Dan,

First, thanks for your work on this. I was one of the "wishers" for this plugin, and much appreciate this effort.

> because I had a need to scratch, I've written a module that checks that
> designated run modes are invoked under SSL. I figure I should modify it
> to meet the requirements for CGI::Application::Plugin::RequireSSL, as
> requested at http://cgiapp.erlbaum.net/index.cgi?PluginsWanted, but I
> have a few questions about these requirements:
>
> * If the param 'require_ssl' is present in the instance script,
>   everything accessed through it will be protected.
> * If the subroutine attribute 'RequireSSL' is used, an individual
>   runmode will be protected.
> * If the param 'rewrite_to_ssl' is present, any run modes that are
>   labeled as 'RequireSSL' (or all run modes if the param
>   'require_ssl' is present) that are accessed as non-SSL will be
>   redirected to the same run mode but as HTTPS.
>
> I'm not sure I understand what is meant by "protected." Does this mean
> an error is raised if standard HTTP is used when HTTPS is required?

Some will want an error, others will want an auto-redirect. The smart default seems to be to redirect if you can, throw an error if you can't.

> In the cases where a request is "rewritten," what do keep in the
> redirect? I assume all query parameters if the method is "GET," but an
> error is raised if "POST" is used.
>
> In my case, I'd like to be able to turn the SSL checks on or off based
> on a flag in my app's config file. This is because the team members all
> have personal name-based virtual hosts, and SSL isn't supported in their
> environments, although it is in the test, staging and prod envs, where
> we could turn the checks on. Is such a flag something others would find
> useful?

Definitely. Sometimes development environments don't have SSL, and it can be a pain to get set up.

The question is, how do we communicate that to users when they see "RequireSSL" on a run mode, and assume it will "just work"?

Maybe we don't do anything, and expect people to check the flag.

Maybe we always warn to log: "RequireSSL plugin used but not enabled". That could be annoying for a project that works in SSL and non-SSL production environments.

I'm OK with having a silent-disable flag.

I think to make it really clear, we'd have to use an alternate design which centralized all the RequireSSL declarations in one place, like the run_modes() definitions. Then these could be clearly conditionally enabled or disabled.

I'd proceed with the design you have now and we can see how well it works in practice.

Thanks again!

Mark
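
The behaviour discussed in this message (redirect when possible, error otherwise, with a config flag that silently disables the check) can be sketched as a small decision function. This is an added example, not code from the plugin or from either poster; the function name ssl_action, the hash keys and the host name app.example.com are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper, not part of any released plugin.
# $req keys (assumed): method, https (bool), path, query.
# $cfg keys (assumed): enabled (bool), ssl_host (name taken from the app
# config rather than from the request's Host header).
sub ssl_action {
    my ($req, $cfg, $runmode_requires_ssl) = @_;

    # Silent-disable flag for development hosts without SSL.
    return ('pass') unless $cfg->{enabled};
    return ('pass') unless $runmode_requires_ssl;
    return ('pass') if $req->{https};

    # A redirect can only replay a request that has no body, so GET and
    # HEAD are rewritten to HTTPS with their query string kept intact.
    if ($req->{method} =~ /\A(?:GET|HEAD)\z/) {
        my $url = "https://$cfg->{ssl_host}$req->{path}";
        $url .= "?$req->{query}" if length($req->{query} // '');
        return ('redirect', $url);
    }

    # POST and other methods: refuse. The body has already crossed the
    # wire in cleartext by this point, so the error is also worth logging.
    return ('error', "HTTPS required for $req->{method} $req->{path}");
}

# Constructed sample requests.
my %cfg     = (enabled => 1, ssl_host => 'app.example.com');
my @samples = (
    { method => 'GET',  https => 0, path => '/index.cgi', query => 'rm=login' },
    { method => 'POST', https => 0, path => '/index.cgi', query => '' },
    { method => 'POST', https => 1, path => '/index.cgi', query => '' },
);

for my $s (@samples) {
    my ($action, $detail) = ssl_action($s, \%cfg, 1);
    printf "%-4s %-5s => %s %s\n",
        $s->{method}, ($s->{https} ? 'https' : 'http'), $action, $detail // '';
}

# With enabled => 0 every request passes, which is the silent-disable case.
```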
