tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1799704 - in /tomcat/trunk: java/org/apache/catalina/connector/Request.java java/org/apache/catalina/util/TLSUtil.java java/org/apache/catalina/valves/AbstractAccessLogValve.java webapps/docs/changelog.xml
Date Fri, 23 Jun 2017 21:14:43 GMT
Author: markt
Date: Fri Jun 23 21:14:43 2017
New Revision: 1799704

URL: http://svn.apache.org/viewvc?rev=1799704&view=rev
Log:
When the access log valve logs a TLS related request attribute and the NIO2 connector is used
with OpenSSL, ensure that the TLS attributes are available to the access log valve when the
connection is closing.

Added:
    tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java   (with props)
Modified:
    tomcat/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1799704&r1=1799703&r2=1799704&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Fri Jun 23 21:14:43 2017
@@ -85,6 +85,7 @@ import org.apache.catalina.core.AsyncCon
 import org.apache.catalina.mapper.MappingData;
 import org.apache.catalina.util.ParameterMap;
 import org.apache.catalina.util.RequestUtil;
+import org.apache.catalina.util.TLSUtil;
 import org.apache.catalina.util.URLEncoder;
 import org.apache.coyote.ActionCode;
 import org.apache.coyote.UpgradeToken;
@@ -855,48 +856,46 @@ public class Request implements HttpServ
      */
     @Override
     public Object getAttribute(String name) {
-
         // Special attributes
         SpecialAttributeAdapter adapter = specialAttributes.get(name);
         if (adapter != null) {
             return adapter.get(this, name);
         }
 
-        Object attr=attributes.get(name);
+        Object attr = attributes.get(name);
 
-        if(attr!=null) {
+        if (attr != null) {
             return attr;
         }
 
-        attr =  coyoteRequest.getAttribute(name);
-        if(attr != null) {
+        attr = coyoteRequest.getAttribute(name);
+        if (attr != null) {
             return attr;
         }
-        if( isSSLAttribute(name) || name.equals(SSLSupport.PROTOCOL_VERSION_KEY)) {
-            coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE,
-                                 coyoteRequest);
+        if (TLSUtil.isTLSRequestAttribute(name)) {
+            coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE, coyoteRequest);
             attr = coyoteRequest.getAttribute(Globals.CERTIFICATES_ATTR);
-            if( attr != null) {
+            if (attr != null) {
                 attributes.put(Globals.CERTIFICATES_ATTR, attr);
             }
             attr = coyoteRequest.getAttribute(Globals.CIPHER_SUITE_ATTR);
-            if(attr != null) {
+            if (attr != null) {
                 attributes.put(Globals.CIPHER_SUITE_ATTR, attr);
             }
             attr = coyoteRequest.getAttribute(Globals.KEY_SIZE_ATTR);
-            if(attr != null) {
+            if (attr != null) {
                 attributes.put(Globals.KEY_SIZE_ATTR, attr);
             }
             attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_ID_ATTR);
-            if(attr != null) {
+            if (attr != null) {
                 attributes.put(Globals.SSL_SESSION_ID_ATTR, attr);
             }
             attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_MGR_ATTR);
-            if(attr != null) {
+            if (attr != null) {
                 attributes.put(Globals.SSL_SESSION_MGR_ATTR, attr);
             }
             attr = coyoteRequest.getAttribute(SSLSupport.PROTOCOL_VERSION_KEY);
-            if(attr != null) {
+            if (attr != null) {
                 attributes.put(SSLSupport.PROTOCOL_VERSION_KEY, attr);
             }
             attr = attributes.get(name);
@@ -911,18 +910,6 @@ public class Request implements HttpServ
         return coyoteRequest.getContentLengthLong();
     }
 
-    /**
-     * Test if a given name is one of the special Servlet-spec SSL attributes.
-     *
-     * @return <code>true</code> if this is a special SSL attribute
-     */
-    static boolean isSSLAttribute(String name) {
-        return Globals.CERTIFICATES_ATTR.equals(name) ||
-            Globals.CIPHER_SUITE_ATTR.equals(name) ||
-            Globals.KEY_SIZE_ATTR.equals(name)  ||
-            Globals.SSL_SESSION_ID_ATTR.equals(name) ||
-            Globals.SSL_SESSION_MGR_ATTR.equals(name);
-    }
 
     /**
      * Return the names of all request attributes for this Request, or an

Added: tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java?rev=1799704&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java (added)
+++ tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java Fri Jun 23 21:14:43 2017
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.util;
+
+import org.apache.catalina.Globals;
+import org.apache.tomcat.util.net.SSLSupport;
+
+public class TLSUtil {
+
+    /**
+     * Determines if the named request attribute is used to pass information
+     * about the TLS configuration of the connection to the application. Both
+     * the standard request attributes defined by the Servlet specification and
+     * Tomcat specific attributes are supported.
+     *
+     * @param name  The attribute name to test
+     *
+     * @return {@code true} if the attribute is used to pass TLS configuration
+     *         information, otherwise {@code false}
+     */
+    public static boolean isTLSRequestAttribute(String name) {
+        return Globals.CERTIFICATES_ATTR.equals(name) ||
+                Globals.CIPHER_SUITE_ATTR.equals(name) ||
+                Globals.KEY_SIZE_ATTR.equals(name)  ||
+                Globals.SSL_SESSION_ID_ATTR.equals(name) ||
+                Globals.SSL_SESSION_MGR_ATTR.equals(name) ||
+                SSLSupport.PROTOCOL_VERSION_KEY.equals(name);
+    }
+}

Propchange: tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java?rev=1799704&r1=1799703&r2=1799704&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java (original)
+++ tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java Fri Jun 23 21:14:43
2017
@@ -42,6 +42,7 @@ import org.apache.catalina.LifecycleStat
 import org.apache.catalina.Session;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
+import org.apache.catalina.util.TLSUtil;
 import org.apache.coyote.RequestInfo;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -460,6 +461,12 @@ public abstract class AbstractAccessLogV
      */
     private int maxLogMessageBufferSize = 256;
 
+    /**
+     * Does the configured log pattern include a known TLS attribute?
+     */
+    private boolean tlsAttributeRequired = false;
+
+
     // ------------------------------------------------------------- Properties
 
     /**
@@ -622,6 +629,14 @@ public abstract class AbstractAccessLogV
     @Override
     public void invoke(Request request, Response response) throws IOException,
             ServletException {
+        if (tlsAttributeRequired) {
+            // The log pattern uses TLS attributes. Ensure these are populated
+            // before the request is processed because with NIO2 it is possible
+            // for the connection to be closed (and the TLS info lost) before
+            // the access log requests the TLS info. Requesting it now causes it
+            // to be cached in the request.
+            request.getAttribute(Globals.CERTIFICATES_ATTR);
+        }
         getNext().invoke(request, response);
     }
 
@@ -1559,6 +1574,9 @@ public abstract class AbstractAccessLogV
         case 'p':
             return new PortElement(name);
         case 'r':
+            if (TLSUtil.isTLSRequestAttribute(name)) {
+                tlsAttributeRequired = true;
+            }
             return new RequestAttributeElement(name);
         case 's':
             return new SessionAttributeElement(name);

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1799704&r1=1799703&r2=1799704&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Jun 23 21:14:43 2017
@@ -61,6 +61,12 @@
         OpenSSL based TLS session since this is expected when session tickets
         are enabled. (markt)
       </fix>
+      <fix>
+        When the access log valve logs a TLS related request attribute and the
+        NIO2 connector is used with OpenSSL, ensure that the TLS attributes are
+        available to the access log valve when the connection is closing.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Tribes">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message