Author: agilliland
Date: Wed Jan 25 14:46:16 2006
New Revision: 372349
URL: http://svn.apache.org/viewcvs?rev=372349&view=rev
Log:
reimplementing our custom scheme enforcement. this should only be until we
figure out how to get Acegi scheme enforcement fully functioning. scheme
enforcement is still disabled by default.
Added:
incubator/roller/trunk/src/org/roller/presentation/filters/SchemeEnforcementFilter.java
Modified:
incubator/roller/trunk/metadata/xdoclet/filter-mappings.xml
incubator/roller/trunk/src/org/roller/presentation/RollerContext.java
incubator/roller/trunk/web/WEB-INF/classes/roller.properties
Modified: incubator/roller/trunk/metadata/xdoclet/filter-mappings.xml
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/metadata/xdoclet/filter-mappings.xml?rev=372349&r1=372348&r2=372349&view=diff
==============================================================================
--- incubator/roller/trunk/metadata/xdoclet/filter-mappings.xml (original)
+++ incubator/roller/trunk/metadata/xdoclet/filter-mappings.xml Wed Jan 25
14:46:16 2006
@@ -26,6 +26,12 @@
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
+<!-- Scheme enforcement. Only here until we get Acegi scheme enforcement
working -->
+<filter-mapping>
+ <filter-name>SchemeEnforcementFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+</filter-mapping>
+
<!-- Acegi Security filters - controls secure access to different parts of
Roller -->
<filter-mapping>
<filter-name>securityFilter</filter-name>
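Review bot: The new `<url-pattern>/*</url-pattern>` sends every request through SchemeEnforcementFilter, and because that filter bounces any https request whose servlet path is not listed in `schemeenforcement.https.urls` back to http, static resources (stylesheets, images, scripts) referenced by the https login page would presumably be redirected to plain http and trigger mixed-content warnings in the browser — confirm against how login.jsp references them. Either exempt static resource paths inside the filter or narrow this mapping to the dynamic paths that actually need enforcement. The mapping also omits the `<dispatcher>` element the preceding mapping carries, so it applies to REQUEST dispatches only; that is probably intended since a forward keeps the scheme of the original request, but a comment such as `<!-- REQUEST dispatch only: forwards inherit the scheme of the original request -->` would make it explicit.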
Modified: incubator/roller/trunk/src/org/roller/presentation/RollerContext.java
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/src/org/roller/presentation/RollerContext.java?rev=372349&r1=372348&r2=372349&view=diff
==============================================================================
--- incubator/roller/trunk/src/org/roller/presentation/RollerContext.java
(original)
+++ incubator/roller/trunk/src/org/roller/presentation/RollerContext.java Wed
Jan 25 14:46:16 2006
@@ -306,7 +306,7 @@
(AuthenticationProcessingFilterEntryPoint)ctx.getBean("authenticationProcessingFilterEntryPoint");
entryPoint.setForceHttps(true);
}
-
+ /*
if (RollerConfig.getBooleanProperty("schemeenforcement.enabled")) {
ChannelProcessingFilter procfilter =
@@ -327,8 +327,9 @@
}
}
// all other action URLs are non-HTTPS
- defmap.addSecureUrl("/**/*.do*", insecureDef);
+ defmap.addSecureUrl("/**<!-- need to remove this when uncommenting
-->/*.do*", insecureDef);
}
+ */
}
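Review bot: The string literal on the changed line is being mangled into `"/**<!-- need to remove this when uncommenting -->/*.do*"` only because the `*/` inside the original `"/**/*.do*"` would otherwise terminate the block comment opened with `/*` in the previous hunk, which leaves a Java source file containing an XML comment inside a disabled code path that someone must remember to repair. Disabling code by block comment is fragile for exactly this reason; either delete the Acegi block outright (the revision history keeps it for when Acegi scheme enforcement is revisited) or comment each line with `//` so the literal can stay as `defmap.addSecureUrl("/**/*.do*", insecureDef);`. The enclosing method begins before this hunk and the `/*` it closes is in the hunk at -306.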
Added:
incubator/roller/trunk/src/org/roller/presentation/filters/SchemeEnforcementFilter.java
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/src/org/roller/presentation/filters/SchemeEnforcementFilter.java?rev=372349&view=auto
==============================================================================
---
incubator/roller/trunk/src/org/roller/presentation/filters/SchemeEnforcementFilter.java
(added)
+++
incubator/roller/trunk/src/org/roller/presentation/filters/SchemeEnforcementFilter.java
Wed Jan 25 14:46:16 2006
@@ -0,0 +1,157 @@
+/*
+ * SchemeEnforcementFilter.java
+ *
+ * Created on September 16, 2005, 3:17 PM
+ */
+
+package org.roller.presentation.filters;
+
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.roller.config.RollerConfig;
+
+
+/**
+ * The SchemeEnforcementFilter is provided for Roller sites that enable secure
+ * logins and want to ensure that only login urls are used under https.
+ *
+ * @author Allen Gilliland
+ *
+ * @web.filter name="SchemeEnforcementFilter"
+ */
+public class SchemeEnforcementFilter implements Filter {
+
+ private static Log mLogger =
+ LogFactory.getLog(SchemeEnforcementFilter.class);
+
+ private FilterConfig filterConfig = null;
+
+ private boolean schemeEnforcementEnabled = false;
+ private boolean secureLoginEnabled = false;
+ private int httpPort = 80;
+ private int httpsPort = 443;
+ private String httpsHeaderName = null;
+ private String httpsHeaderValue = null;
+
+ private Set allowedUrls = new HashSet();
+
+
+ /**
+ * Process filter.
+ *
+ * We'll take the incoming request and first determine if this is a
+ * secure request. If the request is secure then we'll see if it matches
+ * one of the allowed secure urls, if not then we will redirect back out
+ * of https.
+ */
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain)
+ throws IOException, ServletException {
+
+ if(this.schemeEnforcementEnabled && this.secureLoginEnabled) {
+
+ HttpServletRequest req = (HttpServletRequest) request;
+ HttpServletResponse res = (HttpServletResponse) response;
+
+ mLogger.debug("checking path = "+req.getServletPath());
+
+ if(!request.isSecure() &&
allowedUrls.contains(req.getServletPath())) {
+ // http insecure request that should be over https
+ String redirect = "https://"+req.getServerName();
+
+ if(this.httpsPort != 443)
+ redirect += ":"+this.httpsPort;
+
+ redirect += req.getRequestURI();
+
+ if(req.getQueryString() != null)
+ redirect += "?"+req.getQueryString();
+
+ mLogger.debug("Redirecting to "+redirect);
+ res.sendRedirect(redirect);
+ return;
+
+ } else if(request.isSecure() &&
!allowedUrls.contains(req.getServletPath())) {
+ // https secure request that should be over http
+ String redirect = "http://"+req.getServerName();
+
+ if(this.httpPort != 80)
+ redirect += ":"+this.httpPort;
+
+ redirect += req.getRequestURI();
+
+ if(req.getQueryString() != null)
+ redirect += "?"+req.getQueryString();
+
+ mLogger.debug("Redirecting to "+redirect);
+ res.sendRedirect(redirect);
+ return;
+ }
+ }
+
+ chain.doFilter(request, response);
+ }
+
+
+ public void destroy() {}
+
+
+ /**
+ * Filter init.
+ *
+ * We are just collecting init properties which we'll use for each request.
+ */
+ public void init(FilterConfig filterConfig) {
+ this.filterConfig = filterConfig;
+
+ // determine if we are doing scheme enforcement
+ this.schemeEnforcementEnabled =
+ RollerConfig.getBooleanProperty("schemeenforcement.enabled");
+ this.secureLoginEnabled =
+ RollerConfig.getBooleanProperty("securelogin.enabled");
+
+ if(this.schemeEnforcementEnabled && this.secureLoginEnabled) {
+ // gather some more properties
+ String http_port =
+ RollerConfig.getProperty("securelogin.http.port");
+ String https_port =
+ RollerConfig.getProperty("securelogin.https.port");
+
+ try {
+ this.httpPort = Integer.parseInt(http_port);
+ this.httpsPort = Integer.parseInt(https_port);
+ } catch(NumberFormatException nfe) {
+ // ignored ... guess we'll have to use the defaults
+ mLogger.warn("error with secure login ports", nfe);
+ }
+
+ // finally, construct our list of allowable https urls
+ String urls =
+ RollerConfig.getProperty("schemeenforcement.https.urls");
+ String[] urlsArray = urls.split(",");
+ for(int i=0; i < urlsArray.length; i++)
+ this.allowedUrls.add(urlsArray[i]);
+
+ // some logging for the curious
+ mLogger.info("Scheme enforcement = enabled");
+ if(mLogger.isDebugEnabled()) {
+ mLogger.debug("allowed urls are:");
+ for(Iterator it = this.allowedUrls.iterator(); it.hasNext();)
+ mLogger.debug(it.next());
+ }
+ }
+ }
+
+}
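Review bot: `doFilter` decides the scheme purely from `request.isSecure()`, while the `httpsHeaderName` and `httpsHeaderValue` fields declared at the top of the class are never populated in `init` nor read anywhere, so behind a TLS-terminating proxy that forwards plain HTTP to the container an allowed path would likely be seen as insecure on every hop and redirected to https indefinitely. If header-based detection is what those fields were meant for, populate them in `init` and compute `boolean secure = req.isSecure() || (httpsHeaderName != null && httpsHeaderValue != null && httpsHeaderValue.equals(req.getHeader(httpsHeaderName)));` once at the top of the block, using `secure` in both branches; otherwise drop the two unused fields along with the unused `filterConfig`. The redirect targets are also built from `req.getServerName()`, which is taken from the client-supplied Host header, so a configured host name would keep the Location under the application's control. In `init`, `urls.split(",")` throws NullPointerException when `schemeenforcement.https.urls` is unset and does not trim entries, so a space after a comma silently produces a path that never matches. Note too that for `/j_security_check` a plain-HTTP POST has already carried the credentials before the filter sees it, and the 302 turns it into a GET, so the effective protection rests on `/login.jsp` itself being served over https, which the allowed list does cover.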
Modified: incubator/roller/trunk/web/WEB-INF/classes/roller.properties
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/web/WEB-INF/classes/roller.properties?rev=372349&r1=372348&r2=372349&view=diff
==============================================================================
--- incubator/roller/trunk/web/WEB-INF/classes/roller.properties (original)
+++ incubator/roller/trunk/web/WEB-INF/classes/roller.properties Wed Jan 25
14:46:16 2006
@@ -118,7 +118,8 @@
# Scheme enforcement ensures that specific URLs are viewed only via HTTPS
schemeenforcement.enabled=false
# URL patterns that require HTTPS
-schemeenforcement.https.urls=/editor/yourProfile.do*,/admin/user.do*
+schemeenforcement.https.urls=/j_security_check,/login-redirect.jsp,/login.jsp,\
+/user.do,/editor/yourProfile.do,/admin/user.do
# Password security settings
passwds.encryption.enabled=false
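Review bot: The comment `# URL patterns that require HTTPS` above the changed line no longer describes the value: the new entries are exact servlet paths (the `*` suffixes were dropped) that SchemeEnforcementFilter compares with `Set.contains(req.getServletPath())`, so a pattern such as `/user.do*` would never match. Suggest `# Servlet paths (exact match, comma-separated, no wildcards or whitespace) that require HTTPS`. Entries are matched without the web application's context path, and since the filter splits on `,` without trimming, a space after a comma would create a path that is never matched.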