| <?xml version="1.0"?> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| ]> |
| <document url="valve.html"> |
| |
| &project; |
| |
| <properties> |
| <author email="craigmcc@apache.org">Craig R. McClanahan</author> |
| <title>The Valve Component</title> |
| </properties> |
| |
| <body> |
| |
| |
| <section name="Introduction"> |
| |
| <p>A <strong>Valve</strong> element represents a component that will be |
| inserted into the request processing pipeline for the associated |
| Catalina container (<a href="engine.html">Engine</a>, |
| <a href="host.html">Host</a>, or <a href="context.html">Context</a>). |
| Individual Valves have distinct processing capabilities, and are |
| described individually below.</p> |
| |
| <blockquote><em> |
| <p>The description below uses the variable name $CATALINA_HOME |
| to refer to the directory into which you have installed Tomcat 5, |
| and is the base directory against which most relative paths are |
| resolved. However, if you have configured Tomcat 5 for multiple |
| instances by setting a CATALINA_BASE directory, you should use |
| $CATALINA_BASE instead of $CATALINA_HOME for each of these |
| references.</p> |
| </em></blockquote> |
| |
| </section> |
| |
| |
| <section name="Access Log Valve"> |
| |
| <subsection name="Introduction"> |
| |
| <p>The <strong>Access Log Valve</strong> creates log files in the same |
| format as those created by standard web servers. These logs can later |
| be analyzed by standard log analysis tools to track page hit counts, |
| user session activity, and so on. The Access Log Valve shares many |
| configuration and behavior characteristics of the |
| <a href="logger.html#Standard Implementation">File Logger</a>, including |
| the automatic rollover of log files at midnight each night. An |
| Access Log Valve can be associated with any Catalina container, and |
| will record ALL requests processed by that container.</p> |
| |
| </subsection> |
| |
| <subsection name="Attributes"> |
| |
| <p>The <strong>Access Log Valve</strong> supports the following |
| configuration attributes:</p> |
| |
| <attributes> |
| |
| <attribute name="className" required="true"> |
| <p>Java class name of the implementation to use. This MUST be set to |
| <strong>org.apache.catalina.valves.AccessLogValve</strong>.</p> |
| </attribute> |
| |
| <attribute name="directory" required="false"> |
| <p>Absolute or relative pathname of a directory in which log files |
| created by this valve will be placed. If a relative path is |
| specified, it is interpreted as relative to $CATALINA_HOME. If |
| no directory attribute is specified, the default value is "logs" |
| (relative to $CATALINA_HOME).</p> |
| </attribute> |
| |
| <attribute name="pattern" required="false"> |
| <p>A formatting layout identifying the various information fields |
| from the request and response to be logged, or the word |
| <code>common</code> or <code>combined</code> to select a |
| standard format. See below for more information on configuring |
| this attribute.</p> |
| </attribute> |
| |
| <attribute name="prefix" required="false"> |
| <p>The prefix added to the start of each log file's name. If not |
| specified, the default value is "access_log.". To specify no prefix, |
| use a zero-length string.</p> |
| </attribute> |
| |
| <attribute name="resolveHosts" required="false"> |
| <p>Set to <code>true</code> to convert the IP address of the remote |
| host into the corresponding host name via a DNS lookup. Set to |
| <code>false</code> to skip this lookup, and report the remote IP |
| address instead.</p> |
| </attribute> |
| |
| <attribute name="suffix" required="false"> |
| <p>The suffix added to the end of each log file's name. If not |
| specified, the default value is "". To specify no suffix, |
| use a zero-length string.</p> |
| </attribute> |
| |
| <attribute name="rotatable" required="false"> |
| <p>Deafult true. Flag to determine if log rotation should occur. |
| If set to false, then this file is never rotated and |
| <tt>fileDateFormat</tt> is ignored. Use with caution! |
| </p> |
| </attribute> |
| |
| <attribute name="condition" required="false"> |
| <p>Turns on conditional logging. If set, requests will be |
| logged only if <tt>ServletRequest.getAttribute()</tt> is |
| null. For example, if this value is set to |
| <tt>junk</tt>, then a particular request will only be logged |
| if <tt>ServletRequest.getAttribute("junk") == null</tt>. |
| The use of Filters is an easy way to set/unset the attribute |
| in the ServletRequest on many different requests. |
| </p> |
| </attribute> |
| |
| <attribute name="fileDateFormat" required="false"> |
| <p>Allows a customized date format in the access log file name. |
| The date format also decides how often the file is rotated. |
| If you wish to rotate every hour, then set this value |
| to: <tt>yyyy-MM-dd.HH</tt> |
| </p> |
| </attribute> |
| |
| </attributes> |
| |
| <p>Values for the <code>pattern</code> attribute are made up of literal |
