Links Top Level Elements Executors Connectors Containers Nested Components Cluster Elements web.xml Other | Apache Tomcat Configuration ReferenceThe Valve ComponentIntroduction |
A Valve element represents a component that will be
inserted into the request processing pipeline for the associated
Catalina container (Engine,
Host, or Context).
Individual Valves have distinct processing capabilities, and are
described individually below.
The description below uses the variable name $CATALINA_BASE to refer the
base directory against which most relative paths are resolved. If you have
not configured Tomcat 6 for multiple instances by setting a CATALINA_BASE
directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
the directory into which you have installed Tomcat 6.
|
Access Log Valve |
Introduction |
The Access Log Valve creates log files in the same
format as those created by standard web servers. These logs can later
be analyzed by standard log analysis tools to track page hit counts,
user session activity, and so on. The files produces by this Valve
are rolled over nightly at midnight. This Valve
may be associated with any Catalina container (Context ,
Host , or Engine ), and
will record ALL requests processed by that container.
Some requests may be handled by Tomcat before they are passed to a
container. These include redirects from /foo to /foo/ and the rejection of
invalid requests. Where Tomcat can identify the Context that
would have handled the request, the request/response will be logged in the
AccessLog (s) associated Context , Host
and Engine . Where Tomcat cannot identify the
Context that would have handled the request, e.g. in cases
where the URL is invalid, Tomcat will look first in the Engine ,
then the default Host for the Engine and finally
the ROOT (or default) Context for the default Host
for an AccessLog implementation. Tomcat will use the first
AccessLog implementation found to log those requests that are
rejected before they are passed to a container.
|
Attributes |
The Access Log Valve supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.valves.AccessLogValve to use the
default access log valve.
| directory |
Absolute or relative pathname of a directory in which log files
created by this valve will be placed. If a relative path is
specified, it is interpreted as relative to $CATALINA_BASE. If
no directory attribute is specified, the default value is "logs"
(relative to $CATALINA_BASE).
| encoding |
Character set used to write the log file. An empty string means
to use the system default character set. Default value: use the
system default character set.
| pattern |
A formatting layout identifying the various information fields
from the request and response to be logged, or the word
common or combined to select a
standard format. See below for more information on configuring
this attribute. Note that the optimized access does only support
common and combined as the value for this
attribute.
| prefix |
The prefix added to the start of each log file's name. If not
specified, the default value is "access_log.". To specify no prefix,
use a zero-length string.
| resolveHosts |
Set to true to convert the IP address of the remote
host into the corresponding host name via a DNS lookup. Set to
false to skip this lookup, and report the remote IP
address instead.
| suffix |
The suffix added to the end of each log file's name. If not
specified, the default value is "". To specify no suffix,
use a zero-length string.
| rotatable |
Flag to determine if log rotation should occur.
If set to false , then this file is never rotated and
fileDateFormat is ignored. Use with caution!
Default value: true
| condition |
Turns on conditional logging. If set, requests will be
logged only if ServletRequest.getAttribute() is
null. For example, if this value is set to
junk , then a particular request will only be logged
if ServletRequest.getAttribute("junk") == null .
The use of Filters is an easy way to set/unset the attribute
in the ServletRequest on many different requests.
| fileDateFormat |
Allows a customized date format in the access log file name.
The date format also decides how often the file is rotated.
If you wish to rotate every hour, then set this value
to: yyyy-MM-dd.HH
| buffered |
Flag to determine if logging will be buffered.
If set to false , then access logging will be written after each
request. Default value: true
|
Values for the pattern attribute are made up of literal
text strings, combined with pattern identifiers prefixed by the "%"
character to cause replacement by the corresponding variable value from
the current request and response. The following pattern codes are
supported:
- %a - Remote IP address
- %A - Local IP address
- %b - Bytes sent, excluding HTTP headers, or '-' if zero
- %B - Bytes sent, excluding HTTP headers
- %h - Remote host name (or IP address if
resolveHosts is false)
- %H - Request protocol
- %l - Remote logical username from identd (always returns
'-')
- %m - Request method (GET, POST, etc.)
