();\r
- assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);\r
- \r
- String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();\r
- assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);\r
- \r
- String actualPostInvokeRemoteAddr = request.getRemoteAddr();\r
- assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);\r
- \r
- String actualPostInvokeRemoteHost = request.getRemoteHost();\r
- assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);\r
- }\r
- \r
- public void testInvokeAllProxiesAreTrustedAndRemoteAddrMatchRegexp() throws Exception {\r
- \r
- // PREPARE\r
- RemoteIpValve remoteIpValve = new RemoteIpValve();\r
- remoteIpValve.setInternalProxies("127\\.0\\.0\\.1, 192\\.168\\..*, another-internal-proxy");\r
- remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");\r
- remoteIpValve.setRemoteIpHeader("x-forwarded-for");\r
- remoteIpValve.setProxiesHeader("x-forwarded-by");\r
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();\r
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);\r
- \r
- Request request = new Request();\r
- request.setCoyoteRequest(new org.apache.coyote.Request());\r
- request.setRemoteAddr("192.168.0.10");\r
- request.setRemoteHost("remote-host-original-value");\r
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");\r
- \r
- // TEST\r
- remoteIpValve.invoke(request, null);\r
- \r
- // VERIFY\r
- String actualXForwardedFor = request.getHeader("x-forwarded-for");\r
- assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);\r
- \r
- String actualXForwardedBy = request.getHeader("x-forwarded-by");\r
- assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);\r
- \r
- String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();\r
- assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);\r
- \r
- String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();\r
- assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);\r
- \r
- String actualPostInvokeRemoteAddr = request.getRemoteAddr();\r
- assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);\r
- \r
- String actualPostInvokeRemoteHost = request.getRemoteHost();\r
- assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);\r
- }\r
- \r
- public void testInvokeNotAllowedRemoteAddr() throws Exception {\r
- // PREPARE\r
- RemoteIpValve remoteIpValve = new RemoteIpValve();\r
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");\r
- remoteIpValve.setTrustedProxies("proxy1,proxy2,proxy3");\r
- remoteIpValve.setRemoteIpHeader("x-forwarded-for");\r
- remoteIpValve.setProxiesHeader("x-forwarded-by");\r
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();\r
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);\r
- \r
- Request request = new Request();\r
- request.setCoyoteRequest(new org.apache.coyote.Request());\r
- request.setRemoteAddr("not-allowed-internal-proxy");\r
- request.setRemoteHost("not-allowed-internal-proxy-host");\r
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");\r
- \r
- // TEST\r
- remoteIpValve.invoke(request, null);\r
- \r
- // VERIFY\r
- String actualXForwardedFor = request.getHeader("x-forwarded-for");\r
- assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor);\r
- \r
- String actualXForwardedBy = request.getHeader("x-forwarded-by");\r
- assertNull("x-forwarded-by must be null", actualXForwardedBy);\r
- \r
- String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();\r
- assertEquals("remoteAddr", "not-allowed-internal-proxy", actualRemoteAddr);\r
- \r
- String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();\r
- assertEquals("remoteHost", "not-allowed-internal-proxy-host", actualRemoteHost);\r
- \r
- String actualPostInvokeRemoteAddr = request.getRemoteAddr();\r
- assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy", actualPostInvokeRemoteAddr);\r
- \r
- String actualPostInvokeRemoteHost = request.getRemoteHost();\r
- assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy-host", actualPostInvokeRemoteHost);\r
- }\r
- \r
- public void testInvokeUntrustedProxyInTheChain() throws Exception {\r
- // PREPARE\r
- RemoteIpValve remoteIpValve = new RemoteIpValve();\r
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");\r
- remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");\r
- remoteIpValve.setRemoteIpHeader("x-forwarded-for");\r
- remoteIpValve.setProxiesHeader("x-forwarded-by");\r
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();\r
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);\r
- \r
- Request request = new Request();\r
- request.setCoyoteRequest(new org.apache.coyote.Request());\r
- request.setRemoteAddr("192.168.0.10");\r
- request.setRemoteHost("remote-host-original-value");\r
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")\r
