Regarding: http://opensource2.atlassian.com/projects/roller/browse/ROL-989

The user profile page allows a user to change his/her password and sends passwords in the clear, so I'd like to make it more secure for sites that require HTTPS for logins. The easiest way to do this seems to be to force HTTPS on that page and that's what I've done in my local workspace.

Here's a summary of my changes (code is below): inside the YourProfileAction.edit() method, I check to see if secure login is enabled. If secure login is enabled but the current request is not secure, I redirect to a secure version of the URL.

I have two questions before I continue this work and add the same code to user-admin:
1) Is this the right way to do this, given that we're now using Acegi?
2) Do we need the <roller:secure> tag on any of our pages anymore, now that we're using Acegi?

- Dave



PS: here are the specific changes:


==================== roller.properties

Roller properties needs to change to allow the YourProfileAction to run under HTTPS.

schemeenforcement.https.urls=/j_security_check,/auth,/login-redirect.jsp,/login.jsp,/editor/yourProfile.do



==================== YourProfileAction.java

The YourProfileAction.java method needs code to test for securelogin.enabled and isSecure(). We can't use the <roller:secure> tag on the JSP page because by the time we get there the response is already committed.


ActionForward forward = mapping.findForward ("yourProfile.page");
         try
         {
+ if (RollerConfig.getBooleanProperty ("securelogin.enabled") && !SslUtil.isSecure(request)) {
+                response.sendRedirect(SslUtil.getRedirectString(
+ request, request.getSession().getServletContext (), true));
+                return mapping.findForward("access-denied");
+            }
RollerSession rollerSession = RollerSession.getRollerSession(request);
             UserData ud = rollerSession.getAuthenticatedUser();
             UserFormEx form = (UserFormEx)actionForm;
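Review bot: after `response.sendRedirect(...)` the action still returns `mapping.findForward("access-denied")`, so Struts will try to perform a forward on a response the redirect has already committed; return `null` on that path instead, which tells the Struts request processor the response has been fully handled, and keep `return mapping.findForward("access-denied")` for a genuine denial rather than a scheme switch.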



==================== SslUtil.java

We need a way to test isSecure() using the appropriate properties:

+    /**
+     * Test for HTTPS connection by using request.isSecure() or,
+     * if httpsHeaderName is set, test for reqest header instead.
+     * If httpsHeaderValue is also set, test for that specific value.
+     */
+    public static boolean isSecure(HttpServletRequest request) {
+ String httpsHeaderName = RollerConfig.getProperty ("securelogin.https.headername"); + String httpsHeaderValue = RollerConfig.getProperty ("securelogin.https.headervalue");
+        boolean secure = false;
+        if (httpsHeaderName == null) {
+            secure = request.isSecure();
+        } else {
+            String headerValue = request.getHeader(httpsHeaderName);
+ if (headerValue != null && headerValue.trim().length() > 0) { + secure = httpsHeaderValue==null || httpsHeaderValue.equals(headerValue);
+            }
+        }
+        return secure;
+    }
+
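Review bot: when `securelogin.https.headername` is configured, the `else` branch decides solely on a request header and ignores `request.isSecure()`, so the check is only sound when the TLS-terminating proxy is the only route to the servlet container and strips or overwrites that header on inbound requests; the javadoc should state that deployment assumption, and `secure = request.isSecure() || (...)` would keep the result correct when the proxy forwards over HTTPS as well. Also, the non-empty test uses `headerValue.trim()` but the equality test compares the untrimmed `headerValue` against `httpsHeaderValue`, so a header with surrounding whitespace passes the first test and fails the second; compare the trimmed value in both places.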
