Skip to main content

Tomcat creating a custom Valve

I recently tried registering an app with Salesforce and they reported a security vulnerability of JSESSIONID cookie not being secure in it. The app uses https but this JSESSIONID cookie is created by tomcat. The app is fronted by tomcat so the Apache-tomcat connector is not secure. There were various solution like:

1) Adding secure="true" on http connector, but it didnt worked, somehow it used to work in older tomcat but not in the version of tomcat we use.
2)Other solution is to write an apache module to rewrite the Set-Cookie header but that is too complex.
3)I tried implementing a filter and wrapping the HttpServletResponse and overriding setHeader method but unfortunately by the time the call reaches the filter tomcat has already added the cookie in response and if I add another one there were two cookies sent one with secure and other with no secure attribute so that defeats the purpose.

Here I thought Valves comes to rescue so I implemented a tomcat Valve (unfortuntely the Valve solution also doesn't work because I had to wrap the org.apache.catalina.connector.Response and it has protected fields that can be directly used by some classes so I had to drop the solution). But I learnt how to create a valve so thought of sharing it.

A tomcat Valve is similar to servlet filter except you get tomcat request,response classes that extend the HttpServletRequest/Response. Without going into much BS as we all are programmers let me paste the real code

package org.apache.catalina.connector;


import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.valves.ValveBase;

public class SecureSessionCookieValve extends ValveBase {

 public void invoke(Request request, Response response) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String clientId = httpRequest.getHeader("X-Forwarded-For");
        if (clientId != null) {
      if(containerLog.isDebugEnabled()) {
       containerLog.debug("wrapping response to mark session cookies as secure");
         response = new SecureSessionCookieResponse(response, true, containerLog);
        } else {
         //this is done so that local tests show no wrapping side effects
      if(containerLog.isDebugEnabled()) {
       containerLog.debug("wrapping response but will not mark session cookies as secure");
         response = new SecureSessionCookieResponse(response, false, containerLog);
        getNext().invoke(request, response);


The valve checks if the request is forwarded from apache->tomcat then it tries to make the cookie secure else it would leave it as is.

Once you have written the valve create a jar file out of classes and put it in tomcathome/server/lib and then modify the server.xml to add the valve under Context tag as shown below

 <Context path="" docBase="ROOT" debug="0" privileged="true">
 <Valve className="org.apache.catalina.connector.SecureSessionCookieValve" />

Not posting the SecureSessionCookieResponse class as this solution doesnt work. In next post Patching tomcat to make JSESSIONID secure I would describe how I patched the tomcat class to make the JSESSIONID secure.


Popular posts from this blog

RabbitMQ java clients for beginners

Here is a sample of a consumer and producer example for RabbitMQ. The steps are
Download ErlangDownload Rabbit MQ ServerDownload Rabbit MQ Java client jarsCompile and run the below two class and you are done.
This sample create a Durable Exchange, Queue and a Message. You will have to start the consumer first before you start the for the first time.

For more information on AMQP, Exchanges, Queues, read this excellent tutorial
import com.rabbitmq.client.Connection; import com.rabbitmq.client.Channel; import com.rabbitmq.client.*; public class RabbitMQProducer { public static void main(String []args) throws Exception { ConnectionFactory factory = new ConnectionFactory(); factory.setUsername("guest"); factory.setPassword("guest"); factory.setVirtualHost("/"); factory.setHost(""); factory.setPort(5672); Conne…

Spring query timeout or transaction timeout

If you are using spring to manage transactions then you can specify default transaction timeout using

    <bean id="transactionManager"
        <property name="dataSource" ref="dataSource" />
        <property name="defaultTimeout" value="30" /> <!--30 sec--->             

or you can override the timeout in the annotation

    @Transactional(readOnly = false, timeout=30)

or if you are doing it programatic transactions then you can do

DataSourceTransactionManager transactionManager = new DataSourceTransactionManager(dataSource);

 or you can override the timeout for one particular transaction

TransactionTemplate transactionTemplate = new TransactionTemplate();

Python adding pid file

I have a thumbnail generator that launches multiple processes and the correct way to shut it down is to send kill -HUP to the parent process. To automate I had to write a pid file from python, it was a piece of cake
def writePidFile(): pid = str(os.getpid()) f = open('', 'w') f.write(pid) f.close()