markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new cd91dcac83 Deprecate RemoteAddr[Filter|Valve] in favour of
RemoteCIDR[Filter|Valve]
cd91dcac83 is described below
commit cd91dcac8308904bb3714c5ee7f8e530843e4119
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Oct 8 10:20:05 2025 +0100
Deprecate RemoteAddr[Filter|Valve] in favour of RemoteCIDR[Filter|Valve]
---
RUNNING.txt | 4 ++--
java/org/apache/catalina/filters/RemoteAddrFilter.java | 3 +++
java/org/apache/catalina/valves/RemoteAddrValve.java | 3 +++
test/org/apache/catalina/mapper/TestMapperWebapps.java | 4 ++--
test/org/apache/catalina/valves/TestRequestFilterValve.java | 1 +
webapps/docs/META-INF/context.xml | 4 ++--
webapps/docs/changelog.xml | 5 +++++
webapps/docs/config/context.xml | 4 ++--
webapps/docs/config/engine.xml | 4 ++--
webapps/docs/config/filter.xml | 5 +++++
webapps/docs/config/host.xml | 6 +++---
webapps/docs/config/valve.xml | 5 +++++
webapps/docs/manager-howto.xml | 10 +++++-----
webapps/docs/security-howto.xml | 4 ++--
webapps/examples/META-INF/context.xml | 4 ++--
webapps/host-manager/META-INF/context.xml | 4 ++--
webapps/host-manager/WEB-INF/manager.xml | 4 ++--
webapps/manager/META-INF/context.xml | 4 ++--
18 files changed, 50 insertions(+), 28 deletions(-)
diff --git a/RUNNING.txt b/RUNNING.txt
index 4a7aee9037..18c2032e67 100644
--- a/RUNNING.txt
+++ b/RUNNING.txt
@@ -305,8 +305,8 @@ The file will look like the following:
<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="${catalina.home}/webapps/manager"
antiResourceLocking="false" privileged="true" >
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.0\.0\.1" />
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ allow="127.0.0.0/8,::1/128" />
<Manager
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
diff --git a/java/org/apache/catalina/filters/RemoteAddrFilter.java
b/java/org/apache/catalina/filters/RemoteAddrFilter.java
index f335795c03..1752132a3d 100644
--- a/java/org/apache/catalina/filters/RemoteAddrFilter.java
+++ b/java/org/apache/catalina/filters/RemoteAddrFilter.java
@@ -29,7 +29,10 @@ import org.apache.juli.logging.LogFactory;
/**
* Concrete implementation of <code>RequestFilter</code> that filters based on
the string representation of the remote
* client's IP address.
+ *
+ * @deprecated This Filter will be removed in Tomcat 12 onwards. Use {@link
RemoteCIDRFilter} instead.
*/
+@Deprecated
public final class RemoteAddrFilter extends RequestFilter {
// Log must be non-static as loggers are created per class-loader and this
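Review bot: The new `@deprecated` Javadoc names the replacement class but does not say that the replacement takes a different pattern syntax. The configuration hunks in this same commit show the `allow`/`deny` values changing from regular expressions (`127\.0\.0\.1`) to a comma-separated CIDR list (`127.0.0.0/8,::1/128`). An operator who only swaps the class name would keep a regex in an access-control attribute that is presumably no longer read as one. I would add one sentence to the tag, for example `Note that allow/deny then take a comma-separated list of CIDR blocks rather than a regular expression.` The same applies to the `@deprecated` text added to `RemoteAddrValve` in the next hunk. Both class bodies continue outside their hunks.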
diff --git a/java/org/apache/catalina/valves/RemoteAddrValve.java
b/java/org/apache/catalina/valves/RemoteAddrValve.java
index de34f763e4..bd128c10b1 100644
--- a/java/org/apache/catalina/valves/RemoteAddrValve.java
+++ b/java/org/apache/catalina/valves/RemoteAddrValve.java
@@ -30,7 +30,10 @@ import org.apache.juli.logging.LogFactory;
/**
* Concrete implementation of <code>RequestFilterValve</code> that filters
based on the string representation of the
* remote client's IP address optionally combined with the server connector
port number.
+ *
+ * @deprecated This Valve will be removed in Tomcat 12 onwards. Use {@link
RemoteCIDRValve} instead.
*/
+@Deprecated
public final class RemoteAddrValve extends RequestFilterValve {
private static final Log log = LogFactory.getLog(RemoteAddrValve.class);
diff --git a/test/org/apache/catalina/mapper/TestMapperWebapps.java
b/test/org/apache/catalina/mapper/TestMapperWebapps.java
index 91262d6397..ba9965912d 100644
--- a/test/org/apache/catalina/mapper/TestMapperWebapps.java
+++ b/test/org/apache/catalina/mapper/TestMapperWebapps.java
@@ -31,7 +31,7 @@ import org.apache.catalina.Context;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.startup.TomcatBaseTest;
-import org.apache.catalina.valves.RemoteAddrValve;
+import org.apache.catalina.valves.RemoteHostValve;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
@@ -226,7 +226,7 @@ public class TestMapperWebapps extends TomcatBaseTest {
org.apache.catalina.Context examples = tomcat.addWebapp(null,
"/examples", examplesDir.getAbsolutePath());
examples.setMapperContextRootRedirectEnabled(false);
// Then block access to the examples to test redirection
- RemoteAddrValve rav = new RemoteAddrValve();
+ RemoteHostValve rav = new RemoteHostValve();
rav.setDeny(".*");
rav.setDenyStatus(404);
examples.getPipeline().addValve(rav);
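Review bot: The local is still called `rav` although it now holds a `RemoteHostValve`, so the abbreviation points at the class this commit deprecates. Renaming it, e.g. `RemoteHostValve denyAll = new RemoteHostValve();`, and updating the three uses below keeps the test readable. A short comment such as `// deny=".*" rejects every client regardless of the host string compared` would also record why the regex-based host valve was chosen here over the CIDR valve. The enclosing test method starts and ends outside the hunk.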
diff --git a/test/org/apache/catalina/valves/TestRequestFilterValve.java
b/test/org/apache/catalina/valves/TestRequestFilterValve.java
index da1764b5dc..7c0e3e2778 100644
--- a/test/org/apache/catalina/valves/TestRequestFilterValve.java
+++ b/test/org/apache/catalina/valves/TestRequestFilterValve.java
@@ -100,6 +100,7 @@ public class TestRequestFilterValve {
}
}
+ @SuppressWarnings("deprecation")
private void oneTest(String allow, String deny, boolean denyStatus,
boolean addConnectorPort,
boolean usePeerAddress, boolean auth, String property, String
type, boolean allowed) {
// PREPARE
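Review bot: The `@SuppressWarnings("deprecation")` added on `oneTest` has no comment saying which deprecated type it covers, and at method level it will also hide any deprecation introduced in that body later. I would add a line above it such as `// Exercises the deprecated RemoteAddrValve until it is removed in Tomcat 12`, so the suppression is dropped together with the valve. The body of `oneTest` lies outside the hunk, so whether the suppression could be narrowed to a single declaration cannot be judged from here.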
diff --git a/webapps/docs/META-INF/context.xml
b/webapps/docs/META-INF/context.xml
index ae6803be32..8aa32c8f3f 100644
--- a/webapps/docs/META-INF/context.xml
+++ b/webapps/docs/META-INF/context.xml
@@ -16,6 +16,6 @@
limitations under the License.
-->
<Context antiResourceLocking="false" >
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ allow="127.0.0.0/8,::1/128" />
</Context>
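Review bot: The new `allow="127.0.0.0/8,::1/128"` value carries no hint that its syntax changed from a regular expression to a comma-separated CIDR list. This file is the template administrators edit when they open the application to other addresses. A comment above the Valve would prevent regex-style edits to the access-control list, for example `<!-- allow/deny: comma-separated CIDR blocks, not a regular expression -->`. The same comment would help in the `examples`, `host-manager` (`context.xml` and `manager.xml`) and `manager` descriptors changed later in this commit. Per-host copies of these descriptors that were already deployed are presumably untouched by this change and keep the deprecated valve, which the changelog entry could mention.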
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index aad2eed127..8101bd769e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -111,6 +111,11 @@
Log warnings when the SSO configuration does not comply with the
documentation. (remm)
</fix>
+ <update>
+ Deprecate the <code>RemoteAddrFilter</code> and
+ <code>RemoteAddValve</code> in favour of the
+ <code>RemoteCIDRFilter</code> and <code>RemoteCIDRValve</code>. (markt)
+ </update>
</changelog>
</subsection>
</section>
diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
index 45b0989b90..3d0e378310 100644
--- a/webapps/docs/config/context.xml
+++ b/webapps/docs/config/context.xml
@@ -1287,8 +1287,8 @@
...
<Valve className="org.apache.catalina.valves.RemoteHostValve"
allow=".*\.mycompany\.com|www\.yourcompany\.com"/>
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- deny="192\.168\.1\.\d+"/>
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ deny="192.168.1.0/24"/>
...
</Context>]]></source>
diff --git a/webapps/docs/config/engine.xml b/webapps/docs/config/engine.xml
index 7180e34bc4..44b6f10cc8 100644
--- a/webapps/docs/config/engine.xml
+++ b/webapps/docs/config/engine.xml
@@ -242,8 +242,8 @@
...
<Valve className="org.apache.catalina.valves.RemoteHostValve"
allow=".*\.mycompany\.com|www\.yourcompany\.com"/>
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- deny="192\.168\.1\.\d+"/>
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ deny="192.168.1.0/24"/>
...
</Engine>]]></source>
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 8d18e04bf9..a3c5b6adcc 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -1185,6 +1185,11 @@ FINE: Request "/docs/config/manager.html" with response
status "200"
<code>::1</code>. Consult your access logs for the actual value.</p>
<p>See also: <a href="#Remote_Host_Filter">Remote Host Filter</a>.</p>
+
+ <p><strong>Note:</strong> This Filter is deprecated and will be removed in
+ Tomcat 12. Use the <a href="#Remote_CIDR_Filter">Remote CIDR Filter</a>
+ instead.</p>
+
</subsection>
<subsection name="Filter Class Name">
diff --git a/webapps/docs/config/host.xml b/webapps/docs/config/host.xml
index aed9b78866..e2a2384a56 100644
--- a/webapps/docs/config/host.xml
+++ b/webapps/docs/config/host.xml
@@ -275,7 +275,7 @@
a descriptor is located at <code>/META-INF/context.xml</code> and no
descriptor is present in <strong>xmlBase</strong> then the context will
fail to start in case the descriptor contains necessary configuration
- for secure deployment (such as a RemoteAddrValve) which should not be
+ for secure deployment (such as a RemoteCIDRValve) which should not be
ignored. The default is <code>true</code> unless a security manager is
enabled when the default is <code>false</code>. When running under a
security manager this may be enabled on a per web application basis by
@@ -556,8 +556,8 @@
...
<Valve className="org.apache.catalina.valves.RemoteHostValve"
allow=".*\.mycompany\.com|www\.yourcompany\.com"/>
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- deny="192\.168\.1\.\d+"/>
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ deny="192.168.1.0/24"/>
...
</Host>]]></source>
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index b1cd1dc104..170e8291b2 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -667,6 +667,11 @@
<a href="#Remote_CIDR_Valve">Remote CIDR Valve</a>,
<a href="#Remote_IP_Valve">Remote IP Valve</a>,
<a href="http.html">HTTP Connector</a> configuration.</p>
+
+ <p><strong>Note:</strong> This Valve is deprecated and will be removed in
+ Tomcat 12. Use <a href="#Remote_CIDR_Valve">Remote CIDR Valve</a>
+ instead.</p>
+
</subsection>
<subsection name="Attributes">
diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml
index 02e0650422..3bd65b9536 100644
--- a/webapps/docs/manager-howto.xml
+++ b/webapps/docs/manager-howto.xml
@@ -76,8 +76,8 @@ example:</p>
docBase="${catalina.home}/webapps/manager">
<CookieProcessor
className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ allow="127.0.0.0/8,::1/128" />
<Manager
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>]]></source>
@@ -204,13 +204,13 @@ the role <strong>manager-script</strong>.</p>
<p>In addition to the password restrictions, access to the Manager web
application can be restricted by the <strong>remote IP address</strong> or host
-by adding a <code>RemoteAddrValve</code> or <code>RemoteHostValve</code>.
+by adding a <code>RemoteCIDRValve</code> or <code>RemoteHostValve</code>.
See <a href="config/valve.html#Remote_Address_Filter">valves documentation</a>
for details. Here is
an example of restricting access to the localhost by IP address:</p>
<source><![CDATA[<Context privileged="true">
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.0\.0\.1"/>
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ allow="127.0.0.0/8,::1/128" />
</Context>]]></source>
</section>
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 080932dda0..53556a4bc0 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -169,7 +169,7 @@
<li>Do not remove the use of the <a
href="config/realm.html#LockOut_Realm_-_org.apache.catalina.realm.LockOutRealm">LockOutRealm</a>
which prevents brute force attacks against user passwords.</li>
- <li>Configure the <a
href="config/valve.html#Remote_Address_Valve">RemoteAddrValve</a>
+ <li>Configure the <a
href="config/valve.html#Remote_CIDR_Valve">RemoteCIDRValve</a>
in the <a href="config/context.html">context.xml</a> file for the
management application which limits access to localhost by default.
If remote access is required, limit it to specific IP addresses
using
@@ -461,7 +461,7 @@
context as required.</p>
<p>Any administrative application should be protected by a
- RemoteAddrValve (this Valve is also available as a Filter).
+ RemoteCIDRValve (this Valve is also available as a Filter).
The <strong>allow</strong> attribute should be used to limit access to a
set of known trusted hosts.</p>
diff --git a/webapps/examples/META-INF/context.xml
b/webapps/examples/META-INF/context.xml
index 2ae7e6682f..7709435c08 100644
--- a/webapps/examples/META-INF/context.xml
+++ b/webapps/examples/META-INF/context.xml
@@ -18,6 +18,6 @@
<Context>
<CookieProcessor
className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ allow="127.0.0.0/8,::1/128" />
</Context>
diff --git a/webapps/host-manager/META-INF/context.xml
b/webapps/host-manager/META-INF/context.xml
index 1fa3a5ae8d..568f74e5d7 100644
--- a/webapps/host-manager/META-INF/context.xml
+++ b/webapps/host-manager/META-INF/context.xml
@@ -18,7 +18,7 @@
<Context antiResourceLocking="false" privileged="true" >
<CookieProcessor
className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ allow="127.0.0.0/8,::1/128" />
<Manager
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
\ No newline at end of file
diff --git a/webapps/host-manager/WEB-INF/manager.xml
b/webapps/host-manager/WEB-INF/manager.xml
index a26dca6542..25c9b526e5 100644
--- a/webapps/host-manager/WEB-INF/manager.xml
+++ b/webapps/host-manager/WEB-INF/manager.xml
@@ -24,7 +24,7 @@
privileged="true" antiResourceLocking="false" >
<CookieProcessor
className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ allow="127.0.0.0/8,::1/128" />
<Manager
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
diff --git a/webapps/manager/META-INF/context.xml
b/webapps/manager/META-INF/context.xml
index 120b7ab61a..fc2b7b4bfd 100644
--- a/webapps/manager/META-INF/context.xml
+++ b/webapps/manager/META-INF/context.xml
@@ -18,7 +18,7 @@
<Context antiResourceLocking="false" privileged="true" >
<CookieProcessor
className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
+ <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
+ allow="127.0.0.0/8,::1/128" />
<Manager
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>