Google Git
Sign in
apache / tomcat55 / 3f732334a502a5c9164e35535c003afc495a4f84 / . / container / webapps / docs / config / valve.xml
blob: b5d669c8620b794659419e2f27eb48a9bd6bed83 [file] [log] [blame]
<?xml version="1.0"?>
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
]>
<document url="valve.html">
&project;
<properties>
<author email="craigmcc@apache.org">Craig R. McClanahan</author>
<title>The Valve Component</title>
</properties>
<body>
<section name="Introduction">
<p>A <strong>Valve</strong> element represents a component that will be
inserted into the request processing pipeline for the associated
Catalina container (<a href="engine.html">Engine</a>,
<a href="host.html">Host</a>, or <a href="context.html">Context</a>).
Individual Valves have distinct processing capabilities, and are
described individually below.</p>
<blockquote><em>
<p>The description below uses the variable name $CATALINA_HOME
to refer to the directory into which you have installed Tomcat 5,
and is the base directory against which most relative paths are
resolved. However, if you have configured Tomcat 5 for multiple
instances by setting a CATALINA_BASE directory, you should use
$CATALINA_BASE instead of $CATALINA_HOME for each of these
references.</p>
</em></blockquote>
</section>
<section name="Access Log Valve">
<subsection name="Introduction">
<p>The <strong>Access Log Valve</strong> creates log files in the same
format as those created by standard web servers. These logs can later
be analyzed by standard log analysis tools to track page hit counts,
user session activity, and so on. The Access Log Valve shares many
configuration and behavior characteristics of the
<a href="logger.html#Standard Implementation">File Logger</a>, including
the automatic rollover of log files at midnight each night. An
Access Log Valve can be associated with any Catalina container, and
will record ALL requests processed by that container.</p>
</subsection>
<subsection name="Attributes">
<p>The <strong>Access Log Valve</strong> supports the following
configuration attributes:</p>
<attributes>
<attribute name="className" required="true">
<p>Java class name of the implementation to use. This MUST be set to
<strong>org.apache.catalina.valves.AccessLogValve</strong>.</p>
</attribute>
<attribute name="directory" required="false">
<p>Absolute or relative pathname of a directory in which log files
created by this valve will be placed. If a relative path is
specified, it is interpreted as relative to $CATALINA_HOME. If
no directory attribute is specified, the default value is "logs"
(relative to $CATALINA_HOME).</p>
</attribute>
<attribute name="pattern" required="false">
<p>A formatting layout identifying the various information fields
from the request and response to be logged, or the word
<code>common</code> or <code>combined</code> to select a
standard format. See below for more information on configuring
this attribute.</p>
</attribute>
<attribute name="prefix" required="false">
<p>The prefix added to the start of each log file's name. If not
specified, the default value is "access_log.". To specify no prefix,
use a zero-length string.</p>
</attribute>
<attribute name="resolveHosts" required="false">
<p>Set to <code>true</code> to convert the IP address of the remote
host into the corresponding host name via a DNS lookup. Set to
<code>false</code> to skip this lookup, and report the remote IP
address instead.</p>
</attribute>
<attribute name="suffix" required="false">
<p>The suffix added to the end of each log file's name. If not
specified, the default value is "". To specify no suffix,
use a zero-length string.</p>
</attribute>
<attribute name="rotatable" required="false">
<p>Deafult true. Flag to determine if log rotation should occur.
If set to false, then this file is never rotated and
<tt>fileDateFormat</tt> is ignored. Use with caution!
</p>
</attribute>
<attribute name="condition" required="false">
<p>Turns on conditional logging. If set, requests will be
logged only if <tt>ServletRequest.getAttribute()</tt> is
null. For example, if this value is set to
<tt>junk</tt>, then a particular request will only be logged
if <tt>ServletRequest.getAttribute("junk") == null</tt>.
The use of Filters is an easy way to set/unset the attribute
in the ServletRequest on many different requests.
</p>
</attribute>
<attribute name="fileDateFormat" required="false">
<p>Allows a customized date format in the access log file name.
The date format also decides how often the file is rotated.
