Skip to main content

Tomcat creating a custom Valve

I recently tried registering an app with Salesforce and they reported a security vulnerability of JSESSIONID cookie not being secure in it. The app uses https but this JSESSIONID cookie is created by tomcat. The app is fronted by tomcat so the Apache-tomcat connector is not secure. There were various solution like:

1) Adding secure="true" on http connector, but it didnt worked, somehow it used to work in older tomcat but not in the version of tomcat we use.
2)Other solution is to write an apache module to rewrite the Set-Cookie header but that is too complex.
3)I tried implementing a filter and wrapping the HttpServletResponse and overriding setHeader method but unfortunately by the time the call reaches the filter tomcat has already added the cookie in response and if I add another one there were two cookies sent one with secure and other with no secure attribute so that defeats the purpose.

Here I thought Valves comes to rescue so I implemented a tomcat Valve (unfortuntely the Valve solution also doesn't work because I had to wrap the org.apache.catalina.connector.Response and it has protected fields that can be directly used by some classes so I had to drop the solution). But I learnt how to create a valve so thought of sharing it.

A tomcat Valve is similar to servlet filter except you get tomcat request,response classes that extend the HttpServletRequest/Response. Without going into much BS as we all are programmers let me paste the real code

package org.apache.catalina.connector;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.valves.ValveBase;

public class SecureSessionCookieValve extends ValveBase {

 @Override
 public void invoke(Request request, Response response) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String clientId = httpRequest.getHeader("X-Forwarded-For");
        if (clientId != null) {
      if(containerLog.isDebugEnabled()) {
       containerLog.debug("wrapping response to mark session cookies as secure");
      }
         response = new SecureSessionCookieResponse(response, true, containerLog);
        } else {
         //this is done so that local tests show no wrapping side effects
      if(containerLog.isDebugEnabled()) {
       containerLog.debug("wrapping response but will not mark session cookies as secure");
      }
         response = new SecureSessionCookieResponse(response, false, containerLog);
        }
        request.setResponse(response);
        getNext().invoke(request, response);
 }

}


The valve checks if the request is forwarded from apache->tomcat then it tries to make the cookie secure else it would leave it as is.

Once you have written the valve create a jar file out of classes and put it in tomcathome/server/lib and then modify the server.xml to add the valve under Context tag as shown below

 <Context path="" docBase="ROOT" debug="0" privileged="true">
 <Valve className="org.apache.catalina.connector.SecureSessionCookieValve" />


Not posting the SecureSessionCookieResponse class as this solution doesnt work. In next post Patching tomcat to make JSESSIONID secure I would describe how I patched the tomcat class to make the JSESSIONID secure.

Comments

Popular posts from this blog

Killing a particular Tomcat thread

Update: This JSP does not work on a thread that is inside some native code.  On many occasions I had a thread stuck in JNI code and it wont work. Also in some cases thread.stop can cause jvm to hang. According to javadocs " This method is inherently unsafe. Stopping a thread with Thread.stop causes it to unlock all of the monitors that it has locked". I have used it only in some rare occasions where I wanted to avoid a system shutdown and in some cases we ended up doing system shutdown as jvm was hung so I had a 70-80% success with it.   -------------------------------------------------------------------------------------------------------------------------- We had an interesting requirement. A tomcat thread that was spawned from an ExecutorService ThreadPool had gone Rogue and was causing lots of disk churning issues. We cant bring down the production server as that would involve downtime. Killing this thread was harmless but how to kill it, t

Adding Jitter to cache layer

Thundering herd is an issue common to webapp that rely on heavy caching where if lots of items expire at the same time due to a server restart or temporal event, then suddenly lots of calls will go to database at same time. This can even bring down the database in extreme cases. I wont go into much detail but the app need to do two things solve this issue. 1) Add consistent hashing to cache layer : This way when a memcache server is added/removed from the pool, entire cache is not invalidated.  We use memcahe from both python and Java layer and I still have to find a consistent caching solution that is portable across both languages. hash_ring and spymemcached both use different points for server so need to read/test more. 2) Add a jitter to cache or randomise the expiry time: We expire long term cache  records every 8 hours after that key was added and short term cache expiry is 2 hours. As our customers usually comes to work in morning and access the cloud file server it can happe

Preparing for an interview after being employed 11 years at a startup

I would say I didn't prepared a hell lot but  I did 2 hours in night every day and every weekend around 8 hours for 2-3 months. I did 20-30 leetcode medium problems from this list https://leetcode.com/explore/interview/card/top-interview-questions-medium/.  I watched the first 12 videos of Lecture Videos | Introduction to Algorithms | Electrical Engineering and Computer Science | MIT OpenCourseWare I did this course https://www.educative.io/courses/grokking-the-system-design-interview I researched on topics from https://www.educative.io/courses/java-multithreading-for-senior-engineering-interviews and leetcode had around 10 multithreading questions so I did those I watched some 10-20 videos from this channel https://www.youtube.com/channel/UCn1XnDWhsLS5URXTi5wtFTA