tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Denying IPs using the Valve command in context.xml
Date Tue, 04 Oct 2011 20:58:52 GMT


On 10/4/2011 4:50 PM, André Warnier wrote:
> I agree with Francis that the way the documentation is written, is 
> confusing for anyone not dedicating his life to Java programming
> (like the sysadmins and other perl programmers who have to use this
> to configure Tomcat). In classical regex usage, if you want
> something anchored, you have to say so explicitly.  In classical
> regex usage, if you do use anchors such as ^ and $, you expect them
> to take effect, and not to be silently ignored.

I suspect it's not going to change, as that would be an incompatible
change. Since it's security-related, it's not something to be changed

> And, it seems that the Pattern class, and its own .matches()
> method, does work in the way that a non-exclusively-java programmer
> would expect, anchors and all.

Does it?

Compiles the given regular expression and attempts to match the given
input against it.

An invocation of this convenience method of the form

     Pattern.matches(regex, input);

behaves in exactly the same way as the expression


If a pattern is to be used multiple times, compiling it once and
reusing it will be more efficient than invoking this method each time.

> So my question is : which of Matcher or Pattern is really used in
> the Valve's code ?

You could read the code :)

> Furthermore, about the Tomcat Valve documentation, I would opine :
> - either the documentation remains as it is, and in the code, it
> should use the Pattern class for matching (and thus not
> automatically anchor, but allow the usage of explicit anchors in
> the provided patterns for allow and deny).

Not going to change the code (see above). Also, Pattern.matches is
static and re-compiles the pattern every time. That's also not going
to change.

> - or the documentation should be amended to indicate that the
> expression provided for allow and deny is already automatically
> anchored at the beginning and end of the string. (And also that
> this is not thread-safe, and may occasionally miss a host ?)

Documentation patches are always welcome. Thread-safety is not an
issue (hint: read the code).

-chris
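The anchoring question discussed in this thread can be checked directly against java.util.regex. The following is an added example, not code from the message or from Tomcat; the class name, the deny expressions and the client addresses are constructed for illustration. It compiles each expression once and compares whole-input matching (`Matcher.matches()`) with classical substring search (`Matcher.find()`).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class AnchoringDemo {
    // Constructed sample deny expressions; none come from the thread.
    static final String[] DENY = {
        "192\\.168\\.1\\.",          // prefix only, no wildcard
        "192\\.168\\.1\\.\\d+",      // whole address, no anchors
        "^192\\.168\\.1\\.\\d+$",    // whole address, explicit anchors
        "10\\.0\\.0\\.1"             // single host
    };

    // Constructed sample client addresses.
    static final String[] ADDRS = { "192.168.1.25", "10.0.0.1", "110.0.0.10" };

    public static void main(String[] args) {
        // Compile once and reuse, rather than calling the static
        // Pattern.matches(), which recompiles on every invocation.
        Map<String, Pattern> compiled = new LinkedHashMap<>();
        for (String re : DENY) {
            compiled.put(re, Pattern.compile(re));
        }

        System.out.printf("%-24s %-14s %-10s %s%n",
                "pattern", "address", "matches()", "find()");
        for (Map.Entry<String, Pattern> e : compiled.entrySet()) {
            for (String addr : ADDRS) {
                // matches(): the entire input must match the expression,
                // so ^ and $ add nothing.
                boolean full = e.getValue().matcher(addr).matches();
                // find(): any substring may match, so anchors are needed
                // to pin the expression to the whole address.
                boolean partial = e.getValue().matcher(addr).find();
                System.out.printf("%-24s %-14s %-10b %b%n",
                        e.getKey(), addr, full, partial);
            }
        }
    }
}
```

With whole-input matching, the prefix-only expression matches none of the addresses, so a deny rule written that way blocks nothing. With substring search, the unanchored single-host expression also hits 110.0.0.10.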