This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 6eda98540a Remove the deprecated RemoteAddrFilter and RemoteAddrValve
6eda98540a is described below
commit 6eda98540a570ea0daa6c483e96ee81fa43b997c
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Oct 8 11:06:32 2025 +0100
Remove the deprecated RemoteAddrFilter and RemoteAddrValve
---
.../apache/catalina/filters/RemoteAddrFilter.java | 66 ---------
.../apache/catalina/valves/RemoteAddrValve.java | 63 ---------
.../apache/catalina/valves/mbeans-descriptors.xml | 63 ---------
.../catalina/valves/TestRequestFilterValve.java | 36 +----
webapps/docs/changelog.xml | 6 +-
webapps/docs/config/filter.xml | 92 ------------
webapps/docs/config/valve.xml | 156 ---------------------
7 files changed, 8 insertions(+), 474 deletions(-)
diff --git a/java/org/apache/catalina/filters/RemoteAddrFilter.java
b/java/org/apache/catalina/filters/RemoteAddrFilter.java
deleted file mode 100644
index 1752132a3d..0000000000
--- a/java/org/apache/catalina/filters/RemoteAddrFilter.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.catalina.filters;
-
-import java.io.IOException;
-
-import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletException;
-import jakarta.servlet.ServletRequest;
-import jakarta.servlet.ServletResponse;
-
-import org.apache.juli.logging.Log;
-import org.apache.juli.logging.LogFactory;
-
-/**
- * Concrete implementation of <code>RequestFilter</code> that filters based on
the string representation of the remote
- * client's IP address.
- *
- * @deprecated This Filter will be removed in Tomcat 12 onwards. Use {@link
RemoteCIDRFilter} instead.
- */
-@Deprecated
-public final class RemoteAddrFilter extends RequestFilter {
-
- // Log must be non-static as loggers are created per class-loader and this
- // Filter may be used in multiple class loaders
- private final Log log = LogFactory.getLog(RemoteAddrFilter.class); // must
not be static
-
-
- /**
- * Extract the desired request property, and pass it (along with the
specified request and response objects and
- * associated filter chain) to the protected <code>process()</code> method
to perform the actual filtering.
- *
- * @param request The servlet request to be processed
- * @param response The servlet response to be created
- * @param chain The filter chain for this request
- *
- * @exception IOException if an input/output error occurs
- * @exception ServletException if a servlet error occurs
- */
- @Override
- public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
- throws IOException, ServletException {
-
- process(request.getRemoteAddr(), request, response, chain);
-
- }
-
- @Override
- protected Log getLogger() {
- return log;
- }
-}
diff --git a/java/org/apache/catalina/valves/RemoteAddrValve.java
b/java/org/apache/catalina/valves/RemoteAddrValve.java
deleted file mode 100644
index bd128c10b1..0000000000
--- a/java/org/apache/catalina/valves/RemoteAddrValve.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.catalina.valves;
-
-
-import java.io.IOException;
-
-import jakarta.servlet.ServletException;
-
-import org.apache.catalina.connector.Request;
-import org.apache.catalina.connector.Response;
-import org.apache.juli.logging.Log;
-import org.apache.juli.logging.LogFactory;
-
-
-/**
- * Concrete implementation of <code>RequestFilterValve</code> that filters
based on the string representation of the
- * remote client's IP address optionally combined with the server connector
port number.
- *
- * @deprecated This Valve will be removed in Tomcat 12 onwards. Use {@link
RemoteCIDRValve} instead.
- */
-@Deprecated
-public final class RemoteAddrValve extends RequestFilterValve {
-
- private static final Log log = LogFactory.getLog(RemoteAddrValve.class);
-
-
- // --------------------------------------------------------- Public Methods
-
- @Override
- public void invoke(Request request, Response response) throws IOException,
ServletException {
- String property;
- if (getUsePeerAddress()) {
- property = request.getPeerAddr();
- } else {
- property = request.getRequest().getRemoteAddr();
- }
- if (getAddConnectorPort()) {
- property = property + ";" +
request.getConnector().getPortWithOffset();
- }
- process(property, request, response);
- }
-
-
- @Override
- protected Log getLog() {
- return log;
- }
-}
diff --git a/java/org/apache/catalina/valves/mbeans-descriptors.xml
b/java/org/apache/catalina/valves/mbeans-descriptors.xml
index 6b389d8752..03865ef8ef 100644
--- a/java/org/apache/catalina/valves/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/valves/mbeans-descriptors.xml
@@ -331,69 +331,6 @@
</mbean>
- <mbean name="RemoteAddrValve"
- description="Concrete implementation of RequestFilterValve that
filters based on the string representation of the remote client's IP address"
- domain="Catalina"
- group="Valve"
- type="org.apache.catalina.valves.RemoteAddrValve">
-
- <attribute name="addConnectorPort"
- description="Append the server connector port to the client IP
separated by a semicolon"
- type="boolean"/>
-
- <attribute name="allow"
- description="The allow expression"
- type="java.lang.String"/>
-
- <attribute name="allowValid"
- description="Becomes false if assigned value of allow
expression is not syntactically correct"
- is="true"
- type="boolean"
- writeable="false"/>
-
- <attribute name="asyncSupported"
- description="Does this valve support async reporting."
- is="true"
- type="boolean"/>
-
- <attribute name="className"
- description="Fully qualified class name of the managed object"
- type="java.lang.String"
- writeable="false"/>
-
- <attribute name="deny"
- description="The deny expression"
- type="java.lang.String"/>
-
- <attribute name="denyStatus"
- description="HTTP response status code that is used when
rejecting denied request"
- type="int"/>
-
- <attribute name="denyValid"
- description="Becomes false if assigned value of deny expression
is not syntactically correct"
- is="true"
- type="boolean"
- writeable="false"/>
-
- <attribute name="invalidAuthenticationWhenDeny"
- description="Send an invalid authentication header instead of
deny"
- type="boolean"/>
-
- <attribute name="stateName"
- description="The name of the LifecycleState that this component
is currently in"
- type="java.lang.String"
- writeable="false"/>
-
- <operation name="isAllowed"
- description="Tests whether a client with this IP address value
is allowed access by the current valve configuration"
- impact="INFO"
- returnType="boolean">
- <parameter name="ipAddress"
- description="IP address to be tested"
- type="java.lang.String"/>
- </operation>
- </mbean>
-
<mbean name="RemoteHostValve"
description="Concrete implementation of RequestFilterValve that
filters based on the string representation of the remote client's host name"
domain="Catalina"
diff --git a/test/org/apache/catalina/valves/TestRequestFilterValve.java
b/test/org/apache/catalina/valves/TestRequestFilterValve.java
index 5caeb951c4..bec069bac0 100644
--- a/test/org/apache/catalina/valves/TestRequestFilterValve.java
+++ b/test/org/apache/catalina/valves/TestRequestFilterValve.java
@@ -38,13 +38,6 @@ public class TestRequestFilterValve {
private static final int FORBIDDEN = 403;
private static final int CUSTOM = 499;
- private static final String ADDR_ALLOW_PAT = "127\\.\\d*\\.\\d*\\.\\d*";
- private static final String ADDR_DENY_PAT = "\\d*\\.\\d*\\.\\d*\\.1";
- private static final String ADDR_ONLY_ALLOW = "127.0.0.2";
- private static final String ADDR_ONLY_DENY = "192.168.0.1";
- private static final String ADDR_ALLOW_AND_DENY = "127.0.0.1";
- private static final String ADDR_NO_ALLOW_NO_DENY = "192.168.0.2";
-
private static final String HOST_ALLOW_PAT =
"www\\.example\\.[a-zA-Z0-9-]*";
private static final String HOST_DENY_PAT = ".*\\.org";
private static final String HOST_ONLY_ALLOW = "www.example.com";
@@ -105,7 +98,6 @@ public class TestRequestFilterValve {
}
}
- @SuppressWarnings("deprecation")
private void oneTest(String allow, String deny, boolean denyStatus,
boolean addConnectorPort,
boolean usePeerAddress, boolean auth, String property, String
type, boolean allowed) {
// PREPARE
@@ -123,19 +115,7 @@ public class TestRequestFilterValve {
Assert.assertNotNull("Invalid test with null type", type);
if (property != null) {
- if (type.equals("Addr")) {
- valve = new RemoteAddrValve();
- if (usePeerAddress) {
- request.setRemoteAddr(ADDR_OTHER);
- request.getCoyoteRequest().peerAddr().setString(property);
- valve.setUsePeerAddress(true);
- msg.append(" peer='" + property + "'");
- } else {
- request.setRemoteAddr(property);
-
request.getCoyoteRequest().peerAddr().setString(ADDR_OTHER);
- msg.append(" ip='" + property + "'");
- }
- } else if (type.equals("Host")) {
+ if (type.equals("Host")) {
valve = new RemoteHostValve();
request.setRemoteHost(property);
msg.append(" host='" + property + "'");
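Review bot: Dropping the "Addr" branch removes the only code visible in this hunk that sets `request.setRemoteAddr(...)` and `request.getCoyoteRequest().peerAddr()` to different values before calling `valve.setUsePeerAddress(true)`. That split is what shows the valve makes its allow/deny decision on the intended address when a reverse proxy sits in front of Tomcat. If the remaining IP-based branch of `oneTest` (outside this hunk, presumably the `RemoteCIDRValve` case) does not set up the same split, the `usePeerAddress` parameter is now unused and that access-control path is untested, so this is worth confirming. A one-line comment above the dispatch would also help, for example `// regex-on-IP cases were removed with RemoteAddrValve; IP filtering is covered by the RemoteCIDRValve cases`. `oneTest` starts and ends outside the hunk.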
@@ -172,14 +152,12 @@ public class TestRequestFilterValve {
}
}
if (addConnectorPort) {
- if (valve instanceof RemoteAddrValve) {
- valve.setAddConnectorPort(true);
- } else if (valve instanceof RemoteHostValve) {
+ if (valve instanceof RemoteHostValve) {
valve.setAddConnectorPort(true);
} else if (valve instanceof RemoteCIDRValve) {
valve.setAddConnectorPort(true);
} else {
- Assert.fail("Can only set 'addConnectorPort' for
RemoteAddrValve, RemoteHostValve and RemoteCIDRValve");
+ Assert.fail("Can only set 'addConnectorPort' for
RemoteHostValve and RemoteCIDRValve");
}
msg.append(" addConnectorPort='true'");
}
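Review bot: The two remaining `instanceof` branches both call `valve.setAddConnectorPort(true)`, so the chain can collapse into one condition, `if (valve instanceof RemoteHostValve || valve instanceof RemoteCIDRValve) {`, followed by the existing `else { Assert.fail(...) }`. This keeps the list of valves that support `addConnectorPort` in one place, next to the failure message that names them. The enclosing `oneTest` method starts and ends outside the hunk.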
@@ -365,14 +343,6 @@ public class TestRequestFilterValve {
twoTests(apat, dpat, true, true, auth, AllowAndDeny, type, false);
}
- @Test
- public void testRemoteAddrValveIPv4() {
- standardTests(ADDR_ALLOW_PAT, ADDR_DENY_PAT, ADDR_ONLY_ALLOW,
ADDR_ONLY_DENY, ADDR_ALLOW_AND_DENY,
- ADDR_NO_ALLOW_NO_DENY, false, "Addr");
- standardTests(ADDR_ALLOW_PAT, ADDR_DENY_PAT, ADDR_ONLY_ALLOW,
ADDR_ONLY_DENY, ADDR_ALLOW_AND_DENY,
- ADDR_NO_ALLOW_NO_DENY, true, "Addr");
- }
-
@Test
public void testRemoteHostValve() {
standardTests(HOST_ALLOW_PAT, HOST_DENY_PAT, HOST_ONLY_ALLOW,
HOST_ONLY_DENY, HOST_ALLOW_AND_DENY,
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2e15191460..e614839347 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -176,6 +176,10 @@
trusted proxies for the <code>RemoteIpFilter</code> and
<code>RemoteIpValve</code>. (markt)
</update>
+ <update>
+ Remove the <code>RemoteAddrFilter</code> and
+ <code>RemoteAddrValve</code>. (markt)
+ </update>
<!-- Entries for backport and removal before 12.0.0-M1 below this line
-->
<add>
Add CIDR support for the configuration of internal and trusted proxies
@@ -188,7 +192,7 @@
</fix>
<update>
Deprecate the <code>RemoteAddrFilter</code> and
- <code>RemoteAddValve</code> in favour of the
+ <code>RemoteAddrValve</code> in favour of the
<code>RemoteCIDRFilter</code> and <code>RemoteCIDRValve</code>. (markt)
</update>
</changelog>
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 33aa40edb8..77a5aad7ba 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -1107,98 +1107,6 @@ FINE: Request "/docs/config/manager.html" with response
status "200"
</section>
-
-<section name="Remote Address Filter">
-
- <subsection name="Introduction">
-
- <p>The <strong>Remote Address Filter</strong> allows you to compare the
- IP address of the client that submitted this request against one or more
- <em>regular expressions</em>, and either allow the request to continue
- or refuse to process the request from this client. </p>
-
- <p>The syntax for <em>regular expressions</em> is different than that for
- 'standard' wildcard matching. Tomcat uses the <code>java.util.regex</code>
- package. Please consult the Java documentation for details of the
- expressions supported.</p>
-
- <p><strong>Note:</strong> There is a caveat when using this filter with
- IPv6 addresses. Format of the IP address that this valve is processing
- depends on the API that was used to obtain it. If the address was obtained
- from Java socket using Inet6Address class, its format will be
- <code>x:x:x:x:x:x:x:x</code>. That is, the IP address for localhost
- will be <code>0:0:0:0:0:0:0:1</code> instead of the more widely used
- <code>::1</code>. Consult your access logs for the actual value.</p>
-
- <p>See also: <a href="#Remote_Host_Filter">Remote Host Filter</a>.</p>
-
- <p><strong>Note:</strong> This Filter is deprecated and will be removed in
- Tomcat 12. Use the <a href="#Remote_CIDR_Filter">Remote CIDR Filter</a>
- instead.</p>
-
- </subsection>
-
- <subsection name="Filter Class Name">
-
- <p>The filter class name for the Remote Address Filter is
- <strong><code>org.apache.catalina.filters.RemoteAddrFilter</code>
- </strong>.</p>
-
- </subsection>
-
- <subsection name="Initialisation parameters">
-
- <p>The <strong>Remote Address Filter</strong> supports the following
- initialisation parameters:</p>
-
- <attributes>
-
- <attribute name="allow" required="false">
- <p>A regular expression (using <code>java.util.regex</code>) that the
- remote client's IP address is compared to. If this attribute
- is specified, the remote address MUST match for this request to be
- accepted. If this attribute is not specified, all requests will be
- accepted UNLESS the remote address matches a <code>deny</code>
- pattern.</p>
- </attribute>
-
- <attribute name="deny" required="false">
- <p>A regular expression (using <code>java.util.regex</code>) that the
- remote client's IP address is compared to. If this attribute
- is specified, the remote address MUST NOT match for this request to be
- accepted. If this attribute is not specified, request acceptance is
- governed solely by the <code>accept</code> attribute.</p>
- </attribute>
-
- <attribute name="denyStatus" required="false">
- <p>HTTP response status code that is used when rejecting denied
- request. The default value is <code>403</code>. For example,
- it can be set to the value <code>404</code>.</p>
- </attribute>
-
- </attributes>
-
- </subsection>
-
- <subsection name="Example">
- <p>To allow access only for the clients connecting from localhost:</p>
-<source><![CDATA[ <filter>
- <filter-name>Remote Address Filter</filter-name>
- <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
- <init-param>
- <param-name>allow</param-name>
- <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>Remote Address Filter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>]]></source>
- </subsection>
-
-</section>
-
-
<section name="Remote Host Filter">
<subsection name="Introduction">
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index d9110901c4..aa8e9f79c3 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -616,162 +616,6 @@
<section name="Access Control">
-
-<subsection name="Remote Address Valve">
-
- <subsection name="Introduction">
-
- <p>The <strong>Remote Address Valve</strong> allows you to compare the
- IP address of the client that submitted this request against one or more
- <em>regular expressions</em>, and either allow the request to continue
- or refuse to process the request from this client. A Remote Address
- Valve can be associated with any Catalina container
- (<a href="engine.html">Engine</a>, <a href="host.html">Host</a>, or
- <a href="context.html">Context</a>), and must accept any request
- presented to this container for processing before it will be passed on.</p>
-
- <p>The syntax for <em>regular expressions</em> is different than that for
- 'standard' wildcard matching. Tomcat uses the <code>java.util.regex</code>
- package. Please consult the Java documentation for details of the
- expressions supported.</p>
-
- <p>After setting the attribute <code>addConnectorPort</code> to
- <code>true</code>, one can append the server connector port separated with
a
- semicolon (";") to allow different expressions for each connector.</p>
-
- <p>By setting the attribute <code>usePeerAddress</code> to
- <code>true</code>, the valve will use the connection peer address in its
- checks. This will differ from the client IP, if a reverse proxy is used
- in front of Tomcat in combination with either the AJP protocol, or the
- HTTP protocol plus the <code>RemoteIp(Valve|Filter)</code>.</p>
-
- <p>A refused request will be answered a response with status code
- <code>403</code>. This status code can be overwritten using the attribute
- <code>denyStatus</code>.</p>
-
- <p>By setting the attribute <code>invalidAuthenticationWhenDeny</code> to
- <code>true</code>, the behavior when a request is refused can be changed
- to not deny but instead set an invalid <code>authentication</code>
- header. This is useful in combination with the context attribute
- <code>preemptiveAuthentication="true"</code>.</p>
-
- <p><strong>Note:</strong> There is a caveat when using this valve with
- IPv6 addresses. Format of the IP address that this valve is processing
- depends on the API that was used to obtain it. If the address was obtained
- from Java socket using Inet6Address class, its format will be
- <code>x:x:x:x:x:x:x:x</code>. That is, the IP address for localhost
- will be <code>0:0:0:0:0:0:0:1</code> instead of the more widely used
- <code>::1</code>. Consult your access logs for the actual value.</p>
-
- <p>See also: <a href="#Remote_Host_Valve">Remote Host Valve</a>,
- <a href="#Remote_CIDR_Valve">Remote CIDR Valve</a>,
- <a href="#Remote_IP_Valve">Remote IP Valve</a>,
- <a href="http.html">HTTP Connector</a> configuration.</p>
-
- <p><strong>Note:</strong> This Valve is deprecated and will be removed in
- Tomcat 12. Use <a href="#Remote_CIDR_Valve">Remote CIDR Valve</a>
- instead.</p>
-
- </subsection>
-
- <subsection name="Attributes">
-
- <p>The <strong>Remote Address Valve</strong> supports the following
- configuration attributes:</p>
-
- <attributes>
-
- <attribute name="className" required="true">
- <p>Java class name of the implementation to use. This MUST be set to
- <strong>org.apache.catalina.valves.RemoteAddrValve</strong>.</p>
- </attribute>
-
- <attribute name="allow" required="false">
- <p>A regular expression (using <code>java.util.regex</code>) that the
- remote client's IP address is compared to. If this attribute
- is specified, the remote address MUST match for this request to be
- accepted. If this attribute is not specified, all requests will be
- accepted UNLESS the remote address matches a <code>deny</code>
- pattern.</p>
- </attribute>
-
- <attribute name="deny" required="false">
- <p>A regular expression (using <code>java.util.regex</code>) that the
- remote client's IP address is compared to. If this attribute
- is specified, the remote address MUST NOT match for this request to be
- accepted. If this attribute is not specified, request acceptance is
- governed solely by the <code>allow</code> attribute.</p>
- </attribute>
-
- <attribute name="denyStatus" required="false">
- <p>HTTP response status code that is used when rejecting denied
- request. The default value is <code>403</code>. For example,
- it can be set to the value <code>404</code>.</p>
- </attribute>
-
- <attribute name="addConnectorPort" required="false">
- <p>Append the server connector port to the client IP address separated
- with a semicolon (";"). If this is set to <code>true</code>, the
- expressions configured with <code>allow</code> and
- <code>deny</code> is compared against <code>ADDRESS;PORT</code>
- where <code>ADDRESS</code> is the client IP address and
- <code>PORT</code> is the Tomcat connector port which received the
- request. The default value is <code>false</code>.</p>
- </attribute>
-
- <attribute name="invalidAuthenticationWhenDeny" required="false">
- <p>When a request should be denied, do not deny but instead
- set an invalid <code>authentication</code> header. This only works
- if the context has the attribute
<code>preemptiveAuthentication="true"</code>
- set. An already existing <code>authentication</code> header will not be
- overwritten. In effect this will trigger authentication instead of deny
- even if the application does not have a security constraint
configured.</p>
- <p>This can be combined with <code>addConnectorPort</code> to trigger
authentication
- depending on the client and the connector that is used to access an
application.</p>
- </attribute>
-
- <attribute name="usePeerAddress" required="false">
- <p>Use the connection peer address instead of the client IP address.
- They will differ, if a reverse proxy is used in front of Tomcat in
- combination with either the AJP protocol, or the HTTP protocol plus
- the <code>RemoteIp(Valve|Filter)</code>.</p>
- </attribute>
-
- </attributes>
-
- </subsection>
-
- <subsection name="Example 1" anchor="Remote_Address_Valve/Example_localhost">
- <p>To allow access only for the clients connecting from localhost:</p>
- <source><![CDATA[<Valve
className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>]]></source>
- </subsection>
-
- <subsection name="Example 2"
anchor="Remote_Address_Valve/Example_localhost_port">
- <p>To allow unrestricted access for the clients connecting from localhost
- but for all other clients only to port 8443:</p>
- <source><![CDATA[<Valve
className="org.apache.catalina.valves.RemoteAddrValve"
- addConnectorPort="true"
-
allow="127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*|.*;8443"/>]]></source>
- </subsection>
-
- <subsection name="Example 3" anchor="Remote_Address_Valve/Example_port_auth">
- <p>To allow unrestricted access to port 8009, but trigger basic
- authentication if the application is accessed on another port:</p>
-<source><![CDATA[<Context>
- ...
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- addConnectorPort="true"
- invalidAuthenticationWhenDeny="true"
- allow=".*;8009"/>
- <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
- ...
-</Context>]]></source>
- </subsection>
-
-</subsection>
-
-
<subsection name="Remote Host Valve">
<subsection name="Introduction">