Skip to main content

Tomcat creating a custom Valve

I recently tried registering an app with Salesforce and they reported a security vulnerability of JSESSIONID cookie not being secure in it. The app uses https but this JSESSIONID cookie is created by tomcat. The app is fronted by tomcat so the Apache-tomcat connector is not secure. There were various solution like:

1) Adding secure="true" on http connector, but it didnt worked, somehow it used to work in older tomcat but not in the version of tomcat we use.
2)Other solution is to write an apache module to rewrite the Set-Cookie header but that is too complex.
3)I tried implementing a filter and wrapping the HttpServletResponse and overriding setHeader method but unfortunately by the time the call reaches the filter tomcat has already added the cookie in response and if I add another one there were two cookies sent one with secure and other with no secure attribute so that defeats the purpose.

Here I thought Valves comes to rescue so I implemented a tomcat Valve (unfortuntely the Valve solution also doesn't work because I had to wrap the org.apache.catalina.connector.Response and it has protected fields that can be directly used by some classes so I had to drop the solution). But I learnt how to create a valve so thought of sharing it.

A tomcat Valve is similar to servlet filter except you get tomcat request,response classes that extend the HttpServletRequest/Response. Without going into much BS as we all are programmers let me paste the real code

package org.apache.catalina.connector;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.valves.ValveBase;

public class SecureSessionCookieValve extends ValveBase {

 @Override
 public void invoke(Request request, Response response) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String clientId = httpRequest.getHeader("X-Forwarded-For");
        if (clientId != null) {
      if(containerLog.isDebugEnabled()) {
       containerLog.debug("wrapping response to mark session cookies as secure");
      }
         response = new SecureSessionCookieResponse(response, true, containerLog);
        } else {
         //this is done so that local tests show no wrapping side effects
      if(containerLog.isDebugEnabled()) {
       containerLog.debug("wrapping response but will not mark session cookies as secure");
      }
         response = new SecureSessionCookieResponse(response, false, containerLog);
        }
        request.setResponse(response);
        getNext().invoke(request, response);
 }

}


The valve checks if the request is forwarded from apache->tomcat then it tries to make the cookie secure else it would leave it as is.

Once you have written the valve create a jar file out of classes and put it in tomcathome/server/lib and then modify the server.xml to add the valve under Context tag as shown below

 <Context path="" docBase="ROOT" debug="0" privileged="true">
 <Valve className="org.apache.catalina.connector.SecureSessionCookieValve" />


Not posting the SecureSessionCookieResponse class as this solution doesnt work. In next post Patching tomcat to make JSESSIONID secure I would describe how I patched the tomcat class to make the JSESSIONID secure.

Comments

Popular posts from this blog

RabbitMQ java clients for beginners

Here is a sample of a consumer and producer example for RabbitMQ. The steps are
Download ErlangDownload Rabbit MQ ServerDownload Rabbit MQ Java client jarsCompile and run the below two class and you are done.
This sample create a Durable Exchange, Queue and a Message. You will have to start the consumer first before you start the for the first time.

For more information on AMQP, Exchanges, Queues, read this excellent tutorial
http://blogs.digitar.com/jjww/2009/01/rabbits-and-warrens/

+++++++++++++++++RabbitMQProducer.java+++++++++++++++++++++++++++
import com.rabbitmq.client.Connection; import com.rabbitmq.client.Channel; import com.rabbitmq.client.*; public class RabbitMQProducer { public static void main(String []args) throws Exception { ConnectionFactory factory = new ConnectionFactory(); factory.setUsername("guest"); factory.setPassword("guest"); factory.setVirtualHost("/"); factory.setHost("127.0.0.1"); factory.setPort(5672); Conne…

What a rocky start to labor day weekend

Woke up by earthquake at 7:00 AM in morning and then couldn't get to sleep. I took a bath, made my tea and started checking emails and saw that after last night deployment three storage node out of 100s of nodes were running into Full GC. What was special about the 3 nodes was that each one was in a different Data centre but it was named same app02.  This got me curious I asked the node to be taken out of rotation and take a heap dump.  Yesterday night a new release has happened and I had upgraded spymemcached library version as new relic now natively supports instrumentation on it so it was a suspect. And the hunch was a bullseye, the heap dump clearly showed it taking 1.3G and full GCs were taking 6 sec but not claiming anything.



I have a quartz job in each jvm that takes a thread dump every 5 minutes and saves last 300 of them, checking few of them quickly showed a common thread among all 3 data centres. It seems there was a long running job that was trying to replicate pending…

Email slavery

It seems I have become an EmailSlave. The first half of the day is spent in just answering to emails. There are so many emails where I am copied but I need not be. There are many emails  where its a 1-2 page email and somewhere down someone says @KP please answer this.  So it seems daily my work schedule is:
Signin to newrelic and check anomalies for 15 min. Check emails related production exception report and yes there are a ton of these report daily. Need a better tool here as this model is not scalable. I need to reduce the incoming data at me to only see relevant data like what newrelic does. May be I need to create a webapp out of these emails.Check emails for next few minutes before team callsDo team callsThen again back to checking emails until a I have taken a best shot at answering everyone waiting for my reply.Attend team meetings on Tue/Thu
Being an architect and coder at heart I don't feel satisfied at end of the day if there is nothing tangible getting done at the end.…