Detailed explanation of Tomcat's commonly used filters

1. Cross-origin filter CorsFilter

org.apache.catalina.filters.CorsFilter is an implementation of the Cross-Origin Resource Sharing (CORS) specification. It is typically used when the front end and back end, or static resources and the back end, are served from different origins. It adds the Access-Control-* headers to the HttpServletResponse, protects against HTTP response splitting, and rejects the request with a 403 response code if the request is invalid or its origin is not permitted.

1.1 Configuration Example

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

1.2 Parameter Description

1. cors.allowed.origins

A comma-separated list of origins that are allowed to access the resource, for example https://app.example.com,https://admin.example.com; each origin is compared by exact string match. "*" means any origin is allowed. Older Tomcat releases defaulted this to "*"; current releases default to the empty string (no origin allowed), so set it explicitly. Do not combine "*" with cors.support.credentials=true as the configuration example above does: because a literal "*" is not permitted on a credentialed response, the filter instead echoes whatever Origin the request carries, which lets any website make cookie-bearing requests to the application and read the responses.

2. cors.allowed.methods

A comma-separated list of HTTP methods that cross-origin requests may use. The list is returned in the Access-Control-Allow-Methods header of the preflight response, and a preflight whose Access-Control-Request-Method is not in the list is rejected. The default is GET,POST,HEAD,OPTIONS.

3. cors.allowed.headers

A comma-separated list of request headers that a cross-origin request may carry. The list is returned in the Access-Control-Allow-Headers header of the preflight response, and a preflight asking for any other header is rejected. The default is Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers.

4. cors.exposed.headers

A comma-separated list of response headers, beyond the CORS-safelisted ones, that the browser is allowed to expose to the calling script. The list is returned in the Access-Control-Expose-Headers header of the actual response; it is empty by default. Listing Access-Control-Allow-Origin and Access-Control-Allow-Credentials here, as the example does, has no useful effect: they are CORS control headers, not application data.

5. cors.preflight.maxage

The number of seconds the browser may cache the result of a preflight request, returned in the Access-Control-Max-Age header of the preflight response. A negative value stops the filter from adding the header. The default is 1800.

6. cors.support.credentials

Whether the resource accepts credentialed requests (cookies, HTTP authentication, client certificates). When true, the filter adds Access-Control-Allow-Credentials: true to the response. Older Tomcat releases defaulted this to true; current releases default to false. Enable it only together with an explicit origin allow-list, never with "*".

7. cors.request.decorate

Whether the filter adds CORS-specific attributes to the HttpServletRequest; the default is true. When enabled, the following request attributes are set:

1) cors.isCorsRequest: whether the request is a CORS request.

2) cors.request.origin: the value of the Origin header, i.e. the origin of the page that issued the request.

3) cors.request.type: the CORS request type, one of:

SIMPLE : a simple cross-origin request, sent without a preflight.

ACTUAL : the actual request that follows a preflight.

PRE_FLIGHT : a preflight (OPTIONS) request.

NOT_CORS : a normal same-origin request.

INVALID_CORS : an invalid cross-origin request (rejected with 403).

4) cors.request.headers: the header names listed in the preflight request's Access-Control-Request-Headers header.
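The following is an added example, not code from the page or from Tomcat: a small Python model of the decision CorsFilter makes for a request carrying an Origin header, written to show concretely why the page's configuration (origins "*" with credentials) differs from an explicit allow-list. Origins are compared by exact string match, and method and header names are checked against the configured lists, as described above; the origins and hostnames used are assumed for illustration.

```python
# Added example, not Tomcat's code: a model of CorsFilter's origin, method
# and header decisions. All origins below are assumed for illustration.


class CorsPolicy:
    def __init__(self, allowed_origins, allowed_methods="GET,POST,HEAD,OPTIONS",
                 allowed_headers="Origin,Accept,X-Requested-With,Content-Type,"
                                 "Access-Control-Request-Method,Access-Control-Request-Headers",
                 support_credentials=False):
        self.any_origin = allowed_origins.strip() == "*"
        self.origins = {o.strip() for o in allowed_origins.split(",") if o.strip()}
        self.methods = {m.strip() for m in allowed_methods.split(",") if m.strip()}
        # header names are compared case-insensitively
        self.headers = {h.strip().lower() for h in allowed_headers.split(",") if h.strip()}
        self.support_credentials = support_credentials

    def origin_allowed(self, origin):
        # exact match: "https://app.example.com.evil.example" is a different origin
        return self.any_origin or origin in self.origins

    def _standard_headers(self, origin):
        headers = {}
        if self.any_origin and not self.support_credentials:
            headers["Access-Control-Allow-Origin"] = "*"
        else:
            # A literal "*" is not valid on a credentialed response, so the
            # request's Origin is echoed instead. With "*" configured, every
            # origin gets echoed, i.e. every site gets credentialed access.
            headers["Access-Control-Allow-Origin"] = origin
        if self.support_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers

    def actual(self, origin):
        """Simple or actual request: returns (status, response headers)."""
        if origin is None:
            return 200, {}              # not a CORS request, nothing added
        if not self.origin_allowed(origin):
            return 403, {}              # forbidden origin is rejected
        return 200, self._standard_headers(origin)

    def preflight(self, origin, request_method, request_headers=()):
        """OPTIONS preflight: returns (status, response headers)."""
        if origin is None or not self.origin_allowed(origin):
            return 403, {}
        if request_method is None or request_method not in self.methods:
            return 403, {}
        if any(h.strip().lower() not in self.headers for h in request_headers):
            return 403, {}
        headers = self._standard_headers(origin)
        headers["Access-Control-Allow-Methods"] = ",".join(sorted(self.methods))
        headers["Access-Control-Allow-Headers"] = ",".join(sorted(self.headers))
        return 200, headers


# The page's configuration: any origin, with credentials.
PAGE_POLICY = CorsPolicy("*", "GET,POST,HEAD,OPTIONS,PUT", support_credentials=True)
# Hardened: an explicit allow-list (origins assumed for the example).
SAFE_POLICY = CorsPolicy("https://app.example.com,https://admin.example.com",
                         "GET,POST,HEAD,OPTIONS,PUT", support_credentials=True)


def compare(origin):
    """Access-Control-Allow-Origin each policy would send, or None when the request is rejected."""
    results = {}
    for name, policy in (("page", PAGE_POLICY), ("safe", SAFE_POLICY)):
        status, headers = policy.actual(origin)
        results[name] = headers.get("Access-Control-Allow-Origin") if status == 200 else None
    return results


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evil.example",
                   "https://app.example.com.evil.example"):
        print(origin, compare(origin))
```

With the page's settings, compare("https://evil.example") reports that the attacker's origin is echoed back together with Access-Control-Allow-Credentials: true; with the allow-list it is rejected, as is the look-alike origin https://app.example.com.evil.example.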

2. CSRF protection filter CsrfPreventionFilter

org.apache.catalina.filters.CsrfPreventionFilter provides basic CSRF protection for a web application. It protects only the links the application emits through HttpServletResponse.encodeRedirectURL(String) and HttpServletResponse.encodeURL(String): the filter generates a random nonce, stores it in the session, and its response wrapper appends the nonce to every encoded URL as the request parameter org.apache.catalina.filters.CSRF_NONCE. On the next request the nonce carried in that parameter is compared against the nonces stored in the session, and the request is allowed only if it matches; otherwise it is rejected with denyStatus. Links written without encodeURL (by hand, or by a front-end framework that builds its own URLs) carry no nonce and are rejected, so the filter suits server-rendered applications.

2.1 Configuration Example

<filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>denyStatus</param-name>
        <param-value>403</param-value>
    </init-param>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/html,/html/list</param-value>
    </init-param>
    <init-param>
        <param-name>nonceCacheSize</param-name>
        <param-value>5</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

2.2 Parameter Description

1. denyStatus: the HTTP status code returned when a request is rejected; the default is 403.

2. entryPoints: a comma-separated list of context-relative paths that are not checked for a nonce. They are the pages through which a user enters the protected application (for example after navigating away and coming back). Only GET requests to these paths skip the check:

if ("GET".equals(req.getMethod()) && this.entryPoints.contains(this.getRequestedPath(req))) {
    skipNonceCheck = true;
}

3. nonceCacheSize: the number of previously issued nonces kept per session in an LRU cache, so that concurrent requests (several tabs, parallel AJAX calls) still find their nonce. This also tolerates browser refreshes to a limited extent: a refresh may resend a nonce that has already been evicted. The default is 5:

private int nonceCacheSize = 5;
....
if (nonceCache == null) {
    nonceCache = new CsrfPreventionFilter.LruCache(this.nonceCacheSize);
    if (session == null) {
        session = req.getSession(true);
    }
    session.setAttribute("org.apache.catalina.filters.CSRF_NONCE", nonceCache);
}

4. randomClass: the class used to generate nonces; it must extend java.util.Random. If not set, java.security.SecureRandom is used. Keep the default: a predictable generator such as java.util.Random would let an attacker guess the nonce.
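The following is an added example, not code from the page or from Tomcat: a Python model of the nonce handling described in this section (per-session LRU cache, URL encoding, entryPoints skip, denyStatus), written to show what nonceCacheSize actually limits. The paths and the nonce generator are assumed for illustration; Tomcat's own nonce comes from the configured randomClass.

```python
# Added example, not Tomcat's code: a model of CsrfPreventionFilter's nonce
# flow. Paths are assumed for illustration.
import secrets
from collections import OrderedDict

# Tomcat uses the same string for the session attribute and the request parameter.
NONCE_NAME = "org.apache.catalina.filters.CSRF_NONCE"


class LruCache:
    """Keeps the last `size` nonces; the oldest is evicted first."""

    def __init__(self, size):
        self.size = size
        self._items = OrderedDict()

    def add(self, key):
        self._items[key] = True
        while len(self._items) > self.size:
            self._items.popitem(last=False)

    def contains(self, key):
        return key in self._items


class CsrfModel:
    def __init__(self, entry_points, nonce_cache_size=5, deny_status=403):
        self.entry_points = set(entry_points)
        self.nonce_cache_size = nonce_cache_size
        self.deny_status = deny_status
        self.session = {}   # stands in for one user's HttpSession attributes

    @staticmethod
    def encode_url(url, nonce):
        """What the wrapped response's encodeURL() does: append the nonce parameter."""
        sep = "&" if "?" in url else "?"
        return f"{url}{sep}{NONCE_NAME}={nonce}"

    def handle(self, method, path, params=None):
        """Return (status, nonce issued for this response, or None when denied)."""
        params = params or {}
        cache = self.session.get(NONCE_NAME)
        skip_check = method == "GET" and path in self.entry_points
        if not skip_check:
            previous = params.get(NONCE_NAME)
            if cache is None or previous is None or not cache.contains(previous):
                return self.deny_status, None
        if cache is None:
            cache = LruCache(self.nonce_cache_size)
            self.session[NONCE_NAME] = cache
        # secrets stands in for Tomcat's SecureRandom-based nonce (assumption).
        nonce = secrets.token_hex(16)
        cache.add(nonce)
        return 200, nonce


def scenario():
    """Walk through the typical flows; returns the outcome of each step."""
    csrf = CsrfModel(entry_points=["/html", "/html/list"], nonce_cache_size=5)
    out = {}
    # A POST with a guessed nonce (e.g. a cross-site form) is denied, even as the first request.
    out["forged_post"] = csrf.handle("POST", "/html/save", {NONCE_NAME: "guess"})[0]
    # Entering through an entry point issues the first nonce ...
    status, nonce = csrf.handle("GET", "/html")
    out["entry"] = status
    # ... which the page embeds in its links via encodeURL(); the next request carries it.
    link = csrf.encode_url("/html/save?id=7", nonce)
    out["link_has_nonce"] = f"{NONCE_NAME}={nonce}" in link
    out["valid_post"] = csrf.handle("POST", "/html/save", {NONCE_NAME: nonce})[0]
    # A nonce stays valid while it is among the last nonceCacheSize issued ...
    out["reuse_recent"] = csrf.handle("POST", "/html/save", {NONCE_NAME: nonce})[0]
    # ... but six more page loads (six tabs) push it out of a cache of five.
    for _ in range(6):
        csrf.handle("GET", "/html")
    out["reuse_evicted"] = csrf.handle("POST", "/html/save", {NONCE_NAME: nonce})[0]
    return out


if __name__ == "__main__":
    print(scenario())
```

The last two steps are the practical meaning of nonceCacheSize: a user who opens more tabs than the cache holds, then submits a form from the oldest tab, receives denyStatus, so size the cache for the concurrency the application actually sees.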

3. Parameter-parsing failure filter FailedRequestFilter

org.apache.catalina.filters.FailedRequestFilter triggers parameter parsing of the request and rejects the request if parsing failed. Without it, a request whose parameters Tomcat silently dropped (for example because maxParameterCount or maxPostSize was exceeded, or the body was malformed) would be processed with an incomplete parameter set. The filter works as follows: it calls ServletRequest.getParameter(), which on the first call makes Tomcat parse the request parameters; if parsing fails, Tomcat records that in the request attribute org.apache.catalina.parameter_parse_failed. The filter then checks that attribute and, if it is set, returns 400 Bad Request (recent versions choose 413 when the failure was a size limit).

For the parameters to be decoded with the correct character set, map SetCharacterEncodingFilter before this filter. The filter has no initialization parameters.

// A request is good when org.apache.catalina.parameter_parse_failed was not set by the parse
private boolean isGoodRequest(ServletRequest request) {
    request.getParameter("none");   // forces parameter parsing on the first call
    return request.getAttribute("org.apache.catalina.parameter_parse_failed") == null;
}

4. Client IP restriction filter RemoteAddrFilter

org.apache.catalina.filters.RemoteAddrFilter compares the client IP address of the request (as returned by ServletRequest.getRemoteAddr()) against regular expressions and allows or denies the request accordingly. Behind a reverse proxy or load balancer getRemoteAddr() returns the proxy's address, so map RemoteIpFilter before this filter (see section 6); otherwise every request appears to come from the proxy.

4.1 Configuration Example

<filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Remote Address Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

4.2 Parameter Description

1. allow: a regular expression (java.util.regex.Pattern) that the remote address must match in full for the request to be accepted. If not set, all requests are accepted unless they match deny.

2. deny: a regular expression that, when matched in full by the remote address, causes the request to be rejected. deny is evaluated before allow.

3. denyStatus: the HTTP status code returned when a request is rejected; the default is 403.

The patterns are matched against the whole address, so 127\.\d+\.\d+\.\d+ matches 127.0.0.1, while a partial pattern such as 192\.168 matches nothing.

5. Client host restriction filter RemoteHostFilter

org.apache.catalina.filters.RemoteHostFilter compares the client host name of the request (ServletRequest.getRemoteHost()) against regular expressions to decide whether the request may proceed. It takes the same parameters as RemoteAddrFilter. The host name comes from a reverse DNS lookup that is only performed when the connector has enableLookups="true"; otherwise getRemoteHost() returns the IP address and no host pattern will match. Reverse DNS is also controlled by whoever owns the client's address block, so prefer RemoteAddrFilter for access control.

6. Original client IP filter RemoteIpFilter

When a client reaches the server through an HTTP proxy or a load balancer, the connection the server sees comes from the front-end proxy, so the remote IP it obtains is the proxy's address rather than the client's.

6.1 How the original client IP address is obtained

By convention, each proxy between the client and the application server appends the address it received the request from to the X-Forwarded-For header. RemoteIpFilter parses this header and replaces the remote IP address and host name of the request (getRemoteAddr()/getRemoteHost()) with the client's real address, but only when the request arrived from a proxy the filter is configured to trust. It can also set the scheme (http/https), the server port and request.isSecure() from the X-Forwarded-Proto header.

The format of X-Forwarded-For is as follows:

X-Forwarded-For: client, proxy1, proxy2

client is the original client. proxy1 received the request from the client and appended "client"; proxy2 received it from proxy1 and appended "proxy1". The last proxy in the chain, the one that connected to Tomcat, does not appear in the header: its address is what ServletRequest.getRemoteAddr() returns. The filter walks the list from right to left, skipping addresses that match internalProxies and recording addresses that match trustedProxies in the proxiesHeader, and stops at the first address that matches neither: that address becomes the client address. If the connecting address itself does not match internalProxies, the header is ignored entirely, because any client can send an X-Forwarded-For header of its own choosing. Behind a load balancer, RemoteAddrFilter and RemoteHostFilter must therefore be used together with this filter and mapped after it; otherwise client restrictions cannot work.
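The following is an added example, not code from the page or from Tomcat: a Python model of the right-to-left walk over X-Forwarded-For described above, followed by the RemoteAddrFilter allow/deny check from section 4.2, so the two filters can be seen working together and against a forged header. It also includes the X-Forwarded-Proto handling and, for contrast, a hand-rolled lookup of the kind shown below that trusts the header as sent. The internalProxies pattern is the page's example; the trusted proxy address, the client addresses and the allow pattern are assumed for illustration.

```python
# Added example, not Tomcat's code: a model of RemoteIpFilter's trust walk
# and a RemoteAddrFilter-style check. Addresses and patterns are assumed.
import re


def resolve_remote_ip(remote_addr, xff, internal_proxies, trusted_proxies=None):
    """Return (client_ip, proxies_recorded, remaining_xff) as RemoteIpFilter would."""
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    # The peer that opened the connection must itself be an internal proxy;
    # otherwise the header is attacker-supplied and left untouched.
    if not internal.fullmatch(remote_addr):
        return remote_addr, [], xff
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    proxies = []
    client = remote_addr            # no header: the connecting address stays
    idx = len(hops) - 1
    while idx >= 0:
        hop = hops[idx]
        client = hop
        if internal.fullmatch(hop):
            pass                        # internal hops are dropped silently
        elif trusted and trusted.fullmatch(hop):
            proxies.insert(0, hop)      # trusted hops go to proxiesHeader
        else:
            idx -= 1                    # first untrusted address is the client
            break
        idx -= 1
    remaining = ",".join(hops[:idx + 1]) or None   # what is left in remoteIpHeader
    return client, proxies, remaining


def resolve_scheme(proto_header_value):
    """protocolHeader handling: (secure, scheme, port), or None to leave the request as is."""
    if proto_header_value is None:
        return None
    if proto_header_value.lower() == "https":
        return True, "https", 443
    return False, "http", 80


def addr_filter_allows(remote_addr, allow=None, deny=None):
    """RemoteAddrFilter: deny is checked first, then allow; patterns must match the whole address."""
    if deny and re.fullmatch(deny, remote_addr):
        return False
    if allow:
        return re.fullmatch(allow, remote_addr) is not None
    return True


def naive_client_ip(headers, remote_addr):
    """Hand-rolled lookup: trusts X-Forwarded-For whenever it is present."""
    value = headers.get("x-forwarded-for")
    if not value or value.lower() == "unknown":
        return remote_addr
    return value


INTERNAL = r"192\.168\.0\.10|192\.168\.0\.11"   # the page's internalProxies example
TRUSTED = r"203\.0\.113\.5"                      # assumed edge proxy address


def admitted(remote_addr, xff, allow=r"198\.51\.100\.\d+"):
    """Run RemoteIpFilter then RemoteAddrFilter: (client seen, request admitted?)."""
    client, _, _ = resolve_remote_ip(remote_addr, xff, INTERNAL, TRUSTED)
    return client, addr_filter_allows(client, allow=allow)


def scenario():
    """Three requests through both filters, plus what the naive lookup would believe."""
    cases = {
        # genuine client 198.51.100.7 -> edge proxy 203.0.113.5 -> internal LB 192.168.0.10
        "legit": ("192.168.0.10", "198.51.100.7, 203.0.113.5"),
        # attacker 192.0.2.66 sends a forged header through the internal LB, which appends him
        "forged_via_lb": ("192.168.0.10", "198.51.100.7, 192.0.2.66"),
        # attacker connects to Tomcat directly with the forged header
        "forged_direct": ("192.0.2.66", "198.51.100.7"),
    }
    out = {}
    for name, (remote_addr, xff) in cases.items():
        client, allowed = admitted(remote_addr, xff)
        naive = naive_client_ip({"x-forwarded-for": xff}, remote_addr)
        out[name] = {"client": client, "allowed": allowed, "naive": naive}
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

In both forged cases the filters resolve the client to the attacker's own address and the allow-list rejects the request, while the naive lookup returns the forged value (or the whole comma-separated chain) and would have admitted it.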

The following hand-written code is often used instead of the filter to read X-Forwarded-For. Note that it trusts the headers blindly and returns the whole comma-separated chain, so any client can spoof the result simply by sending the header itself:

public static String getIp(HttpServletRequest request) {
    // Each of these headers is set by a proxy, or by the client itself;
    // nothing here checks which peer actually supplied it.
    String requestAddr = request.getHeader("x-forwarded-for");
    if (requestAddr == null || requestAddr.length() == 0 || "unknown".equalsIgnoreCase(requestAddr)) {
        requestAddr = request.getHeader("Proxy-Client-IP");      // set by some proxies
    }

    if (requestAddr == null || requestAddr.length() == 0 || "unknown".equalsIgnoreCase(requestAddr)) {
        requestAddr = request.getHeader("WL-Proxy-Client-IP");   // WebLogic proxy plug-in
    }

    if (requestAddr == null || requestAddr.length() == 0 || "unknown".equalsIgnoreCase(requestAddr)) {
        requestAddr = request.getRemoteAddr();                   // the connecting peer
    }

    // For "client, proxy1, proxy2" this returns the whole list, not a single address.
    return requestAddr;
}

6.2 Configuration Example

1) Basic configuration: X-Forwarded-For is processed using the default remoteIpHeader and internalProxies settings

<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>RemoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

2) Processing the X-Forwarded-For and X-Forwarded-Proto headers

<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
    <init-param>
    <param-name>protocolHeader</param-name>
    <param-value>x-forwarded-proto</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>RemoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

3) Advanced configuration with internal proxies

The init-param names below are the ones listed in Tomcat's filter reference (internalProxies, remoteIpHeader, proxiesHeader, protocolHeader); some older examples spell the first and third allowedInternalProxies and remoteIpProxiesHeader, so check the reference for your version. Restrict internalProxies to the addresses of your own proxies: the default pattern matches all RFC 1918 private ranges, 127.x.x.x, 169.254.x.x and the IPv6 loopback, which is wider than most deployments need.

<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
    <init-param>
        <param-name>internalProxies</param-name>
        <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
    </init-param>
    <init-param>
        <param-name>remoteIpHeader</param-name>
        <param-value>x-forwarded-for</param-value>
    </init-param>
    <init-param>
        <param-name>proxiesHeader</param-name>
        <param-value>x-forwarded-by</param-value>
    </init-param>
    <init-param>
        <param-name>protocolHeader</param-name>
        <param-value>x-forwarded-proto</param-value>
    </init-param>
</filter>

4) Advanced configuration with trusted proxies

trustedProxies is matched against the addresses that appear in the X-Forwarded-For header, so the placeholder values proxy1|proxy2 below only work if the proxies insert those literal names; in practice the pattern lists the proxies' IP addresses. Trusted proxies are recorded in the proxiesHeader, internal ones are dropped silently.

<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
    <init-param>
        <param-name>internalProxies</param-name>
        <param-value>192\.168\.0\.10|192\.168\.0\.11</param-value>
    </init-param>
    <init-param>
        <param-name>remoteIpHeader</param-name>
        <param-value>x-forwarded-for</param-value>
    </init-param>
    <init-param>
        <param-name>proxiesHeader</param-name>
        <param-value>x-forwarded-by</param-value>
    </init-param>
    <init-param>
        <param-name>trustedProxies</param-name>
        <param-value>proxy1|proxy2</param-value>
    </init-param>
</filter>

7. Character set encoding filter SetCharacterEncodingFilter

Provides a way to set the character encoding used to decode request parameters. The default is usually ISO-8859-1, but UTF-8 is recommended in production. The filter can either apply its encoding only when the request does not specify one, or override the request's encoding unconditionally. Map it as the first filter, before anything that calls getParameter(): the encoding has no effect once the parameters have been parsed.

7.1 Configuration Example

<filter>
    <filter-name>SetCharacterEncodingFilter</filter-name>
    <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>ignore</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SetCharacterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

7.2 Parameter Description

1. encoding: the character encoding to set.

2. ignore: whether to ignore an encoding already specified by the client request (the charset in Content-Type). If true, the filter's encoding always replaces it; if false, the filter's encoding is applied only when the request specifies none. The default is false.

This concludes the overview of Tomcat's commonly used filters.
