Author: kkolinko
Date: Sun Mar 2 12:46:24 2014
New Revision: 1573294

URL: http://svn.apache.org/r1573294
Log:
CTR: docs
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56093
Provide documentation for SSLValve.
Backport of r1073184, r1568921

Modified:
    tomcat/tc6.0.x/trunk/ (props changed)
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1073184,1568921
  Merged /tomcat/tc7.0.x/trunk:r1568922

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java?rev=1573294&r1=1573293&r2=1573294&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java Sun Mar 2 12:46:24 2014
@@ -32,22 +32,35 @@ import org.apache.catalina.connector.Res import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; -/* - * Valve to fill the SSL informations in the request - * mod_header is used to fill the headers and the valve - * will fill the parameters of the request. +/** + * When using mod_proxy_http, the client SSL information is not included in the + * protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL + * information available to Tomcat, some additional configuration is required. + * In httpd, mod_headers is used to add the SSL information as HTTP headers. In + * Tomcat, this valve is used to read the information from the HTTP headers and + * insert it into the request.<p> + * + * <b>Note: Ensure that the headers are always set by httpd for all requests to + * prevent a client spoofing SSL information by sending fake headers. </b><p> + * * In httpd.conf add the following: - * <IfModule ssl_module> + * <pre> + * <IfModule ssl_module> * RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" * RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" * RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s" * RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" - * </IfModule> - * - * @author Jean-Frederic Clere + * </IfModule> + * </pre> * + * In server.xml, configure this valve under the Engine element in server.xml: + * <pre> + * <Engine ...> + * <Valve className="org.apache.catalina.valves.SSLValve" /> + * <Host ... 
/> + * </Engine> + * </pre> */ - public class SSLValve extends ValveBase { private static final Log log = LogFactory.getLog(SSLValve.class); Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1573294&r1=1573293&r2=1573294&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Mar 2 12:46:24 2014 @@ -44,6 +44,13 @@ General, Catalina, Coyote, Jasper, Cluster, Web applications, Other --> <section name="Tomcat 6.0.40" rtext=""> + <subsection name="Web applications"> + <changelog> + <add> + <bug>56093</bug>: Documentation for SSLValve. (markt/kkolinko) + </add> + </changelog> + </subsection> <subsection name="Other"> <changelog> <scode> Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml?rev=1573294&r1=1573293&r2=1573294&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml Sun Mar 2 12:46:24 2014 
@@ -964,7 +964,48 @@ </section> +<section name="SSL Valve"> + <subsection name="Introduction"> + + <p>When using mod_proxy_http, the client SSL information is not included in + the protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL + information available to Tomcat, some additional configuration is required. + In httpd, mod_headers is used to add the SSL information as HTTP headers. In + Tomcat, this valve is used to read the information from the HTTP headers and + insert it into the request.</p> + + <p>Note: Ensure that the headers are always set by httpd for all requests to + prevent a client spoofing SSL information by sending fake headers.</p> + + <p>To configure httpd to set the necessary headers, add the following:</p> +<source><IfModule ssl_module> + RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" + RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" + RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s" + RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" +</IfModule></source> + + </subsection> + + <subsection name="Attributes"> + + <p>The <strong>SSL Valve</strong> supports the following configuration + attribute:</p> + + <attributes> + + <attribute name="className" required="true"> + <p>Java class name of the implementation to use. This MUST be set to + <strong>org.apache.catalina.valves.SSLValve</strong>. + </p> + </attribute> + + </attributes> + + </subsection> + +</section> </body>
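
Review bot: In the SSLValve.java Javadoc, the bold note requires that httpd set the headers for all requests, but the sample directly below it wraps all four RequestHeader directives in <IfModule ssl_module>, and nothing says what covers requests when that block is not in effect. Suggest adding a sentence that the directives must be active wherever requests are proxied to Tomcat, because otherwise a client-supplied SSL_CLIENT_CERT (or any of the other three headers) is forwarded to the valve unchanged. Minor wording: "In server.xml, configure this valve under the Engine element in server.xml:" names server.xml twice.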
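
Review bot: The new "SSL Valve" section in valve.xml documents only the httpd side; the server.xml placement that the Javadoc in this same commit shows (<Valve className="org.apache.catalina.valves.SSLValve" /> under <Engine ...>) is missing from the Introduction subsection. Suggest adding that snippet after the httpd <source> block so the user documentation and the Javadoc agree. The spoofing warning is also a plain <p> here while the Javadoc puts it in <b>; giving it the same emphasis in the docs would keep a reader from skimming past it.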