Cyrille Le Clerc

I faced the same NPE with Jetty 7.6, it is caused by calling toString() on servletContext.getAttribute("com.sun.jsp.taglibraryCache") which returns a java.util.concurrent.ConcurrentHashMap.

The stack trace is :
java.lang.NullPointerException at org.apache.jasper.compiler.TagLibraryInfoImpl.toString(TagLibraryInfoImpl.java:123) at java.lang.String.valueOf(String.java:2838) at java.lang.StringBuilder.append(StringBuilder.java:132) at java.util.AbstractMap.toString(AbstractMap.java:523)

Hope this helps,

Cyrille

Hello Andrew,

You are right, RemoteIpValve (and RemoteIpFilter) currently override the serverPort when you specify a protocol header (e.g. x-forwarded-proto). Would you like to add a boolean configuration option override-http-server-port-with-protocol-information to disable this behavior for your use case ?

Thanks for your interest in RemoteIpValve,

Cyrille

Andrew Swanson wrote:
I am using the RemoteIpValve to correctly set request.isSecure and request.scheme but I am using the "ProxyPreserveHost" Apache httpd directive so that request.serverHost and request.serverPort are correctly set in Tomcat. Is there anyway to prevent RemoteIpValve from populating the request.serverPort when it detects the presence of the $protocolHeader http header?

Hello,

Here is a sample of code to get the JVM's default Trust Managers :
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init((KeyStore)null); System.out.println("JVM Default Trust Managers:"); for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) { System.out.println(trustManager); if (trustManager instanceof X509TrustManager) { X509TrustManager x509TrustManager = (X509TrustManager)trustManager; System.out.println("\tAccepted issuers count : " + x509TrustManager.getAcceptedIssuers().length); } }

I get the following result on my Apple 1.6.0_17 JVM :

JVM Default Trust Managers:
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl@687b6889
Accepted issuers count : 163


Hope this helps,

Cyrille

Hello,

The RemoteIpValve is now available in Tomcat 6.0.24. I didn't yet have the time to merge in Tomcat's documentation all the docs we wrote. If you are interested in more details about the handling of X-Forwarded-For, internal proxies, trusted proxies, X-Forwarded-Proto or scenarios to handle SSL with tomcat preceded by Apache Httpd and/or load balancers, please have a look at :

Google Code: RemoteIpValve

Tomcat : Adresse IP de l’internaute, load balancer, reverse proxy et header Http X-Forwarded-For (French but google translate friendly)

Tomcat, SSL, communications sécurisées et X-Forwarded-Proto (French but google translate friendly with many drawings)

thanks again for your interest in the RemoteIpValve,

Cyrille

Hello,

The RemoteIpValve and the XForwardedFilter have been integrated in the Tomcat Project. The RemoteIpValve will be available in the forthcoming Tomcat 6.0.21 version when the XForwardedFilter has been renamed RemoteIpFilter and will be integrated in Tomcat 7.
The Google Code version of XForwardedFilter will still be interesting for people who want to integrate this features in other servlet containers (Glassfish, JBoss, Weblogic, WebSphere, etc) without importing Tomcat jars.

Cyrille.

Hello,

Getting the IP address of the client can be tricky because each traversed proxy and load balancer adds an IP address to the multi valued, comma delimited, value of the X-Forwarded-For header (see Wikipedia X-Forwarded-For page). Moreover, web client can tweak the X-Forwarded-For with tools like Firefox Modify Headers or X-Forwarded-For Spoofer add-ons.

The forthcoming version of Apache Httpd will offer a secure mechanism to handle X-Forwarded-For with mod_remoteip.

Here are a Tomcat valve RemoteIpValve and a servlet filter XForwardedFilter to repectively integrate the X-Forwarded-For and X-Forwarded-Proto (http or https) headers at the Tomcat and WAR levels.

Thanks to these valve and filter, the actual client ip and the incoming protocol (http/https) will be available in Tomcat logs (if you use the valve) and in the servlet API (request.getRemoteAddr(), request.getRemoteHost(), request.isSecure(), request.getScheme() and request.getServerPort()).
The Tomcat RemoteIpValve has been proposed to the Tomcat Project as Bug 47330 - proposal : port of mod_remoteip in Tomcat as RemoteIpValve.

Hope thise helps,

Cyrille