| text strings, combined with pattern identifiers prefixed by the "%" |
| character to cause replacement by the corresponding variable value from |
| the current request and response. The following pattern codes are |
| supported:</p> |
| <ul> |
| <li><b>%a</b> - Remote IP address</li> |
| <li><b>%A</b> - Local IP address</li> |
| <li><b>%b</b> - Bytes sent, excluding HTTP headers, or '-' if zero</li> |
| <li><b>%B</b> - Bytes sent, excluding HTTP headers</li> |
| <li><b>%h</b> - Remote host name (or IP address if |
| <code>resolveHosts</code> is false)</li> |
| <li><b>%H</b> - Request protocol</li> |
| <li><b>%l</b> - Remote logical username from identd (always returns |
| '-')</li> |
| <li><b>%m</b> - Request method (GET, POST, etc.)</li> |
| <li><b>%p</b> - Local port on which this request was received</li> |
| <li><b>%q</b> - Query string (prepended with a '?' if it exists)</li> |
| <li><b>%r</b> - First line of the request (method and request URI)</li> |
| <li><b>%s</b> - HTTP status code of the response</li> |
| <li><b>%S</b> - User session ID</li> |
| <li><b>%t</b> - Date and time, in Common Log Format</li> |
| <li><b>%u</b> - Remote user that was authenticated (if any), else '-'</li> |
| <li><b>%U</b> - Requested URL path</li> |
| <li><b>%v</b> - Local server name</li> |
| <li><b>%D</b> - Time taken to process the request, in millis</li> |
| <li><b>%T</b> - Time taken to process the request, in seconds</li> |
| </ul> |
| |
| <p> |
| There is also support to write information from the cookie, incoming |
| header, the Session or something else in the ServletRequest. |
| It is modeled after the apache syntax: |
| <ul> |
| <li><b><code>%{xxx}i</code></b> for incoming headers</li> |
| <li><b><code>%{xxx}c</code></b> for a specific cookie</li> |
| <li><b><code>%{xxx}r</code></b> xxx is an attribute in the ServletRequest</li> |
| <li><b><code>%{xxx}s</code></b> xxx is an attribute in the HttpSession</li> |
| </ul> |
| </p> |
| |
| |
| <p>The shorthand pattern name <code>common</code> (which is also the |
| default) corresponds to <strong>%h %l %u %t "%r" %s %b"</strong>.</p> |
| |
| <p>The shorthand pattern name <code>combined</code> appends the |
| values of the <code>Referer</code> and <code>User-Agent</code> headers, |
| each in double quotes, to the <code>common</code> pattern |
| described in the previous paragraph.</p> |
| |
| </subsection> |
| |
| </section> |
| |
| |
| <section name="Remote Address Filter"> |
| |
| <subsection name="Introduction"> |
| |
| <p>The <strong>Remote Address Filter</strong> allows you to compare the |
| IP address of the client that submitted this request against one or more |
| <em>regular expressions</em>, and either allow the request to continue |
| or refuse to process the request from this client. A Remote Address |
| Filter can be associated with any Catalina container |
| (<a href="engine.html">Engine</a>, <a href="host.html">Host</a>, or |
| <a href="context.html">Context</a>), and must accept any request |
| presented to this container for processing before it will be passed on.</p> |
| |
| <p>The syntax for <em>regular expressions</em> is different than that for |
| 'standard' wildcard matching. Tomcat uses the |
| <a href="http://jakarta.apache.org/regexp/">Jakarta Regexp</a> library. |
| Please consult the Regexp documentation for details of the expressions |
| supported.</p> |
| |
| </subsection> |
| |
| <subsection name="Attributes"> |
| |
| <p>The <strong>Remote Address Filter</strong> supports the following |
| configuration attributes:</p> |
| |
| <attributes> |
| |
| <attribute name="className" required="true"> |
| <p>Java class name of the implementation to use. This MUST be set to |
| <strong>org.apache.catalina.valves.RemoteAddrValve</strong>.</p> |
| </attribute> |
| |
| <attribute name="allow" required="false"> |
| <p>A comma-separated list of <em>regular expression</em> patterns |
| that the remote client's IP address is compared to. If this attribute |
| is specified, the remote address MUST match for this request to be |
| accepted. If this attribute is not specified, all requests will be |
| accepted UNLESS the remote address matches a <code>deny</code> |
| pattern.</p> |
| </attribute> |
| |
| <attribute name="deny" required="false"> |
| <p>A comma-separated list of <em>regular expression</em> patterns |
| that the remote client's IP address is compared to. If this attribute |
| is specified, the remote address MUST NOT match for this request to be |
| accepted. If this attribute is not specified, request acceptance is |
| governed solely by the <code>accept</code> attribute.</p> |
| </attribute> |
| |
| </attributes> |
| |
| </subsection> |
| |
| </section> |
| |
| |
| <section name="Remote Host Filter"> |
| |
| <subsection name="Introduction"> |
| |
| <p>The <strong>Remote Host Filter</strong> allows you to compare the |
| hostname of the client that submitted this request against one or more |
