tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Denying IPs using the Valve command in context.xml
Date Tue, 04 Oct 2011 20:58:52 GMT

André,

On 10/4/2011 4:50 PM, André Warnier wrote:
> I agree with Francis that the way the documentation is written is
> confusing for anyone not dedicating his life to Java programming
> (like the sysadmins and other perl programmers who have to use this
> to configure Tomcat). In classical regex usage, if you want
> something anchored, you have to say so explicitly.  In classical
> regex usage, if you do use anchors such as ^ and $, you expect them
> to take effect, and not to be silently ignored.

I suspect it's not going to change, as that would be an incompatible
change. Since it's security-related, it's not something to be changed
lightly.

> And, it seems that the Pattern class, and its own .matches()
> method, does work in the way that a non-exclusively-Java programmer
> would expect, anchors and all.

Does it?

"
Compiles the given regular expression and attempts to match the given
input against it.

An invocation of this convenience method of the form

     Pattern.matches(regex, input);

behaves in exactly the same way as the expression

     Pattern.compile(regex).matcher(input).matches()

If a pattern is to be used multiple times, compiling it once and
reusing it will be more efficient than invoking this method each time.
"

> So my question is: which of Matcher or Pattern is really used in
> the Valve's code?

You could read the code :)

> Furthermore, about the Tomcat Valve documentation, I would opine:
> 
> - either the documentation remains as it is, and in the code, it
> should use the Pattern class for matching (and thus not
> automatically anchor, but allow the usage of explicit anchors in
> the provided patterns for allow and deny).

Not going to change the code (see above). Also, Pattern.matches is
static and re-compiles the pattern every time. That's also not going
to change.

> - or the documentation should be amended to indicate that the
> expression provided for allow and deny is already automatically
> anchored at the beginning and end of the string. (And also that
> this is not thread-safe, and may occasionally miss a host?)

Documentation patches are always welcome. Thread-safety is not an
issue (hint: read the code).

-chris

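Added example (not part of the original message and not Tomcat's code): a small Java program comparing whole-input matching, which the quoted Javadoc describes for `Pattern.matches()` and `Matcher.matches()`, with substring search via `find()`. The addresses and deny patterns are constructed, and it is an assumption here that the Valve evaluates its allow and deny expressions with whole-input matching, as the thread discusses.

```java
import java.util.regex.Pattern;

public class ValveAnchoringDemo {

    // Whole-input match: the semantics of Matcher.matches(), and of the
    // static Pattern.matches(regex, input) quoted in the message.
    static boolean wholeMatch(String regex, String addr) {
        return Pattern.compile(regex).matcher(addr).matches();
    }

    // Substring search: what unanchored "classical" regex usage
    // (Perl, grep) does when no ^ or $ is written.
    static boolean substringMatch(String regex, String addr) {
        return Pattern.compile(regex).matcher(addr).find();
    }

    public static void main(String[] args) {
        // Constructed sample addresses (documentation range), not from the thread.
        String[] addrs = { "192.0.2.1", "192.0.2.10", "192.0.2.200" };

        // Constructed deny patterns: a bare literal, the same literal with
        // explicit anchors, a prefix, and the prefix completed with ".*".
        String[] patterns = {
            "192\\.0\\.2\\.1",
            "^192\\.0\\.2\\.1$",
            "192\\.0\\.2\\.",
            "192\\.0\\.2\\..*"
        };

        System.out.printf("%-20s %-13s %-10s %-7s %s%n",
                "pattern", "address", "matches()", "find()", "Pattern.matches()");
        for (String p : patterns) {
            for (String a : addrs) {
                System.out.printf("%-20s %-13s %-10b %-7b %b%n",
                        p, a,
                        wholeMatch(p, a),
                        substringMatch(p, a),
                        Pattern.matches(p, a)); // same result as wholeMatch()
            }
        }
    }
}
```

Under whole-input matching the prefix pattern `192\.0\.2\.` matches none of the three addresses, so a deny rule written that way blocks nothing until it is completed with `.*`. The explicit `^` and `$` in the second pattern are redundant under `matches()` and only change the result under `find()`.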