- %p - Local port on which this request was received
- %q - Query string (prepended with a '?' if it exists)
- %r - First line of the request (method and request URI)
- %s - HTTP status code of the response
- %S - User session ID
- %t - Date and time, in Common Log Format
- %u - Remote user that was authenticated (if any), else '-'
- %U - Requested URL path
- %v - Local server name
- %D - Time taken to process the request, in millis
- %T - Time taken to process the request, in seconds
- %I - Current request thread name (can compare later with stacktraces)
There is also support to write information from the cookie, incoming
header, the Session or something else in the ServletRequest.
It is modeled after the
Apache HTTP Server log configuration
syntax:
%{xxx}i for incoming headers
%{xxx}o for outgoing response headers
%{xxx}c for a specific cookie
%{xxx}r xxx is an attribute in the ServletRequest
%{xxx}s xxx is an attribute in the HttpSession
The shorthand pattern name common (which is also the
default) corresponds to '%h %l %u %t "%r" %s %b'.
The shorthand pattern name combined appends the
values of the Referer and User-Agent headers,
each in double quotes, to the common pattern
described in the previous paragraph.
When Tomcat is operating behind a reverse proxy, the client information
logged by the Access Log Valve may represent the reverse proxy, the browser
or some combination of the two depending on the configuration of Tomcat and
the reverse proxy. For Tomcat configuration options see the
Proxy How-To. For reverse proxies that
use mod_jk, see the generic
proxy documentation. For other reverse proxies, consult their
documentation.
|
|
Remote Address Filter |
Introduction |
The Remote Address Filter allows you to compare the
IP address of the client that submitted this request against one or more
regular expressions, and either allow the request to continue
or refuse to process the request from this client. A Remote Address
Filter can be associated with any Catalina container
(Engine, Host, or
Context), and must accept any request
presented to this container for processing before it will be passed on.
The syntax for regular expressions is different than that for
'standard' wildcard matching. Tomcat uses the java.util.regex
package. Please consult the Java documentation for details of the
expressions supported.
Optionally one can append the server connector port separated with a
comma (";") to allow different expressions for each connector.
See also: Remote Host Filter,
Remote IP Valve.
|
Attributes |
The Remote Address Filter supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.valves.RemoteAddrValve.
| allow |
A comma-separated list of regular expression patterns
that the remote client's IP address is compared to. If this attribute
is specified, the remote address MUST match for this request to be
accepted. If this attribute is not specified, all requests will be
accepted UNLESS the remote address matches a deny
pattern.
| deny |
A comma-separated list of regular expression patterns
that the remote client's IP address is compared to. If this attribute
is specified, the remote address MUST NOT match for this request to be
accepted. If this attribute is not specified, request acceptance is
governed solely by the allow attribute.
| denyStatus |
HTTP response status code that is used when rejecting denied
request. The default value is 403 . For example,
it can be set to the value 404 .
| addConnectorPort |
Append the server connector port to the client IP address separated
with a semicolon (";"). If this is set to true , the
expressions configured with allow and
deny is compared against ADDRESS;PORT
where ADDRESS is the client IP address and
PORT is the Tomcat connector port which received the
request. The default value is false .
|
|
|
Remote Host Filter |
Introduction |
The Remote Host Filter allows you to compare the
hostname of the client that submitted this request against one or more
regular expressions, and either allow the request to continue
or refuse to process the request from this client. A Remote Host
Filter can be associated with any Catalina container
(Engine, Host, or
Context), and must accept any request
presented to this container for processing before it will be passed on.
The syntax for regular expressions is different than that for
'standard' wildcard matching. Tomcat uses the java.util.regex
package. Please consult the Java documentation for details of the
expressions supported.
Optionally one can append the server connector port separated with a
comma (";") to allow different expressions for each connector.