| <em>regular expressions</em>, and either allow the request to continue |
| or refuse to process the request from this client. A Remote Host |
| Filter can be associated with any Catalina container |
| (<a href="engine.html">Engine</a>, <a href="host.html">Host</a>, or |
| <a href="context.html">Context</a>), and must accept any request |
| presented to this container for processing before it will be passed on.</p> |
| |
| <p>The syntax for <em>regular expressions</em> is different than that for |
| 'standard' wildcard matching. Tomcat uses the |
| <a href="http://jakarta.apache.org/regexp/">Jakarta Regexp</a> library. |
| Please consult the Regexp documentation for details of the expressions |
| supported.</p> |
| |
| </subsection> |
| |
| <subsection name="Attributes"> |
| |
| <p>The <strong>Remote Host Filter</strong> supports the following |
| configuration attributes:</p> |
| |
| <attributes> |
| |
| <attribute name="className" required="true"> |
| <p>Java class name of the implementation to use. This MUST be set to |
| <strong>org.apache.catalina.valves.RemoteHostValve</strong>.</p> |
| </attribute> |
| |
| <attribute name="allow" required="false"> |
| <p>A comma-separated list of <em>regular expression</em> patterns |
| that the remote client's hostname is compared to. If this attribute |
| is specified, the remote hostname MUST match for this request to be |
| accepted. If this attribute is not specified, all requests will be |
| accepted UNLESS the remote hostname matches a <code>deny</code> |
| pattern.</p> |
| </attribute> |
| |
| <attribute name="deny" required="false"> |
| <p>A comma-separated list of <em>regular expression</em> patterns |
| that the remote client's hostname is compared to. If this attribute |
| is specified, the remote hostname MUST NOT match for this request to be |
| accepted. If this attribute is not specified, request acceptance is |
| governed solely by the <code>accept</code> attribute.</p> |
| </attribute> |
| |
| </attributes> |
| |
| </subsection> |
| |
| </section> |
| |
| |
| <section name="Request Dumper Valve"> |
| |
| |
| <subsection name="Introduction"> |
| |
| <p>The <em>Request Dumper Valve</em> is a useful tool in debugging |
| interactions with a client application (or browser) that is sending |
| HTTP requests to your Tomcat-based server. When configured, it causes |
| details about each request processed by its associated Engine, Host, |
| or Context to be logged to the <a href="logger.html">Logger</a> that |
| corresponds to that container.</p> |
| |
| <p><strong>WARNING: Using this valve has side-effects.</strong> |
| The |
| output from this valve includes any parameters included with the request. |
| The parameters will be decoded using the default platform encoding. Any |
| subsequent calls to <code>request.setCharacterEncoding()</code> within |
| the web application will have no effect.</p> |
| |
| </subsection> |
| |
| |
| <subsection name="Attributes"> |
| |
| <p>The <strong>Request Dumper Valve</strong> supports the following |
| configuration attributes:</p> |
| |
| <attributes> |
| |
| <attribute name="className" required="true"> |
| <p>Java class name of the implementation to use. This MUST be set to |
| <strong>org.apache.catalina.valves.RequestDumperValve</strong>.</p> |
| </attribute> |
| |
| </attributes> |
| |
| </subsection> |
| |
| |
| </section> |
| |
| |
| <section name="Single Sign On Valve"> |
| |
| <subsection name="Introduction"> |
| |
| <p>The <em>Single Sign On Vale</em> is utilized when you wish to give users |
| the ability to sign on to any one of the web applications associated with |
| your virtual host, and then have their identity recognized by all other |
| web applications on the same virtual host.</p> |
| |
| <p>See the <a href="host.html#Single Sign On">Single Sign On</a> special |
| feature on the <strong>Host</strong> element for more information.</p> |
| |
| </subsection> |
| |
| |
| <subsection name="Attributes"> |
| |
| <p>The <strong>Single Sign On</strong> Valve supports the following |
| configuration attributes:</p> |
| |
| <attributes> |
| |
| <attribute name="className" required="true"> |
| <p>Java class name of the implementation to use. This MUST be set to |
| <strong>org.apache.catalina.authenticator.SingleSignOn</strong>.</p> |
| </attribute> |
| |
| <attribute name="requireReauthentication" required="false"> |
| <p>Default false. Flag to determine whether each request needs to be |
| reauthenticated to the security <strong>Realm</strong>. If "true", this |
| Valve uses cached security credentials (username and password) to |
| reauthenticate to the <strong>Realm</strong> each request associated |
| with an SSO session. If "false", the Valve can itself authenticate |
| requests based on the presence of a valid SSO cookie, without |
| rechecking with the <strong>Realm</strong>.</p> |
| </attribute> |
| |
| |
| </attributes> |
| |
| </subsection> |
| |
| |
| </section> |
| |
| |
| </body> |
| |
| |
| </document> |