- .setString("140.211.11.130, proxy1, untrusted-proxy, proxy2");\r
- \r
- // TEST\r
- remoteIpValve.invoke(request, null);\r
- \r
- // VERIFY\r
- String actualXForwardedFor = request.getHeader("x-forwarded-for");\r
- assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130, proxy1", actualXForwardedFor);\r
- \r
- String actualXForwardedBy = request.getHeader("x-forwarded-by");\r
- assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "proxy2", actualXForwardedBy);\r
- \r
- String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();\r
- assertEquals("remoteAddr", "untrusted-proxy", actualRemoteAddr);\r
- \r
- String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();\r
- assertEquals("remoteHost", "untrusted-proxy", actualRemoteHost);\r
- \r
- String actualPostInvokeRemoteAddr = request.getRemoteAddr();\r
- assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);\r
- \r
- String actualPostInvokeRemoteHost = request.getRemoteHost();\r
- assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);\r
- }\r
- \r
- public void testListToCommaDelimitedString() {\r
- String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1, element2, element3");\r
- String[] expected = new String[] {\r
- "element1", "element2", "element3"\r
- };\r
- assertArrayEquals(expected, actual);\r
- }\r
- \r
- public void testListToCommaDelimitedStringMixedSpaceChars() {\r
- String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1 , element2,\t element3");\r
- String[] expected = new String[] {\r
- "element1", "element2", "element3"\r
- };\r
- assertArrayEquals(expected, actual);\r
- }\r
- \r
- private void assertArrayEquals(String[] expected, String[] actual) {\r
- if (expected == null) {\r
- assertNull(actual);\r
- return;\r
- }\r
- assertNotNull(actual);\r
- assertEquals(expected.length, actual.length);\r
- List<String> e = new ArrayList<String>();\r
- e.addAll(Arrays.asList(expected));\r
- List<String> a = new ArrayList<String>();\r
- a.addAll(Arrays.asList(actual));\r
- \r
- for (String entry : e) {\r
- assertTrue(a.remove(entry));\r
- }\r
- assertTrue(a.isEmpty());\r
- }\r
-}\r
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.valves;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.servlet.ServletException;
+
+import junit.framework.TestCase;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.valves.ValveBase;
+
+/**
+ * {@link RemoteIpValve} Tests
+ */
+public class RemoteIpValveTest extends TestCase {
+
+ static class RemoteAddrAndHostTrackerValve extends ValveBase {
+ private String remoteAddr;
+ private String remoteHost;
+
+ public String getRemoteAddr() {
+ return remoteAddr;
+ }
+
+ public String getRemoteHost() {
+ return remoteHost;
+ }
+
+ @Override
+ public void invoke(Request request, Response response) throws IOException, ServletException {
+ this.remoteHost = request.getRemoteHost();
+ this.remoteAddr = request.getRemoteAddr();
+ }
+ }
+
+ public void testCommaDelimitedListToStringArray() {
+ List<String> elements = Arrays.asList("element1", "element2", "element3");
+ String actual = RemoteIpValve.listToCommaDelimitedString(elements);
+ assertEquals("element1, element2, element3", actual);
+ }
+
+ public void testCommaDelimitedListToStringArrayEmptyList() {
+ List<String> elements = new ArrayList<String>();
+ String actual = RemoteIpValve.listToCommaDelimitedString(elements);
+ assertEquals("", actual);
+ }
+
+ public void testCommaDelimitedListToStringArrayNullList() {
+ String actual = RemoteIpValve.listToCommaDelimitedString(null);
+ assertEquals("", actual);
+ }
+
+ public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeader() throws Exception {
+ // PREPARE
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
+ remoteIpValve.setProxiesHeader("x-forwarded-by");
+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
+
+ Request request = new Request();
+ request.setCoyoteRequest(new org.apache.coyote.Request());
+ request.setRemoteAddr("192.168.0.10");
+ request.setRemoteHost("remote-host-original-value");
+
+ // TEST
+ remoteIpValve.invoke(request, null);
+
+ // VERIFY
+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
+ assertNull("x-forwarded-for must be null", actualXForwardedFor);
+
+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
+ assertNull("x-forwarded-by must be null", actualXForwardedBy);
+
+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
+ assertEquals("remoteAddr", "192.168.0.10", actualRemoteAddr);
+
+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
+ assertEquals("remoteHost", "remote-host-original-value", actualRemoteHost);
+
+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
+
+ String actualPostInvokeRemoteHost = request.getRemoteHost();
