Subject: svn commit: r1573294 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/valves/SSLValve.java webapps/docs/changelog.xml webapps/docs/config/valve.xml
Date: Sun, 02 Mar 2014 12:46:25 -0000
To: dev@tomcat.apache.org
From: kkolinko@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20140302124625.7C749238896F@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: kkolinko Date: Sun Mar 2 12:46:24 2014 New Revision: 1573294 URL: http://svn.apache.org/r1573294 Log: CTR: docs Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56093 Provide documentation for SSLValve. Backport of r1073184, r1568921 Modified: tomcat/tc6.0.x/trunk/ (props changed) tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1073184,1568921 Merged /tomcat/tc7.0.x/trunk:r1568922 Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java?rev=1573294&r1=1573293&r2=1573294&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java Sun Mar 2 12:46:24 2014 
@@ -32,22 +32,35 @@ import org.apache.catalina.connector.Res import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; -/* - * Valve to fill the SSL informations in the request - * mod_header is used to fill the headers and the valve - * will fill the parameters of the request. +/** + * When using mod_proxy_http, the client SSL information is not included in the + * protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL + * information available to Tomcat, some additional configuration is required. + * In httpd, mod_headers is used to add the SSL information as HTTP headers. In + * Tomcat, this valve is used to read the information from the HTTP headers and + * insert it into the request.

+ * + * Note: Ensure that the headers are always set by httpd for all requests to + * prevent a client spoofing SSL information by sending fake headers.

+ * * In httpd.conf add the following: - * + *

+ * <IfModule ssl_module>
  *   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  *   RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
  *   RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
  *   RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
- * 
- *
- * @author Jean-Frederic Clere
+ * </IfModule>
+ * 
* + * In server.xml, configure this valve under the Engine element in server.xml: + *
+ * <Engine ...>
+ *   <Valve className="org.apache.catalina.valves.SSLValve" />
+ *   <Host ... />
+ * </Engine>
+ * 
*/ - public class SSLValve extends ValveBase { private static final Log log = LogFactory.getLog(SSLValve.class); Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1573294&r1=1573293&r2=1573294&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Mar 2 12:46:24 2014 @@ -44,6 +44,13 @@ General, Catalina, Coyote, Jasper, Cluster, Web applications, Other -->
+ + + + 56093: Documentation for SSLValve. (markt/kkolinko) + + + Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml?rev=1573294&r1=1573293&r2=1573294&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml Sun Mar 2 12:46:24 2014 @@ -964,7 +964,48 @@
+
+ + +

When using mod_proxy_http, the client SSL information is not included in + the protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL + information available to Tomcat, some additional configuration is required. + In httpd, mod_headers is used to add the SSL information as HTTP headers. In + Tomcat, this valve is used to read the information from the HTTP headers and + insert it into the request.

+ +

Note: Ensure that the headers are always set by httpd for all requests to + prevent a client spoofing SSL information by sending fake headers.

+ +

To configure httpd to set the necessary headers, add the following:

+<IfModule ssl_module> + RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" + RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" + RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s" + RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" +</IfModule> + +
+ + + +

The SSL Valve supports the following configuration + attribute:

+ + + + +

Java class name of the implementation to use. This MUST be set to + org.apache.catalina.valves.SSLValve. +

+
+ +
+ +
+ +
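Review bot: In the SSLValve.java Javadoc hunk, the spoofing note ("Ensure that the headers are always set by httpd for all requests") is not backed up by the sample configuration, which only says to add the RequestHeader directives to httpd.conf inside `<IfModule ssl_module>`. That guard tests whether mod_ssl is loaded, not whether a particular request arrived over TLS, so the Javadoc should state in which context the directives must be placed so that they apply to every request proxied to Tomcat, including requests on any plain-HTTP virtual host; otherwise the warning tells the administrator what to achieve without telling them how. Also, "In server.xml, configure this valve under the Engine element in server.xml" repeats "in server.xml"; drop one occurrence.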
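Review bot: The valve.xml hunk repeats the httpd snippet and the spoofing warning from the Javadoc but omits the server.xml placement that the Javadoc gives (`<Valve className="org.apache.catalina.valves.SSLValve" />` under the Engine element). Readers of the configuration reference, who will not see the source comment, are left without that information, so add the same Engine/Valve snippet here. The attribute table documents only className; one sentence stating that the valve reads the SSL_CLIENT_CERT, SSL_CIPHER, SSL_SESSION_ID and SSL_CIPHER_USEKEYSIZE request headers named in the httpd snippet would make the dependency between the two configurations explicit.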