Byutilizing absolute pressure ratings, the REALM safety valves reduce your operating costs. The control chamber, dynamic seal system, and rod piston can all withstand full differential pressures, eliminating the need to stage tubing pressures during installation. As a result, REALM valves lower the risks of over pressuring while minimizing your installation costs.
I try to implement a Tomcat valve (currently using 7.0.55) that should intercept every request that reaches the Tomcat serivce, regardless of Connector and whatnot, regardless of wether there's a Host with matching name or a servlet context or whatever.
On the dev system, testing locally, everything's working as excepted. A request to any URI path on my "localhost" tomcat writes that log line. In the sever.xml, the valve is configured outside of any Host element:
As said above the log line gets printet when I call :8080/some-webapp/, which is as expected, and it gets also printed when I call :8080/non-existing-webapp/, which is also as expected.
The same goes for the domain (that is not configured in server.xml)
test.domain.com, thus -webapp/ prints the log line as well as -existing-webapp.
But this is not true for the server we're testing on. Here the Valve is only invoked if the context name of the URI is "known" to tomcat, i.e. a call to .../some-webapp/ would print the log line while a call to .../non-existing-webapp/ would simply do nothing - the valve is not invoked at all.
Still, tomcat handles that request as the 404 that gets sent to the client in this case contains "Apache-Coyote something" as a response header.
Turns out it is caused by a missing ROOT-directory in Tomcat's webapps-dir. I think that Tomcat does filter incoming requests rather rigorously at a very early point in time, even before any valves can handle and mess with the request.
And if there's no default context (i.e. no ROOT-dir) then Tomcat (thinks to) know(s) that a request to non-existing-webapp cannot succeed and thus does not even call the valve(s). With a default context Tomcat cannot know what will happen to the request and thus the valve gets its chance to intercept the request.
In versions 6(not sure what happens in earlier versions) - 8 Tomcat does not call Valve if it determines that redirect is required, so suprisingly Valves work reliably only when context is determined during mapping phase.
As you can see Valves are called only in case postParseRequest returned true, which does not happen for example if Tomcat determines that it should return redirect during postParseRequest. Code determining that redirect is required:
Our Realms are stocked in a range of finishes that are constantly expanding. Currently these valves are available in Anthracite, Satin Black, Brushed Brass, Chrome, Grey, Black Nickel, Satin Nickel and White. We also stock these valves in a trio of orientations; Angled, Corner and Straight, allowing you to select the right valve for your pipework.
We always recommend using matching Sleeve Kits with all of our radiator valves. Our Radiator Valve Accessories are the perfect finishing touch to any radiator and come in two lengths; 130mm covering most common radiators and 300mm versions are also available for radiators that are positioned slightly higher on your wall.
A Realm element represents a "database" of usernames, passwords, and roles (similar to Unix groups) assigned to those users. Different implementations of Realm allow Catalina to be integrated into environments where such authentication information is already being created and maintained, and then utilize that information to implement Container Managed Security as described in the Servlet Specification.
A Catalina container (Engine, Host, or Context) may contain no more than one Realm element (although if supported by the Realm this one Realm may itself contain multiple nested Realms). In addition, the Realm associated with an Engine or a Host is automatically inherited by lower-level containers unless the lower level container explicitly defines its own Realm. If no Realm is configured for the Engine, an instance of the Null Realm will be configured for the Engine automatically.
For more in-depth information about container managed security in web applications, as well as more information on configuring and using the standard realm component implementations, please see the Container-Managed Security Guide.
The description below uses the variable name $CATALINA_BASE to refer the base directory against which most relative paths are resolved. If you have not configured Tomcat for multiple instances by setting a CATALINA_BASE directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME, the directory into which you have installed Tomcat.
Unlike most Catalina components, there are several standard Realm implementations available. As a result, the className attribute MUST be used to select the implementation you wish to use.
The DataSource Database Realm connects Tomcat to a relational database, accessed through a JNDI named JDBC DataSource to perform lookups of usernames, passwords, and their associated roles. Because the lookup is done each time that it is required, changes to the database will be immediately reflected in the information used to authenticate new logins.
The JDBC Realm uses a single db connection. This requires that realm based authentication be synchronized, i.e. only one authentication can be done at a time. This could be a bottleneck for applications with high volumes of realm based authentications.
This attribute controls how the special role name * is handled when processing authorization constraints in web.xml. By default, the specification compliant value of strict is used which means that the user must be assigned one of the roles defined in web.xml. The alternative values are authOnly which means that the user must be authenticated but no check is made for assigned roles and strictAuthOnly which means that the user must be authenticated and no check will be made for assigned roles unless roles are defined in web.xml in which case the user must be assigned at least one of those roles.
When this attribute has the value of authOnly or strictAuthOnly, the roleNameCol and userRoleTable attributes become optional. If those two attributes are omitted, the user's roles will not be loaded by this Realm.
When the realm is nested inside a Context element, this allows the realm to use a DataSource defined for the Context rather than a global DataSource. If not specified, the default is false: use a global DataSource.
The HTTP status code to use when the container needs to issue an HTTP redirect to meet the requirements of a configured transport guarantee. The provided status code is not validated. If not specified, the default value of 302 is used.
Name of the column, in the "users" table, which contains the user's credentials (i.e. password). If a CredentialHandler is specified, this component will assume that the passwords have been encoded with the specified algorithm. Otherwise, they will be assumed to be in clear text.
When using X509 client certificates, this specifies the class name that will be used to retrieve the user name from the certificate. The class must implement the org.apache.catalina.realm.X509UsernameRetriever interface. The default is to use the certificate's SubjectDN as the username.
The JNDI Directory Realm connects Tomcat to an LDAP Directory, accessed through an appropriate JNDI driver, that stores usernames, passwords, and their associated roles. Changes to the directory are immediately reflected in the information used to authenticate new logins.
A rich set of additional attributes lets you configure the required behaviour as well as the connection to the underlying directory and the element and attribute names used to retrieve information from the directory:
Microsoft Active Directory often returns referrals. When iterating over NamingEnumerations these lead to PartialResultExceptions. If you want us to ignore those exceptions, set this attribute to "true". Unfortunately there's no stable way to detect, if the Exceptions really come from an AD referral. The default value is "false".
Specify which cipher suites are allowed when trying to open a secured connection using StartTLS. The allowed cipher suites are specified by a comma separated list. The default is to use the cipher suites of the JVM.
The directory username to use when establishing a connection to the directory for LDAP search operations. If not specified an anonymous connection is made, which is often sufficient unless you specify the userPassword property.
The directory password to use when establishing a connection to the directory for LDAP search operations. If not specified an anonymous connection is made, which is often sufficient unless you specify the userPassword property.
The JNDI realm can use a pool of connections to the directory server to avoid blocking on a single connection. This attribute value is the maximum pool size. If not specified, it will use 1, which means a single connection will be used.
A setting of true forces escaping in the String representation of a distinguished name to use the \nn form. This may avoid issues with realms using Active Directory which appears to be more tolerant of optional escaping when the \nn form is used. If not specified, the default of false will be used.
3a8082e126