+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
+
+ }
+
+ public void testInvokeAllProxiesAreTrusted() throws Exception {
+
+ // PREPARE
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
+ remoteIpValve.setProxiesHeader("x-forwarded-by");
+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
+
+ Request request = new Request();
+ request.setCoyoteRequest(new org.apache.coyote.Request());
+ request.setRemoteAddr("192.168.0.10");
+ request.setRemoteHost("remote-host-original-value");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");
+
+ // TEST
+ remoteIpValve.invoke(request, null);
+
+ // VERIFY
+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
+ assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
+
+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
+ assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);
+
+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
+ assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
+
+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
+ assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
+
+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
+
+ String actualPostInvokeRemoteHost = request.getRemoteHost();
+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
+ }
+
+ public void testInvokeAllProxiesAreTrustedOrInternal() throws Exception {
+
+ // PREPARE
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
+ remoteIpValve.setProxiesHeader("x-forwarded-by");
+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
+
+ Request request = new Request();
+ request.setCoyoteRequest(new org.apache.coyote.Request());
+ request.setRemoteAddr("192.168.0.10");
+ request.setRemoteHost("remote-host-original-value");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
+ .setString("140.211.11.130, proxy1, proxy2, 192.168.0.10, 192.168.0.11");
+
+ // TEST
+ remoteIpValve.invoke(request, null);
+
+ // VERIFY
+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
+ assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
+
+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
+ assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);
+
+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
+ assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
+
+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
+ assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
+
+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
+
+ String actualPostInvokeRemoteHost = request.getRemoteHost();
+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
+ }
+
+ public void testInvokeAllProxiesAreInternal() throws Exception {
+
+ // PREPARE
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
+ remoteIpValve.setProxiesHeader("x-forwarded-by");
+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
+
+ Request request = new Request();
+ request.setCoyoteRequest(new org.apache.coyote.Request());
+ request.setRemoteAddr("192.168.0.10");
+ request.setRemoteHost("remote-host-original-value");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, 192.168.0.10, 192.168.0.11");
+
+ // TEST
+ remoteIpValve.invoke(request, null);
+
+ // VERIFY
+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
+ assertNull("all proxies are internal, x-forwarded-for must be null", actualXForwardedFor);
+
+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
+ assertNull("all proxies are internal, x-forwarded-by must be null", actualXForwardedBy);
+
+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
+ assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
+
+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
+ assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
+
+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
+
+ String actualPostInvokeRemoteHost = request.getRemoteHost();
+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
+ }
+
+ public void testInvokeAllProxiesAreTrustedAndRemoteAddrMatchRegexp() throws Exception {
+
+ // PREPARE
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ remoteIpValve.setInternalProxies("127\\.0\\.0\\.1, 192\\.168\\..*, another-internal-proxy");
+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
+ remoteIpValve.setProxiesHeader("x-forwarded-by");
+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
+
+ Request request = new Request();
+ request.setCoyoteRequest(new org.apache.coyote.Request());
+ request.setRemoteAddr("192.168.0.10");
+ request.setRemoteHost("remote-host-original-value");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");
+
+ // TEST
+ remoteIpValve.invoke(request, null);
+
+ // VERIFY
+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
+ assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
+
