From 399327274bf720b5d03ca6deae5d4e2b59f4a3ea Mon Sep 17 00:00:00 2001 From: markt Date: Tue, 2 Feb 2010 13:25:42 +0000 Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48647 RemoteIpFilter : request.secure and request.scheme are not forced to "false" and "http" if X-Forwarded-Proto=http Patch provided by Cyrille Le Clerc git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@905625 13f79535-47bb-0310-9956-ffa450edef68 --- .../apache/catalina/filters/RemoteIpFilter.java | 53 ++++++++++++++++++++-- webapps/docs/config/filter.xml | 19 +++++++- 2 files changed, 67 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java b/java/org/apache/catalina/filters/RemoteIpFilter.java index 9f0d20dc8..e54a5effa 100644 --- a/java/org/apache/catalina/filters/RemoteIpFilter.java +++ b/java/org/apache/catalina/filters/RemoteIpFilter.java @@ -138,6 +138,19 @@ import org.apache.juli.logging.LogFactory; * https * * + * httpServerPort + * Value returned by {@link ServletRequest#getServerPort()} when the protocolHeader indicates http protocol + * N/A + * integer + * 80 + * + * + * httpsServerPort + * Value returned by {@link ServletRequest#getServerPort()} when the protocolHeader indicates https protocol + * N/A + * integer + * 443 + * * *

*

@@ -575,6 +588,8 @@ public class RemoteIpFilter implements Filter { */ private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*"); + protected static final String HTTP_SERVER_PORT_PARAMETER = "httpServerPort"; + protected static final String HTTPS_SERVER_PORT_PARAMETER = "httpsServerPort"; protected static final String INTERNAL_PROXIES_PARAMETER = "internalProxies"; @@ -655,10 +670,15 @@ public class RemoteIpFilter implements Filter { } /** + * @see #setHttpServerPort(int) + */ + private int httpServerPort = 80; + + /** * @see #setHttpsServerPort(int) */ private int httpsServerPort = 443; - + /** * @see #setInternalProxies(String) */ @@ -744,10 +764,16 @@ public class RemoteIpFilter implements Filter { if (protocolHeader != null) { String protocolHeaderValue = request.getHeader(protocolHeader); - if (protocolHeaderValue != null && protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) { + if (protocolHeaderValue == null) { + // don't modify the secure,scheme and serverPort attributes of the request + } else if (protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) { xRequest.setSecure(true); xRequest.setScheme("https"); xRequest.setServerPort(httpsServerPort); + } else { + xRequest.setSecure(false); + xRequest.setScheme("http"); + xRequest.setServerPort(httpServerPort); } } 
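Review bot: In the `@@ -744` hunk, the new `else` branch downgrades the request to `setSecure(false)` / `"http"` for every non-null header value that is not exactly `protocolHeaderHttpsValue`. That includes an empty string, a value with surrounding whitespace, and a list such as `https, https`, which chained proxies may produce by appending. Failing to non-secure is the safer direction, but the branch should say so, e.g. `// any other value (empty, padded, multi-valued) is treated as http: fail to non-secure`, and comparing against `protocolHeaderValue.trim()` would avoid a spurious downgrade. The enclosing block starts outside this hunk, so it is not visible here whether the header is honoured only for requests that arrived through a trusted proxy; that is worth confirming, since otherwise the client controls `secure`, `scheme` and `serverPort`.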
@@ -832,17 +858,38 @@ public class RemoteIpFilter implements Filter { setTrustedProxies(filterConfig.getInitParameter(TRUSTED_PROXIES_PARAMETER)); } + if (filterConfig.getInitParameter(HTTP_SERVER_PORT_PARAMETER) != null) { + try { + setHttpServerPort(Integer.parseInt(filterConfig.getInitParameter(HTTP_SERVER_PORT_PARAMETER))); + } catch (NumberFormatException e) { + throw new NumberFormatException("Illegal " + HTTP_SERVER_PORT_PARAMETER + " : " + e.getMessage()); + } + } + if (filterConfig.getInitParameter(HTTPS_SERVER_PORT_PARAMETER) != null) { try { setHttpsServerPort(Integer.parseInt(filterConfig.getInitParameter(HTTPS_SERVER_PORT_PARAMETER))); } catch (NumberFormatException e) { - throw new NumberFormatException("Illegal serverPort : " + e.getMessage()); + throw new NumberFormatException("Illegal " + HTTPS_SERVER_PORT_PARAMETER + " : " + e.getMessage()); } } } /** *

+ * Server Port value if the {@link #protocolHeader} indicates HTTP (i.e. {@link #protocolHeader} is not null and + * has a value different of {@link #protocolHeaderHttpsValue}). + *

+ *

+ * Default value : 80 + *

+ */ + public void setHttpServerPort(int httpServerPort) { + this.httpServerPort = httpServerPort; + } + + /** + *

* Server Port value if the {@link #protocolHeader} indicates HTTPS *

*
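Review bot: The new `httpServerPort` block in `@@ -832` (and the existing `httpsServerPort` block after it) accepts any integer that `Integer.parseInt` returns, so `0`, a negative number or a value above 65535 becomes the result of `getServerPort()` and presumably ends up in any URL built from it. A range check in `setHttpServerPort` would reject a bad filter configuration at start-up, e.g. `if (httpServerPort < 1 || httpServerPort > 65535) throw new IllegalArgumentException("Illegal " + HTTP_SERVER_PORT_PARAMETER + " : " + httpServerPort);`. The rethrown `NumberFormatException` keeps only `e.getMessage()`; chaining the original with `initCause(e)` would preserve its stack trace. The method that reads the init parameters starts outside this hunk.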

diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml index f28ecf31b..1b32abb8a 100644 --- a/webapps/docs/config/filter.xml +++ b/webapps/docs/config/filter.xml @@ -205,8 +205,9 @@ via a request headers (e.g. "X-Forwarded-For").

Another feature of this filter is to replace the apparent scheme - (http/https) and server port with the scheme presented by a proxy or a load - balancer via a request header (e.g. "X-Forwarded-Proto").

+ (http/https), server port and request.secure with the scheme presented + by a proxy or a load balancer via a request header + (e.g. "X-Forwarded-Proto").

If used in conjunction with Remote Address/Host filters then this filter should be defined first to ensure that the correct client IP address is @@ -272,6 +273,20 @@ used.

+ +

Value returned by ServletRequest.getServerPort() + when the protocolHeader indicates http + protocol. If not specified, the default of 80 is + used.

+
+ + +

Value returned by ServletRequest.getServerPort() + when the protocolHeader indicates https + protocol. If not specified, the default of 443 is + used.

+
+ -- 2.11.0