Matt is the authority on Acegi, but I believe there is a way to list the
urls that Acegi should guarantee for SSL transport in the security.xml. 
Then Acegi takes care of the protocol switching.  Right now I don't
think some of our secure login property info is being mapped to the
Acegi config, so we still need to do that.

I definitely think that we shouldn't need the old "secure" tag that we
were using and I'm also not sure that we need to continue with old
secureheader stuff.  I've moved the secureheader stuff outside of Roller
for blogs.sun.com and I think that's the proper place for it.

-- Allen


On Mon, 2006-01-09 at 07:47, Dave Johnson wrote:
> Regarding:
> http://opensource2.atlassian.com/projects/roller/browse/ROL-989
> 
> The user profile page allows a user to change his/her password and
> sends passwords in the clear, so I'd like to make it more secure for sites
> that require HTTPS for logins. The easiest way to do this seems to be
> to force HTTPS on that page and that's what I've done in my local
> workspace.
> 
> Here's a summary of my changes (code is below): inside the
> YourProfileAction.edit() method, I check to see if secure login is
> enabled. If secure login is enabled but the current request is not
> secure, I redirect to a secure version of the URL.
> 
> I have two questions before I continue this work and add the same code
> to user-admin:
> 1) Is this the right way to do this, given that we're now using Acegi?
> 2) Do we need the <roller:secure> tag on any of our pages anymore, now
> that we're using Acegi?
> 
> - Dave
> 
> 
> 
> PS: here are the specific changes:
> 
> 
> ==================== roller.properties
> 
> Roller properties needs to change to allow the YourProfileAction to
> run under HTTPS.
> 
> schemeenforcement.https.urls=/j_security_check,/auth,/login-redirect.jsp,/login.jsp,/editor/yourProfile.do
> 
> 
> 
> ==================== YourProfileAction.java
> 
> The YourProfileAction.java method needs code to test for
> securelogin.enabled and isSecure(). We can't use the <roller:secure>
> tag on the JSP page because by the time we get there the response is
> already committed.
> 
> 
>          ActionForward forward =
> mapping.findForward("yourProfile.page");
>          try
>          {
> +            if
> (RollerConfig.getBooleanProperty("securelogin.enabled") &&
> !SslUtil.isSecure(request)) {
> +                response.sendRedirect(SslUtil.getRedirectString(
> +                    request,
> request.getSession().getServletContext(), true));
> +                return mapping.findForward("access-denied");
> +            }
>              RollerSession rollerSession =
> RollerSession.getRollerSession(request);
>              UserData ud = rollerSession.getAuthenticatedUser();
>              UserFormEx form = (UserFormEx)actionForm;
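Review bot: returning mapping.findForward("access-denied") right after response.sendRedirect(...) asks Struts to forward on a response that has already been committed, which is the same committed-response problem described above for the JSP tag; return null from the action instead, which is Struts' signal that the response has been completed. The guard also sits only on the path that renders the form (the one that resolves "yourProfile.page"); whichever method receives the submitted password needs the same check, or a form posted directly to the http URL still carries the password in the clear.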
> 
> 
> 
> ==================== SslUtil.java
> 
> We need a way to test isSecure() using the appropriate properties:
> 
> +    /**
> +     * Test for HTTPS connection by using request.isSecure() or,
> +     * if httpsHeaderName is set, test for reqest header instead.
> +     * If httpsHeaderValue is also set, test for that specific value.
> +     */
> +    public static boolean isSecure(HttpServletRequest request) {
> +        String httpsHeaderName =
> RollerConfig.getProperty("securelogin.https.headername");
> +        String httpsHeaderValue =
> RollerConfig.getProperty("securelogin.https.headervalue");
> +        boolean secure = false;
> +        if (httpsHeaderName == null) {
> +            secure = request.isSecure();
> +        } else {
> +            String headerValue = request.getHeader(httpsHeaderName);
> +            if (headerValue != null && headerValue.trim().length() >
> 0) {
> +                secure = httpsHeaderValue==null ||
> httpsHeaderValue.equals(headerValue);
> +            }
> +        }
> +        return secure;
> +    }
> +
> 
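Review bot: when securelogin.https.headername is set, the header check replaces request.isSecure() rather than supplementing it, so a request that genuinely arrived over TLS but without the header is reported insecure and redirected to the https URL, which arrives without the header again and loops; compute secure = request.isSecure() first and fall back to the header only when that is false. The header branch also trusts whatever the client sends: with securelogin.https.headervalue unset, any non-blank value for the named header counts as secure, so anyone who can reach the servlet container without passing through the SSL-terminating front end can mark a plain http request as secure. Document that the front end must strip or overwrite that header on every request, and treat headervalue as required whenever headername is set. Minor: "reqest" in the Javadoc.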

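As an added illustration of Allen's suggestion above (this is not Roller's security.xml nor any code from the thread): Acegi's channel-security filter declares which URL patterns must be served over HTTPS and issues the redirect itself, so no per-action check in YourProfileAction is needed. Assumed here: Acegi 1.0.x class names under org.acegisecurity, the bean ids, and that channelProcessingFilter is placed ahead of the authentication filters in the FilterChainProxy chain. The URL list mirrors the schemeenforcement.https.urls entries from the properties change, lowercased because of the comparison directive.

```xml
<!-- Added example, not Roller's own configuration. Assumes Acegi 1.0.x
     (org.acegisecurity.*) and that this filter runs before the
     authentication filters in the FilterChainProxy chain. -->

<!-- Maps URL patterns to a channel requirement and delegates the decision. -->
<bean id="channelProcessingFilter"
      class="org.acegisecurity.securechannel.ChannelProcessingFilter">
  <property name="channelDecisionManager" ref="channelDecisionManager"/>
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /j_security_check=REQUIRES_SECURE_CHANNEL
      /auth=REQUIRES_SECURE_CHANNEL
      /login-redirect.jsp=REQUIRES_SECURE_CHANNEL
      /login.jsp=REQUIRES_SECURE_CHANNEL
      /editor/yourprofile.do=REQUIRES_SECURE_CHANNEL
      /**=ANY_CHANNEL
    </value>
  </property>
</bean>

<!-- Runs each configured processor; ANY_CHANNEL short-circuits to "allow". -->
<bean id="channelDecisionManager"
      class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
  <property name="channelProcessors">
    <list>
      <ref bean="secureChannelProcessor"/>
      <ref bean="insecureChannelProcessor"/>
    </list>
  </property>
</bean>

<!-- REQUIRES_SECURE_CHANNEL: if request.isSecure() is false, redirect to
     the same URL over https, translating the port via the port mapper. -->
<bean id="secureChannelProcessor"
      class="org.acegisecurity.securechannel.SecureChannelProcessor">
  <property name="entryPoint">
    <bean class="org.acegisecurity.securechannel.RetryWithHttpsEntryPoint">
      <property name="portMapper" ref="portMapper"/>
    </bean>
  </property>
</bean>

<!-- REQUIRES_INSECURE_CHANNEL counterpart; harmless to leave in place. -->
<bean id="insecureChannelProcessor"
      class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>

<!-- http -> https port pairs used when building the redirect URL. -->
<bean id="portMapper" class="org.acegisecurity.util.PortMapperImpl">
  <property name="portMappings">
    <map>
      <entry key="80" value="443"/>
      <entry key="8080" value="8443"/>
    </map>
  </property>
</bean>
```

SecureChannelProcessor decides with request.isSecure(), the same call Dave's SslUtil.isSecure() falls back to, and it does not consult a custom header. Behind an SSL-terminating front end the container's connector therefore has to report those connections as secure (for Tomcat, scheme="https" and secure="true" on the connector that the front end talks to), otherwise the filter redirects to the https URL, that request again looks insecure, and the browser loops.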