From 50f1b1da794cd93b70ab5456d3c2c984408e1506 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 18 Jan 2016 13:13:35 +0000
Subject: [PATCH] Expand the session attribute filtering options - new option
 to filter based on implementation class of value - new option to log a
 warning message if an attribute is filtered out - always log a message at at
 least debug level if an attribute is filtered out

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1725263 13f79535-47bb-0310-9956-ffa450edef68
---
 .../ha/session/mbeans-descriptors.xml         |  16 +++
 .../catalina/session/LocalStrings.properties  |   2 +
 .../apache/catalina/session/ManagerBase.java  | 119 +++++++++++++++++-
 .../catalina/session/mbeans-descriptors.xml   |  16 +++
 webapps/docs/changelog.xml                    |   7 ++
 webapps/docs/config/cluster-manager.xml       |  67 ++++++++--
 webapps/docs/config/manager.xml               |  47 ++++++-
 7 files changed, 256 insertions(+), 18 deletions(-)

diff --git a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
index 9cdfe54e4677..511c7679eb78 100644
--- a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
@@ -314,6 +314,14 @@
       name="sessionAttributeNameFilter"
       descritpion="The string pattern used for including session attributes in replication. Null means all attributes are included."
       type="java.lang.String"/>
+    <attribute
+      name="sessionAttributeValueClassNameFilter"
+      description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
+      type="java.lang.String"/>
+    <attribute
+      name="warnOnSessionAttributeFilterFailure"
+      description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
+      type="boolean"/>
     <operation
       name="expireSession"
       description="Expired the given session"
@@ -536,6 +544,14 @@
       name="sessionAttributeNameFilter"
       descritpion="The string pattern used for including session attributes in replication. Null means all attributes are included."
       type="java.lang.String"/>
+    <attribute
+      name="sessionAttributeValueClassNameFilter"
+      description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
+      type="java.lang.String"/>
+    <attribute
+      name="warnOnSessionAttributeFilterFailure"
+      description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
+      type="boolean"/>
     <operation
       name="expireSession"
       description="Expired the given session"
diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties
index c62a9d615500..2dd8625ec898 100644
--- a/java/org/apache/catalina/session/LocalStrings.properties
+++ b/java/org/apache/catalina/session/LocalStrings.properties
@@ -32,6 +32,8 @@ JDBCStore.missingDataSourceName=No valid JNDI name was given.
 JDBCStore.commitSQLException=SQLException committing connection before closing
 managerBase.container.noop=Managers added to containers other than Contexts will never be used
 managerBase.createSession.ise=createSession: Too many active sessions
+managerBase.sessionAttributeNameFilter=Skipped session attribute named [{0}] because it did not match the name filter [{1}]
+managerBase.sessionAttributeValueClassNameFilter=Skipped session attribute named [{0}] because the value type [{1}] did not match the filter [{2}]
 managerBase.sessionTimeout=Invalid session timeout setting {0}
 standardManager.loading=Loading persisted sessions from {0}
 standardManager.loading.exception=Exception while loading persisted sessions
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index e5bd16aff7bc..dcb03310affb 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -203,6 +203,10 @@ public abstract class ManagerBase extends LifecycleMBeanBase
 
     private Pattern sessionAttributeNamePattern;
 
+    private Pattern sessionAttributeValueClassNamePattern;
+
+    private boolean warnOnSessionAttributeFilterFailure;
+
 
