From Christopher Schultz <>
Subject Re: Denying IPs using the Valve command in context.xml
Date Tue, 04 Oct 2011 22:12:52 GMT
On 10/4/2011 5:48 PM, André Warnier wrote:
> Yes, because if one defines e.g. a Pattern "^abcdef" and uses it
> via yesno = Pattern.matches("^abcdef",input); it will actually
> match the pattern at the beginning of the string only, which is
> what one would expect.  Thus
> Pattern.matches("^abc","abcdef");
> would return true, while this :
> Pattern.compile("^abc").matcher("abcdef").matches()
> would return false (according to what I read in the documentation
> of Matcher.matches()). Not so ?

I'm not sure how Pattern.matches() would be different than
Pattern.matcher().matches(), given that it is documented to be identical.

>>> So my question is : which of Matcher or Pattern is really used
>>> in the Valve's code ?
>> You could read the code :)
> Do you mean to say that trying to configure Tomcat according to
> the online documentation, with the purpose of using it as a
> servlet container, is reserved exclusively for java programmers ? 
> ;-)

No, I meant to say that you've been around long enough that you don't
have to speculate.

> I guess that what I have trouble understanding here, is how the
> Java regex library can go about allowing to create a Pattern like
> "^abc", and then using it in a Matcher.matches() method, completely
> ignoring the anchors which it accepted in the Pattern and silently
> inserting its own.

It can and should, because it's documented to do so. Nobody is saying
it's the "right" thing to do... just that it's what it does do.

> But then, how come they are not, in the allow/deny of the Valve ?

Because of the choice to use Matcher.matches() instead of something
more nuanced.

> Does the Valve code itself strip any provided anchors, and "force"
> ^ and $ around the expression provided in the allow/deny attributes
> ?

No, it keeps them intact. It's the library that essentially ignores them.

-chris
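
The matching behaviour discussed in this message, as an added Java example (not Tomcat's Valve code and not part of the original post). The helper names `matchesWhole` and `findsAnywhere` and the sample addresses are constructed for illustration; the only assumption taken from the thread is that the allow/deny value is tested with Matcher.matches().

```java
import java.util.regex.Pattern;

public class ValveAnchorDemo {
    // Hypothetical stand-in for the check described in the thread: the
    // attribute value is compiled as given and tested with Matcher.matches(),
    // which requires the entire input to match the pattern.
    static boolean matchesWhole(String regex, String addr) {
        return Pattern.compile(regex).matcher(addr).matches();
    }

    // Substring search with Matcher.find(), shown only for contrast.
    static boolean findsAnywhere(String regex, String addr) {
        return Pattern.compile(regex).matcher(addr).find();
    }

    public static void main(String[] args) {
        // The two forms debated above: Pattern.matches(regex, input) is
        // documented as equivalent to compile(regex).matcher(input).matches().
        System.out.println(Pattern.matches("^abc", "abcdef"));
        System.out.println(matchesWhole("^abc", "abcdef"));
        // find() and lookingAt() do not require the whole input to match.
        System.out.println(findsAnywhere("^abc", "abcdef"));
        System.out.println(Pattern.compile("^abc").matcher("abcdef").lookingAt());

        // Constructed sample addresses and deny patterns.
        String[] addrs = { "192.168.1.5", "192.168.1.50", "10.192.168.1.5" };
        String[] denies = {
            "192\\.168\\.1\\.",      // prefix only
            "^192\\.168\\.1\\.",     // same prefix with an explicit ^
            "192\\.168\\.1\\.\\d+",  // whole address spelled out
            "192\\.168\\.1\\.5"      // one exact address
        };
        for (String deny : denies) {
            for (String addr : addrs) {
                System.out.printf("%-22s %-16s matches=%-5b find=%b%n",
                        deny, addr, matchesWhole(deny, addr),
                        findsAnywhere(deny, addr));
            }
        }
    }
}
```

Under whole-input matching, a deny value that covers only an address prefix matches no client address, so the pattern has to describe the complete address.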