Note: This filter processes the value returned by
method ServletRequest.getRemoteHost() . To allow the method
to return proper host names, you have to enable "DNS lookups" feature on
a Connector.
See also: Remote Address Filter,
HTTP Connector configuration.
|
Attributes |
The Remote Host Filter supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.valves.RemoteHostValve.
| allow |
A comma-separated list of regular expression patterns
that the remote client's hostname is compared to. If this attribute
is specified, the remote hostname MUST match for this request to be
accepted. If this attribute is not specified, all requests will be
accepted UNLESS the remote hostname matches a deny
pattern.
| deny |
A comma-separated list of regular expression patterns
that the remote client's hostname is compared to. If this attribute
is specified, the remote hostname MUST NOT match for this request to be
accepted. If this attribute is not specified, request acceptance is
governed solely by the allow attribute.
| denyStatus |
HTTP response status code that is used when rejecting denied
request. The default value is 403 . For example,
it can be set to the value 404 .
| addConnectorPort |
Append the server connector port to the client hostname separated
with a comma (";"). If this is set to true , the
expressions configured with allow and
deny is compared against HOSTNAME;PORT
where HOSTNAME is the client hostname and
PORT is the Tomcat connector port which received the
request. The default value is false .
|
|
|
Request Dumper Valve |
Introduction |
The Request Dumper Valve is a useful tool in debugging
interactions with a client application (or browser) that is sending
HTTP requests to your Tomcat-based server. When configured, it causes
details about each request processed by its associated Engine ,
Host , or Context to be logged according to
the logging configuration for that container.
WARNING: Using this valve has side-effects. The
output from this valve includes any parameters included with the request.
The parameters will be decoded using the default platform encoding. Any
subsequent calls to request.setCharacterEncoding() within
the web application will have no effect. NOTE: Since all parameters are
included in the output, the InputStream is consumed for requests made with
the method POST and content-type application/x-www-form-urlencoded.
|
Attributes |
The Request Dumper Valve supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.valves.RequestDumperValve.
|
|
|
Single Sign On Valve |
Introduction |
The Single Sign On Valve is utilized when you wish to give users
the ability to sign on to any one of the web applications associated with
your virtual host, and then have their identity recognized by all other
web applications on the same virtual host.
See the Single Sign On special
feature on the Host element for more information.
|
Attributes |
The Single Sign On Valve supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.authenticator.SingleSignOn.
| requireReauthentication |
Default false. Flag to determine whether each request needs to be
reauthenticated to the security Realm. If "true", this
Valve uses cached security credentials (username and password) to
reauthenticate to the Realm each request associated
with an SSO session. If "false", the Valve can itself authenticate
requests based on the presence of a valid SSO cookie, without
rechecking with the Realm.
| cookieDomain |
Sets the host domain to be used for sso cookies.
|
|
|
Basic Authenticator Valve |
Introduction |
The Basic Authenticator Valve is automatically added to
any Context that is configured to use BASIC
authentication.
If any non-default settings are required, the valve may be configured
within Context element with the required
values.
|
Attributes |
The Basic Authenticator Valve supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.authenticator.BasicAuthenticator.
| changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of true will be
used.
| disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to false may help work around
caching issues in some browsers but will also cause secured pages to be
cached by proxies which will almost certainly be a security issue.
securePagesWithPragma offers an alternative, secure,
workaround for browser caching issues. If not set, the default value of
true will be used.
| securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to false may help work around
caching issues in some browsers by using
Cache-Control: private rather than the default of
Pragma: No-cache and Cache-control: No-cache .
If not set, the default value of true will be used.
|
|
|
Digest Authenticator Valve |
Introduction |
The Digest Authenticator Valve is automatically added to
any Context that is configured to use DIGEST
authentication.