     // ------------------------------------------------------------- Properties
 
@@ -257,6 +261,86 @@ protected Pattern getSessionAttributeNamePattern() {
     }
 
 
+    /**
+     * Obtain the regular expression used to filter session attribute based on
+     * the implementation class of the value. The regular expression is anchored
+     * and must match the fully qualified class name.
+     *
+     * @return The regular expression currently used to filter class names.
+     *         {@code null} means no filter is applied. If an empty string is
+     *         specified then no names will match the filter and all attributes
+     *         will be blocked.
+     */
+    public String getSessionAttributeValueClassNameFilter() {
+        if (sessionAttributeValueClassNamePattern == null) {
+            return null;
+        }
+        return sessionAttributeValueClassNamePattern.toString();
+    }
+
+
+    /**
+     * Provides {@link #getSessionAttributeValueClassNameFilter()} as a
+     * pre-compiled regular expression pattern.
+     *
+     * @return The pre-compiled pattern used to filter session attributes based
+     *         on the implementation class name of the value. {@code null} means
+     *         no filter is applied.
+     */
+    protected Pattern getSessionAttributeValueClassNamePattern() {
+        return sessionAttributeValueClassNamePattern;
+    }
+
+
+    /**
+     * Set the regular expression to use to filter classes used for session
+     * attributes. The regular expression is anchored and must match the fully
+     * qualified class name.
+     *
+     * @param sessionAttributeValueClassNameFilter The regular expression to use
+     *            to filter session attributes based on class name. Use {@code
+     *            null} if no filtering is required. If an empty string is
+     *           specified then no names will match the filter and all
+     *           attributes will be blocked.
+     *
+     * @throws PatternSyntaxException If the expression is not valid
+     */
+    public void setSessionAttributeValueClassNameFilter(String sessionAttributeValueClassNameFilter)
+            throws PatternSyntaxException {
+        if (sessionAttributeValueClassNameFilter == null ||
+                sessionAttributeValueClassNameFilter.length() == 0) {
+            sessionAttributeValueClassNamePattern = null;
+        }
+        sessionAttributeValueClassNamePattern =
+                Pattern.compile(sessionAttributeValueClassNameFilter);
+    }
+
+
+    /**
+     * Should a warn level log message be generated if a session attribute is
+     * not persisted / replicated / restored.
+     *
+     * @return {@code true} if a warn level log message should be generated
+     */
+    public boolean getWarnOnSessionAttributeFilterFailure() {
+        return warnOnSessionAttributeFilterFailure;
+    }
+
+
+    /**
+     * Configure whether or not a warn level log message should be generated if
+     * a session attribute is not persisted / replicated / restored.
+     *
+     * @param warnOnSessionAttributeFilterFailure {@code true} if the
+     *            warn level message should be generated
+     *
+     */
+    public void setWarnOnSessionAttributeFilterFailure(
+            boolean warnOnSessionAttributeFilterFailure) {
+        this.warnOnSessionAttributeFilterFailure = warnOnSessionAttributeFilterFailure;
+    }
+
+
     @Override
     public Context getContext() {
         return context;
@@ -719,10 +803,39 @@ protected void changeSessionId(Session session, String newId,
     @Override
     public boolean willAttributeDistribute(String name, Object value) {
         Pattern sessionAttributeNamePattern = getSessionAttributeNamePattern();
-        if (sessionAttributeNamePattern == null) {
-            return true;
+        if (sessionAttributeNamePattern != null) {
+            if (!sessionAttributeNamePattern.matcher(name).matches()) {
+                if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) {
+                    String msg = sm.getString("managerBase.sessionAttributeNameFilter",
+                            name, sessionAttributeNamePattern);
+                    if (getWarnOnSessionAttributeFilterFailure()) {
+                        log.warn(msg);
+                    } else {
+                        log.debug(msg);
+                    }
+                }
+                return false;
+            }
+        }
+
+        Pattern sessionAttributeValueClassNamePattern = getSessionAttributeValueClassNamePattern();
+        if (value != null && sessionAttributeValueClassNamePattern != null) {
+            if (!sessionAttributeValueClassNamePattern.matcher(
+                    value.getClass().getName()).matches()) {
+                if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) {
+                    String msg = sm.getString("managerBase.sessionAttributeValueClassNameFilter",
+                            name, value.getClass().getName(), sessionAttributeNamePattern);
+                    if (getWarnOnSessionAttributeFilterFailure()) {
+                        log.warn(msg);
+                    } else {
+                        log.debug(msg);
+                    }
+                }
+                return false;
+            }
         }
-        return sessionAttributeNamePattern.matcher(name).matches();
+
+        return true;
     }
 
 
diff --git a/java/org/apache/catalina/session/mbeans-descriptors.xml b/java/org/apache/catalina/session/mbeans-descriptors.xml
index d8df4e7ff9ac..3e406f809351 100644
--- a/java/org/apache/catalina/session/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/session/mbeans-descriptors.xml
@@ -132,6 +132,14 @@
           descritpion="The string pattern used for including session attributes in distribution. Null means all attributes are included."
                  type="java.lang.String"/>
 
+    <attribute   name="sessionAttributeValueClassNameFilter"
+          description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
+                 type="java.lang.String"/>
+
+    <attribute   name="warnOnSessionAttributeFilterFailure"
+          description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
+                 type="boolean"/>
+
     <operation   name="backgroundProcess"
           description="Invalidate all sessions that have expired."
                impact="ACTION"
@@ -319,6 +327,14 @@
           descritpion="The string pattern used for including session attributes in distribution. Null means all attributes are included."
                  type="java.lang.String"/>
 
