Author: markt Date: Fri Jun 23 21:14:43 2017 New Revision: 1799704 URL: http://svn.apache.org/viewvc?rev=1799704&view=rev Log: When the access log valve logs a TLS related request attribute and the NIO2 connector is used with OpenSSL, ensure that the TLS attributes are available to the access log valve when the connection is closing.
Added: tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java (with props)
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1799704&r1=1799703&r2=1799704&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Fri Jun 23 21:14:43 2017
@@ -85,6 +85,7 @@ import org.apache.catalina.core.AsyncCon
 import org.apache.catalina.mapper.MappingData;
 import org.apache.catalina.util.ParameterMap;
 import org.apache.catalina.util.RequestUtil;
+import org.apache.catalina.util.TLSUtil;
 import org.apache.catalina.util.URLEncoder;
 import org.apache.coyote.ActionCode;
 import org.apache.coyote.UpgradeToken;
@@ -855,48 +856,46 @@ public class Request implements HttpServ */ @Override public Object getAttribute(String name) { - // Special attributes SpecialAttributeAdapter adapter = specialAttributes.get(name); if (adapter != null) { return adapter.get(this, name); } - Object attr=attributes.get(name); + Object attr = attributes.get(name); - if(attr!=null) { + if (attr != null) { return attr; } - attr = coyoteRequest.getAttribute(name); - if(attr != null) { + attr = coyoteRequest.getAttribute(name); + if (attr != null) { return attr; } - if( isSSLAttribute(name) || name.equals(SSLSupport.PROTOCOL_VERSION_KEY)) { - coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE, - coyoteRequest); + if (TLSUtil.isTLSRequestAttribute(name)) { + coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE, coyoteRequest); attr = coyoteRequest.getAttribute(Globals.CERTIFICATES_ATTR); - if( attr != null) { + if (attr != null) { attributes.put(Globals.CERTIFICATES_ATTR, attr); } attr = coyoteRequest.getAttribute(Globals.CIPHER_SUITE_ATTR); - if(attr != null) { + if (attr != null) { attributes.put(Globals.CIPHER_SUITE_ATTR, attr); } attr = coyoteRequest.getAttribute(Globals.KEY_SIZE_ATTR); - if(attr != null) { + if (attr != null) { attributes.put(Globals.KEY_SIZE_ATTR, attr); } attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_ID_ATTR); - if(attr != null) { + if (attr != null) { attributes.put(Globals.SSL_SESSION_ID_ATTR, attr); } attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_MGR_ATTR); - if(attr != null) { + if (attr != null) { attributes.put(Globals.SSL_SESSION_MGR_ATTR, attr); } attr = coyoteRequest.getAttribute(SSLSupport.PROTOCOL_VERSION_KEY); - if(attr != null) { + if (attr != null) { attributes.put(SSLSupport.PROTOCOL_VERSION_KEY, attr); } attr = attributes.get(name); 
@@ -911,18 +910,6 @@ public class Request implements HttpServ return coyoteRequest.getContentLengthLong(); } - /** - * Test if a given name is one of the special Servlet-spec SSL attributes. - * - * @return <code>true</code> if this is a special SSL attribute - */ - static boolean isSSLAttribute(String name) { - return Globals.CERTIFICATES_ATTR.equals(name) || - Globals.CIPHER_SUITE_ATTR.equals(name) || - Globals.KEY_SIZE_ATTR.equals(name) || - Globals.SSL_SESSION_ID_ATTR.equals(name) || - Globals.SSL_SESSION_MGR_ATTR.equals(name); - } /** * Return the names of all request attributes for this Request, or an Added: tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java?rev=1799704&view=auto ============================================================================== --- tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java (added) +++ tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java Fri Jun 23 21:14:43 2017 
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.util;
+
+import org.apache.catalina.Globals;
+import org.apache.tomcat.util.net.SSLSupport;
+
+public class TLSUtil {
+
+ /**
+ * Determines if the named request attribute is used to pass information
+ * about the TLS configuration of the connection to the application. Both
+ * the standard request attributes defined by the Servlet specification and
+ * Tomcat specific attributes are supported.
+ *
+ * @param name The attribute name to test
+ *
+ * @return {@code true} if the attribute is used to pass TLS configuration
+ * information, otherwise {@code false}
+ */
+ public static boolean isTLSRequestAttribute(String name) {
+ return Globals.CERTIFICATES_ATTR.equals(name) ||
+ Globals.CIPHER_SUITE_ATTR.equals(name) ||
+ Globals.KEY_SIZE_ATTR.equals(name) ||
+ Globals.SSL_SESSION_ID_ATTR.equals(name) ||
+ Globals.SSL_SESSION_MGR_ATTR.equals(name) ||
+ SSLSupport.PROTOCOL_VERSION_KEY.equals(name);
+ }
+}
Propchange: tomcat/trunk/java/org/apache/catalina/util/TLSUtil.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java?rev=1799704&r1=1799703&r2=1799704&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java (original)
+++ tomcat/trunk/java/org/apache/catalina/valves/AbstractAccessLogValve.java Fri Jun 23 21:14:43 2017
@@ -42,6 +42,7 @@ import org.apache.catalina.LifecycleStat
 import org.apache.catalina.Session;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
+import org.apache.catalina.util.TLSUtil;
 import org.apache.coyote.RequestInfo;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -460,6 +461,12 @@ public abstract class AbstractAccessLogV */ private int maxLogMessageBufferSize = 256; + /** + * Does the configured log pattern include a known TLS attribute? + */ + private boolean tlsAttributeRequired = false; + + // ------------------------------------------------------------- Properties /**
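Review bot: `TLSUtil` holds a single static method but is declared as a plain `public class` with an implicit public constructor and no class-level Javadoc. If it is not meant to be instantiated or extended, declare it `public final class TLSUtil` and add `private TLSUtil() {}`, with a one-line class comment naming its purpose. The constant-first `equals` calls in `isTLSRequestAttribute` return `false` for a `null` name rather than throwing; the `@return` text could say so, e.g. `... otherwise {@code false} (including for a {@code null} name)`.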
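Review bot: `tlsAttributeRequired` is only ever set to `true` (in the `case 'r':` hunk further down in this file) and nothing in this diff resets it. Once a pattern with a TLS attribute has been parsed, the pre-fetch in `invoke()` stays on even if the pattern is later replaced by one without TLS attributes. The pattern-parsing method lies outside these hunks; if it can run more than once, it should clear the flag before parsing, e.g. `tlsAttributeRequired = false;` at its start. The field is also presumably written by whichever thread configures the valve and read by request threads in `invoke()`, so `private volatile boolean tlsAttributeRequired = false;` would make that hand-off explicit.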
@@ -622,6 +629,14 @@ public abstract class AbstractAccessLogV @Override public void invoke(Request request, Response response) throws IOException, ServletException { + if (tlsAttributeRequired) { + // The log pattern uses TLS attributes. Ensure these are populated + // before the request is processed because with NIO2 it is possible + // for the connection to be closed (and the TLS info lost) before + // the access log requests the TLS info. Requesting it now causes it + // to be cached in the request. + request.getAttribute(Globals.CERTIFICATES_ATTR); + } getNext().invoke(request, response); } @@ -1559,6 +1574,9 @@ public abstract class AbstractAccessLogV case 'p': return new PortElement(name); case 'r': + if (TLSUtil.isTLSRequestAttribute(name)) { + tlsAttributeRequired = true; + } return new RequestAttributeElement(name); case 's': return new SessionAttributeElement(name); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1799704&r1=1799703&r2=1799704&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Jun 23 21:14:43 2017 @@ -61,6 +61,12 @@ OpenSSL based TLS session since this is expected when session tickets are enabled. (markt) </fix> + <fix> + When the access log valve logs a TLS related request attribute and the + NIO2 connector is used with OpenSSL, ensure that the TLS attributes are + available to the access log valve when the connection is closing. + (markt) + </fix> </changelog> </subsection> <subsection name="Tribes"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
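Review bot: The pre-fetch added to `invoke()` covers only requests that pass through this valve's `invoke()`. A request written to the access log without going through the pipeline (not visible in this hunk, so an assumption to confirm) would still depend on the connection being open when the log entry is built. Where the logged protocol, cipher or client-certificate fields feed auditing, the comment should state that limit, e.g. `// Requests logged without passing through invoke() are not covered.` The call also runs for every request on non-TLS connections, where, as far as the Request.java hunk shows, nothing gets cached and the lookup repeats when the log entry is written.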