+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
+ assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy);
+
+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
+ assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr);
+
+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
+ assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
+
+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
+
+ String actualPostInvokeRemoteHost = request.getRemoteHost();
+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
+ }
+
+ public void testInvokeNotAllowedRemoteAddr() throws Exception {
+ // PREPARE
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ remoteIpValve.setTrustedProxies("proxy1,proxy2,proxy3");
+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
+ remoteIpValve.setProxiesHeader("x-forwarded-by");
+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
+
+ Request request = new Request();
+ request.setCoyoteRequest(new org.apache.coyote.Request());
+ request.setRemoteAddr("not-allowed-internal-proxy");
+ request.setRemoteHost("not-allowed-internal-proxy-host");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2");
+
+ // TEST
+ remoteIpValve.invoke(request, null);
+
+ // VERIFY
+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
+ assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor);
+
+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
+ assertNull("x-forwarded-by must be null", actualXForwardedBy);
+
+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
+ assertEquals("remoteAddr", "not-allowed-internal-proxy", actualRemoteAddr);
+
+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
+ assertEquals("remoteHost", "not-allowed-internal-proxy-host", actualRemoteHost);
+
+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
+ assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy", actualPostInvokeRemoteAddr);
+
+ String actualPostInvokeRemoteHost = request.getRemoteHost();
+ assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy-host", actualPostInvokeRemoteHost);
+ }
+
+ public void testInvokeUntrustedProxyInTheChain() throws Exception {
+ // PREPARE
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
+ remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
+ remoteIpValve.setRemoteIpHeader("x-forwarded-for");
+ remoteIpValve.setProxiesHeader("x-forwarded-by");
+ RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
+ remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
+
+ Request request = new Request();
+ request.setCoyoteRequest(new org.apache.coyote.Request());
+ request.setRemoteAddr("192.168.0.10");
+ request.setRemoteHost("remote-host-original-value");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
+ .setString("140.211.11.130, proxy1, untrusted-proxy, proxy2");
+
+ // TEST
+ remoteIpValve.invoke(request, null);
+
+ // VERIFY
+ String actualXForwardedFor = request.getHeader("x-forwarded-for");
+ assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130, proxy1", actualXForwardedFor);
+
+ String actualXForwardedBy = request.getHeader("x-forwarded-by");
+ assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "proxy2", actualXForwardedBy);
+
+ String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
+ assertEquals("remoteAddr", "untrusted-proxy", actualRemoteAddr);
+
+ String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost();
+ assertEquals("remoteHost", "untrusted-proxy", actualRemoteHost);
+
+ String actualPostInvokeRemoteAddr = request.getRemoteAddr();
+ assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr);
+
+ String actualPostInvokeRemoteHost = request.getRemoteHost();
+ assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
+ }
+
+ public void testListToCommaDelimitedString() {
+ String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1, element2, element3");
+ String[] expected = new String[] {
+ "element1", "element2", "element3"
+ };
+ assertArrayEquals(expected, actual);
+ }
+
+ public void testListToCommaDelimitedStringMixedSpaceChars() {
+ String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1 , element2,\t element3");
+ String[] expected = new String[] {
+ "element1", "element2", "element3"
+ };
+ assertArrayEquals(expected, actual);
+ }
+
+ private void assertArrayEquals(String[] expected, String[] actual) {
+ if (expected == null) {
+ assertNull(actual);
+ return;
+ }
+ assertNotNull(actual);
+ assertEquals(expected.length, actual.length);
+ List<String> e = new ArrayList<String>();
+ e.addAll(Arrays.asList(expected));
+ List<String> a = new ArrayList<String>();
+ a.addAll(Arrays.asList(actual));
+
+ for (String entry : e) {
+ assertTrue(a.remove(entry));
+ }
+ assertTrue(a.isEmpty());
+ }
+}
projects / tomcat7.0 / commitdiff