+    <attribute   name="sessionAttributeValueClassNameFilter"
+          description="The regular expression used to filter session attributes based on the implementation class of the value. The regular expression is anchored and must match the fully qualified class name."
+                 type="java.lang.String"/>
+
+    <attribute   name="warnOnSessionAttributeFilterFailure"
+          description="Should a WARN level log message be generated if a session attribute fails to match sessionAttributeNameFilter or sessionAttributeClassNameFilter?"
+                 type="boolean"/>
+
     <operation   name="backgroundProcess"
           description="Invalidate all sessions that have expired."
                impact="ACTION"
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index eef5670200bc..a44f749bd9c3 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -207,6 +207,13 @@
         well as unload to ensure that configuration changes made while the web
         application is stopped are applied to any persisted data. (markt)
       </add>
+      <add>
+        Extend the session attribute filtering options to include filtering
+        based on the implementation class of the value and optional
+        <code>WARN</code> level logging if an attribute is filtered. These
+        options are avaialble for all of the Manager implementations that ship
+        with Tomcat. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">
diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/cluster-manager.xml
index ad7bbbfc5d54..8d6c3c1756f5 100644
--- a/webapps/docs/config/cluster-manager.xml
+++ b/webapps/docs/config/cluster-manager.xml
@@ -77,17 +77,6 @@
         when session attributes are being replicated or removed across Tomcat
         nodes in the cluster.
       </attribute>
-      <attribute name="sessionAttributeNameFilter" required="false">
-        A regular expression used to filter which session attributes will be
-        replicated. An attribute will only be replicated if its name matches
-        this pattern. If the pattern is zero length or <code>null</code>, all
-        attributes are eligible for replication. The pattern is anchored so the
-        session attribute name must fully match the pattern. As an example, the
-        value <code>(userName|sessionHistory)</code> will only replicate the
-        two session attributes named <code>userName</code> and
-        <code>sessionHistory</code>. If not specified, the default value of
-        <code>null</code> will be used.
-      </attribute>
       <attribute name="maxInactiveInterval" required="false">
         <p>The initial maximum time interval, in seconds,
         between client requests before a session is invalidated. A negative value
@@ -184,6 +173,26 @@
         effective only when <code>sendAllSessions</code> is <code>false</code>.
         Default is <code>2000</code> milliseconds.
       </attribute>
+      <attribute name="sessionAttributeNameFilter" required="false">
+        <p>A regular expression used to filter which session attributes will be
+        replicated. An attribute will only be replicated if its name matches
+        this pattern. If the pattern is zero length or <code>null</code>, all
+        attributes are eligible for replication. The pattern is anchored so the
+        session attribute name must fully match the pattern. As an example, the
+        value <code>(userName|sessionHistory)</code> will only replicate the
+        two session attributes named <code>userName</code> and
+        <code>sessionHistory</code>. If not specified, the default value of
+        <code>null</code> will be used.</p>
+      </attribute>
+      <attribute name="sessionAttributeValueClassNameFilter" required="false">
+        <p>A regular expression used to filter which session attributes will be
+        replicated. An attribute will only be replicated if the implementation
+        class name of the value matches this pattern. If the pattern is zero
+        length or <code>null</code>, all attributes are eligible for
+        replication. The pattern is anchored so the fully qualified class name
+        must fully match the pattern. If not specified, the default value of
+        <code>null</code> will be used.</p>
+      </attribute>
       <attribute name="stateTimestampDrop" required="false">
         When this node sends a <code>GET_ALL_SESSIONS</code> message to other
         node, all session messages that are received as a response are queued.
@@ -195,6 +204,14 @@
         If set to <code>false</code>, all queued session messages are handled.
         Default is <code>true</code>.
       </attribute>
+      <attribute name="warnOnSessionAttributeFilterFailure" required="false">
+        <p>If <strong>sessionAttributeNameFilter</strong> or
+        <strong>sessionAttributeValueClassNameFilter</strong> blocks an
+        attribute, should this be logged at <code>WARN</code> level? If
+        <code>WARN</code> level logging is disabled then it will be logged at
+        <code>DEBUG</code>. The default value of this attribute is
+        <code>false</code>.</p>
+      </attribute>
     </attributes>
   </subsection>
   <subsection name="org.apache.catalina.ha.session.BackupManager Attributes">
@@ -218,6 +235,26 @@
         another map.
         Default value is <code>15000</code> milliseconds.
       </attribute>
+      <attribute name="sessionAttributeNameFilter" required="false">
+        <p>A regular expression used to filter which session attributes will be
+        replicated. An attribute will only be replicated if its name matches
+        this pattern. If the pattern is zero length or <code>null</code>, all
+        attributes are eligible for replication. The pattern is anchored so the
+        session attribute name must fully match the pattern. As an example, the
+        value <code>(userName|sessionHistory)</code> will only replicate the
+        two session attributes named <code>userName</code> and
+        <code>sessionHistory</code>. If not specified, the default value of
+        <code>null</code> will be used.</p>
+      </attribute>
+      <attribute name="sessionAttributeValueClassNameFilter" required="false">
+        <p>A regular expression used to filter which session attributes will be
+        replicated. An attribute will only be replicated if the implementation
+        class name of the value matches this pattern. If the pattern is zero
+        length or <code>null</code>, all attributes are eligible for
+        replication. The pattern is anchored so the fully qualified class name
+        must fully match the pattern. If not specified, the default value of
+        <code>null</code> will be used.</p>
+      </attribute>
       <attribute name="terminateOnStartFailure" required="false">
         Set to true if you wish to terminate replication map when replication
         map fails to start. If replication map is terminated, associated context
@@ -225,6 +262,14 @@
         does not end. It will try to join the map membership in the heartbeat.
         Default value is <code>false</code> .
       </attribute>
+      <attribute name="warnOnSessionAttributeFilterFailure" required="false">
+        <p>If <strong>sessionAttributeNameFilter</strong> or
+        <strong>sessionAttributeValueClassNameFilter</strong> blocks an
+        attribute, should this be logged at <code>WARN</code> level? If
+        <code>WARN</code> level logging is disabled then it will be logged at
+        <code>DEBUG</code>. The default value of this attribute is
+        <code>false</code>.</p>
+      </attribute>
     </attributes>
   </subsection>
 </section>
diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml
index ac1e9bbc36ea..97f1ce31c88b 100644
--- a/webapps/docs/config/manager.xml
+++ b/webapps/docs/config/manager.xml
@@ -167,7 +167,7 @@
       </attribute>
 