If you wish to rotate every hour, then set this value
to: <tt>yyyy-MM-dd.HH</tt>
</p>
</attribute>
</attributes>
<p>Values for the <code>pattern</code> attribute are made up of literal
text strings, combined with pattern identifiers prefixed by the "%"
character to cause replacement by the corresponding variable value from
the current request and response. The following pattern codes are
supported:</p>
<ul>
<li><b>%a</b> - Remote IP address</li>
<li><b>%A</b> - Local IP address</li>
<li><b>%b</b> - Bytes sent, excluding HTTP headers, or '-' if zero</li>
<li><b>%B</b> - Bytes sent, excluding HTTP headers</li>
<li><b>%h</b> - Remote host name (or IP address if
<code>resolveHosts</code> is false)</li>
<li><b>%H</b> - Request protocol</li>
<li><b>%l</b> - Remote logical username from identd (always returns
'-')</li>
<li><b>%m</b> - Request method (GET, POST, etc.)</li>
<li><b>%p</b> - Local port on which this request was received</li>
<li><b>%q</b> - Query string (prepended with a '?' if it exists)</li>
<li><b>%r</b> - First line of the request (method and request URI)</li>
<li><b>%s</b> - HTTP status code of the response</li>
<li><b>%S</b> - User session ID</li>
<li><b>%t</b> - Date and time, in Common Log Format</li>
<li><b>%u</b> - Remote user that was authenticated (if any), else '-'</li>
<li><b>%U</b> - Requested URL path</li>
<li><b>%v</b> - Local server name</li>
<li><b>%D</b> - Time taken to process the request, in millis</li>
<li><b>%T</b> - Time taken to process the request, in seconds</li>
</ul>
<p>
There is also support to write information from the cookie, incoming
header, the Session or something else in the ServletRequest.
It is modeled after the apache syntax:
<ul>
<li><b><code>%{xxx}i</code></b> for incoming headers</li>
<li><b><code>%{xxx}c</code></b> for a specific cookie</li>
<li><b><code>%{xxx}r</code></b> xxx is an attribute in the ServletRequest</li>
<li><b><code>%{xxx}s</code></b> xxx is an attribute in the HttpSession</li>
</ul>
</p>
<p>The shorthand pattern name <code>common</code> (which is also the
default) corresponds to <strong>%h %l %u %t "%r" %s %b"</strong>.</p>
<p>The shorthand pattern name <code>combined</code> appends the
values of the <code>Referer</code> and <code>User-Agent</code> headers,
each in double quotes, to the <code>common</code> pattern
described in the previous paragraph.</p>
</subsection>
</section>
<section name="Remote Address Filter">
<subsection name="Introduction">
<p>The <strong>Remote Address Filter</strong> allows you to compare the
IP address of the client that submitted this request against one or more
<em>regular expressions</em>, and either allow the request to continue
or refuse to process the request from this client. A Remote Address
Filter can be associated with any Catalina container
(<a href="engine.html">Engine</a>, <a href="host.html">Host</a>, or
<a href="context.html">Context</a>), and must accept any request
presented to this container for processing before it will be passed on.</p>
<p>The syntax for <em>regular expressions</em> is different than that for
'standard' wildcard matching. Tomcat uses the
<a href="http://jakarta.apache.org/regexp/">Jakarta Regexp</a> library.
Please consult the Regexp documentation for details of the expressions
supported.</p>
</subsection>
<subsection name="Attributes">
<p>The <strong>Remote Address Filter</strong> supports the following
configuration attributes:</p>
<attributes>
<attribute name="className" required="true">
<p>Java class name of the implementation to use. This MUST be set to
<strong>org.apache.catalina.valves.RemoteAddrValve</strong>.</p>
</attribute>
<attribute name="allow" required="false">
<p>A comma-separated list of <em>regular expression</em> patterns
that the remote client's IP address is compared to. If this attribute
is specified, the remote address MUST match for this request to be
accepted. If this attribute is not specified, all requests will be
accepted UNLESS the remote address matches a <code>deny</code>
pattern.</p>
</attribute>
<attribute name="deny" required="false">
<p>A comma-separated list of <em>regular expression</em> patterns
that the remote client's IP address is compared to. If this attribute
is specified, the remote address MUST NOT match for this request to be
accepted. If this attribute is not specified, request acceptance is
governed solely by the <code>accept</code> attribute.</p>
</attribute>
</attributes>
</subsection>
</section>
<section name="Remote Host Filter">
<subsection name="Introduction">
<p>The <strong>Remote Host Filter</strong> allows you to compare the
hostname of the client that submitted this request against one or more
<em>regular expressions</em>, and either allow the request to continue
or refuse to process the request from this client. A Remote Host
Filter can be associated with any Catalina container
(<a href="engine.html">Engine</a>, <a href="host.html">Host</a>, or
<a href="context.html">Context</a>), and must accept any request
presented to this container for processing before it will be passed on.</p>
<p>The syntax for <em>regular expressions</em> is different than that for
'standard' wildcard matching. Tomcat uses the
<a href="http://jakarta.apache.org/regexp/">Jakarta Regexp</a> library.