If any non-default settings are required, the valve may be configured
within Context element with the required
values.
|
Attributes |
The Digest Authenticator Valve supports the following
configuration attributes:
Attribute | Description |
---|
cache |
Should we cache authenticated Principals if the request is part of an
HTTP session? If not specified, the default value of false
will be used.
| className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.authenticator.DigestAuthenticator.
| changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of true will be
used.
| disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to false may help work around
caching issues in some browsers but will also cause secured pages to be
cached by proxies which will almost certainly be a security issue.
securePagesWithPragma offers an alternative, secure,
workaround for browser caching issues. If not set, the default value of
true will be used.
| key |
The secret key used by digest authentication. If not set, a secure
random value is generated. This should normally only be set when it is
necessary to keep key values constant either across server restarts
and/or across a cluster.
| nonceCacheSize |
To protect against replay attacks, the DIGEST authenticator tracks
server nonce and nonce count values. This attribute controls the size
of that cache. If not specified, the default value of 1000 is used.
| nonceValidity |
The time, in milliseconds, that a server generated nonce will be
considered valid for use in authentication. If not specified, the
default value of 300000 (5 minutes) will be used.
| opaque |
The opaque server string used by digest authentication. If not set, a
random value is generated. This should normally only be set when it is
necessary to keep opaque values constant either across server restarts
and/or across a cluster.
| securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to false may help work around
caching issues in some browsers by using
Cache-Control: private rather than the default of
Pragma: No-cache and Cache-control: No-cache .
If not set, the default value of true will be used.
| validateUri |
Should the URI be validated as required by RFC2617? If not specified,
the default value of true will be used. This should
normally only be set when Tomcat is located behind a reverse proxy and
the proxy is modifying the URI passed to Tomcat such that DIGEST
authentication always fails.
|
|
|
Form Authenticator Valve |
Introduction |
The Form Authenticator Valve is automatically added to
any Context that is configured to use FORM
authentication.
If any non-default settings are required, the valve may be configured
within Context element with the required
values.
|
Attributes |
The Form Authenticator Valve supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.authenticator.FormAuthenticator.
| changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of true will be
used.
| characterEncoding |
Character encoding to use to read the username and password parameters
from the request. If not set, the encoding of the request body will be
used.
| disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to false may help work around
caching issues in some browsers but will also cause secured pages to be
cached by proxies which will almost certainly be a security issue.
securePagesWithPragma offers an alternative, secure,
workaround for browser caching issues. If not set, the default value of
true will be used.
| securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to false may help work around
caching issues in some browsers by using
Cache-Control: private rather than the default of
Pragma: No-cache and Cache-control: No-cache .
If not set, the default value of true will be used.
|
|
|
SSL Authenticator Valve |
Introduction |
The SSL Authenticator Valve is automatically added to
any Context that is configured to use SSL
authentication.
If any non-default settings are required, the valve may be configured
within Context element with the required
values.
|
Attributes |
The SSL Authenticator Valve supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.authenticator.SSLAuthenticator.
| changeSessionIdOnAuthentication |
Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
attacks. If not set, the default value of true will be
used.
| disableProxyCaching |
Controls the caching of pages that are protected by security
constraints. Setting this to false may help work around
caching issues in some browsers but will also cause secured pages to be
cached by proxies which will almost certainly be a security issue.
securePagesWithPragma offers an alternative, secure,
workaround for browser caching issues. If not set, the default value of
true will be used.
| securePagesWithPragma |
Controls the caching of pages that are protected by security
constraints. Setting this to false may help work around
caching issues in some browsers by using
Cache-Control: private rather than the default of
Pragma: No-cache and Cache-control: No-cache .
If not set, the default value of true will be used.
|
|
|
WebDAV Fix Valve |
Introduction |
Microsoft operating systems have two WebDAV clients. One is used with
port 80, the other is used for all other ports. The implementation used with
port 80 does not adhere to the WebDAV specification and fails when trying to
communicate with the Tomcat WebDAV Servlet. This valve provides a fix for
this by forcing the use of the WebDAV implementation that works, even when
connecting via port 80.