       <attribute name="sessionAttributeNameFilter" required="false">
-        A regular expression used to filter which session attributes will be
+        <p>A regular expression used to filter which session attributes will be
         distributed. An attribute will only be distributed if its name matches
         this pattern. If the pattern is zero length or <code>null</code>, all
         attributes are eligible for distribution. The pattern is anchored so the
@@ -175,7 +175,26 @@
         value <code>(userName|sessionHistory)</code> will only distribute the
         two session attributes named <code>userName</code> and
         <code>sessionHistory</code>. If not specified, the default value of
-        <code>null</code> will be used.
+        <code>null</code> will be used.</p>
+      </attribute>
+
+      <attribute name="sessionAttributeValueClassNameFilter" required="false">
+        <p>A regular expression used to filter which session attributes will be
+        distributed. An attribute will only be distributed if the implementation
+        class name of the value matches this pattern. If the pattern is zero
+        length or <code>null</code>, all attributes are eligible for
+        distribution. The pattern is anchored so the fully qualified class name
+        must fully match the pattern. If not specified, the default value of
+        <code>null</code> will be used.</p>
+      </attribute>
+
+      <attribute name="warnOnSessionAttributeFilterFailure" required="false">
+        <p>If <strong>sessionAttributeNameFilter</strong> or
+        <strong>sessionAttributeValueClassNameFilter</strong> blocks an
+        attribute, should this be logged at <code>WARN</code> level? If
+        <code>WARN</code> level logging is disabled then it will be logged at
+        <code>DEBUG</code>. The default value of this attribute is
+        <code>false</code>.</p>
       </attribute>
     </attributes>
 
@@ -266,8 +285,9 @@
         <code>org.apache.catalina.session.StandardManager</code> class.
         </p>
       </attribute>
+      
       <attribute name="sessionAttributeNameFilter" required="false">
-        A regular expression used to filter which session attributes will be
+        <p>A regular expression used to filter which session attributes will be
         distributed. An attribute will only be distributed if its name matches
         this pattern. If the pattern is zero length or <code>null</code>, all
         attributes are eligible for distribution. The pattern is anchored so the
@@ -275,7 +295,26 @@
         value <code>(userName|sessionHistory)</code> will only distribute the
         two session attributes named <code>userName</code> and
         <code>sessionHistory</code>. If not specified, the default value of
-        <code>null</code> will be used.
+        <code>null</code> will be used.</p>
+      </attribute>
+
+      <attribute name="sessionAttributeValueClassNameFilter" required="false">
+        <p>A regular expression used to filter which session attributes will be
+        distributed. An attribute will only be distributed if the implementation
+        class name of the value matches this pattern. If the pattern is zero
+        length or <code>null</code>, all attributes are eligible for
+        distribution. The pattern is anchored so the fully qualified class name
+        must fully match the pattern. If not specified, the default value of
+        <code>null</code> will be used.</p>
+      </attribute>
+
+      <attribute name="warnOnSessionAttributeFilterFailure" required="false">
+        <p>If <strong>sessionAttributeNameFilter</strong> or
+        <strong>sessionAttributeValueClassNameFilter</strong> blocks an
+        attribute, should this be logged at <code>WARN</code> level? If
+        <code>WARN</code> level logging is disabled then it will be logged at
+        <code>DEBUG</code>. The default value of this attribute is
+        <code>false</code>.</p>
       </attribute>
     </attributes>