Please consult the Regexp documentation for details of the expressions
supported.</p>
</subsection>
<subsection name="Attributes">
<p>The <strong>Remote Host Filter</strong> supports the following
configuration attributes:</p>
<attributes>
<attribute name="className" required="true">
<p>Java class name of the implementation to use. This MUST be set to
<strong>org.apache.catalina.valves.RemoteHostValve</strong>.</p>
</attribute>
<attribute name="allow" required="false">
<p>A comma-separated list of <em>regular expression</em> patterns
that the remote client's hostname is compared to. If this attribute
is specified, the remote hostname MUST match for this request to be
accepted. If this attribute is not specified, all requests will be
accepted UNLESS the remote hostname matches a <code>deny</code>
pattern.</p>
</attribute>
<attribute name="deny" required="false">
<p>A comma-separated list of <em>regular expression</em> patterns
that the remote client's hostname is compared to. If this attribute
is specified, the remote hostname MUST NOT match for this request to be
accepted. If this attribute is not specified, request acceptance is
governed solely by the <code>accept</code> attribute.</p>
</attribute>
</attributes>
</subsection>
</section>
<section name="Request Dumper Valve">
<subsection name="Introduction">
<p>The <em>Request Dumper Valve</em> is a useful tool in debugging
interactions with a client application (or browser) that is sending
HTTP requests to your Tomcat-based server. When configured, it causes
details about each request processed by its associated Engine, Host,
or Context to be logged to the <a href="logger.html">Logger</a> that
corresponds to that container.</p>
<p><strong>WARNING: Using this valve has side-effects.</strong>
The
output from this valve includes any parameters included with the request.
The parameters will be decoded using the default platform encoding. Any
subsequent calls to <code>request.setCharacterEncoding()</code> within
the web application will have no effect.</p>
</subsection>
<subsection name="Attributes">
<p>The <strong>Request Dumper Valve</strong> supports the following
configuration attributes:</p>
<attributes>
<attribute name="className" required="true">
<p>Java class name of the implementation to use. This MUST be set to
<strong>org.apache.catalina.valves.RequestDumperValve</strong>.</p>
</attribute>
</attributes>
</subsection>
</section>
<section name="Single Sign On Valve">
<subsection name="Introduction">
<p>The <em>Single Sign On Vale</em> is utilized when you wish to give users
the ability to sign on to any one of the web applications associated with
your virtual host, and then have their identity recognized by all other
web applications on the same virtual host.</p>
<p>See the <a href="host.html#Single Sign On">Single Sign On</a> special
feature on the <strong>Host</strong> element for more information.</p>
</subsection>
<subsection name="Attributes">
<p>The <strong>Single Sign On</strong> Valve supports the following
configuration attributes:</p>
<attributes>
<attribute name="className" required="true">
<p>Java class name of the implementation to use. This MUST be set to
<strong>org.apache.catalina.authenticator.SingleSignOn</strong>.</p>
</attribute>
<attribute name="requireReauthentication" required="false">
<p>Default false. Flag to determine whether each request needs to be
reauthenticated to the security <strong>Realm</strong>. If "true", this
Valve uses cached security credentials (username and password) to
reauthenticate to the <strong>Realm</strong> each request associated
with an SSO session. If "false", the Valve can itself authenticate
requests based on the presence of a valid SSO cookie, without
rechecking with the <strong>Realm</strong>.</p>
</attribute>
</attributes>
</subsection>
</section>
</body>
</document>