This Valve may be used at the Engine , Host or
Context level as required. Normally, this Valve would be used
at the Context level.
|
Attributes |
The WebDAV Fix Valve supports the following
configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.valves.WebdavFixValve.
|
|
|
Remote IP Valve |
Introduction |
Tomcat port of
mod_remoteip,
this valve replaces the apparent client remote IP address and hostname for
the request with the IP address list presented by a proxy or a load balancer
via a request headers (e.g. "X-Forwarded-For").
Another feature of this valve is to replace the apparent scheme
(http/https), server port and request.secure with the scheme presented
by a proxy or a load balancer via a request header
(e.g. "X-Forwarded-Proto").
This Valve may be used at the Engine , Host or
Context level as required. Normally, this Valve would be used
at the Engine level.
If used in conjunction with Remote Address/Host valves then this valve
should be defined first to ensure that the correct client IP address is
presented to the Remote Address/Host valves.
|
Attributes |
The Remote IP Valve supports the
following configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.valves.RemoteIpValve.
| remoteIpHeader |
Name of the HTTP Header read by this valve that holds the list of
traversed IP addresses starting from the requesting client. If not
specified, the default of x-forwarded-for is used.
| internalProxies |
List of internal proxies' IP addresses as comma separated regular
expressions. If they appear in the remoteIpHeader
value, they will be trusted and will not appear in the
proxiesHeader value. If not specified the default value
of 10\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?,
192\.168\.\d\d?\d?\.\d\d?\d?,
169\.254\.\d\d?\d?\.\d\d?\d?,
127\.\d\d?\d?\.\d\d?\d?\.\d\d?\d? will
be used.
Note that the individual regular expressions must not
contain commas themselves, as the internalProxies
value is first split by commas, then parsed into separate regular
expression patterns.
| proxiesHeader |
Name of the HTTP header created by this valve to hold the list of
proxies that have been processed in the incoming
remoteIpHeader. If not specified, the default of
x-forwarded-by is used.
| trustedProxies |
List of trusted proxies' IP addresses as comma separated regular
expressions. If they appear in the remoteIpHeader
value, they will be trusted and will appear in the
proxiesHeader value. If not specified, no proxies will
be trusted.
| protocolHeader |
Name of the HTTP Header read by this valve that holds the protocol
used by the client to connect to the proxy. If not specified, the
default of null is used.
| protocolHeaderHttpsValue |
Value of the protocolHeader to indicate that it is
an HTTPS request. If not specified, the default of https is
used.
| httpServerPort |
Value returned by ServletRequest.getServerPort()
when the protocolHeader indicates http
protocol. If not specified, the default of 80 is
used.
| httpsServerPort |
Value returned by ServletRequest.getServerPort()
when the protocolHeader indicates https
protocol. If not specified, the default of 443 is
used.
|
|
|
Stuck Thread Detection Valve |
Introduction |
This valve allows to detect requests that take a long time to process, which might
indicate that the thread that is processing it is stuck.
When such a request is detected, the current stack trace of its thread is written
to Tomcat log with a WARN level.
The IDs and names of the stuck threads are available through JMX in the
stuckThreadIds and stuckThreadNames attributes.
The IDs can be used with the standard Threading JVM MBean
(java.lang:type=Threading ) to retrieve other information
about each stuck thread.
|
Attributes |
The Stuck Thread Detection Valve supports the
following configuration attributes:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.valves.StuckThreadDetectionValve.
| threshold |
Minimum duration in seconds after which a thread is considered stuck.
Default is 600 seconds. If set to 0, the detection is disabled.
Note: since the detection is done in the background thread of the Container
(Engine, Host or Context) declaring this Valve, the threshold should be higher
than the backgroundProcessorDelay of this Container.
|
|
|
SSL Valve |
Attributes |
The SSL Valve supports the following configuration
attribute:
Attribute | Description |
---|
className |
Java class name of the implementation to use. This MUST be set to
org.apache.catalina.valves.SSLValve.
|
|
|
|