On 1/9/06, Allen Gilliland <[EMAIL PROTECTED]> wrote:
> Matt is the authority on Acegi, but I believe there is a way to list the
> urls that Acegi should guarantee for SSL transport in the security.xml.
> Then Acegi takes care of the protocol switching. Right now I don't
> think some of our secure login property info is being mapped to the
> Acegi config, so we still need to do that.

I believe I did handle this as part of the integration, but didn't test it. If it doesn't work, let me know and I'll fix it.

> I definitely think that we shouldn't need the old "secure" tag that we
> were using and I'm also not sure that we need to continue with old
> secureheader stuff. I've moved the secureheader stuff outside of Roller
> for blogs.sun.com and I think that's the proper place for it.

Right, Acegi Security should be able to handle anything that the "secure" tag did. Also, I didn't account for the secureheader stuff, so moving it outside Roller would be great. ;-)

> -- Allen
>
> On Mon, 2006-01-09 at 07:47, Dave Johnson wrote:
> > Regarding:
> > http://opensource2.atlassian.com/projects/roller/browse/ROL-989
> >
> > The user profile page allows a user to change his/her password and
> > sends passwords in the clear, so I'd like to make it more secure for sites
> > that require HTTPS for logins. The easiest way to do this seems to be
> > to force HTTPS on that page and that's what I've done in my local
> > workspace.
> >
> > Here's a summary of my changes (code is below): inside the
> > YourProfileAction.edit() method, I check to see if secure login is
> > enabled. If secure login is enabled but the current request is not
> > secure, I redirect to a secure version of the URL.
> >
> > I have two questions before I continue this work and add the same code
> > to user-admin:
> > 1) Is this the right way to do this, given that we're now using Acegi?

You shouldn't need any code, just configure it in security.xml. Unfortunately, I don't think there's a way to say "only require SSL if secure login is enabled". ;-) ... so maybe you will need some code.

Matt

> > 2) Do we need the <roller:secure> tag on any of our pages anymore, now
> > that we're using Acegi?
> > > > - Dave > > > > > > > > PS: here are the specific changes: > > > > > > ==================== roller.properties > > > > Roller properties needs to change to allow the YourProfileAction to > > run under HTTPS. > > > > schemeenforcement.https.urls=/j_security_check,/auth,/login-redirect.jsp,/login.jsp,/editor/yourProfile.do > > > > > > > > ==================== YourProfileAction.java > > > > The YourProfileAction.java method needs code to test for > > securelogin.enabled and isSecure(). We can't use the <roller:secure> > > tag on the JSP page because by the time we get there the response is > > already committed. > > > > > > ActionForward forward = > > mapping.findForward("yourProfile.page"); > > try > > { > > + if > > (RollerConfig.getBooleanProperty("securelogin.enabled") && > > !SslUtil.isSecure(request)) { > > + response.sendRedirect(SslUtil.getRedirectString( > > + request, > > request.getSession().getServletContext(), true)); > > + return mapping.findForward("access-denied"); > > + } > > RollerSession rollerSession = > > RollerSession.getRollerSession(request); > > UserData ud = rollerSession.getAuthenticatedUser(); > > UserFormEx form = (UserFormEx)actionForm; > > > > > > > > ==================== SslUtil.java > > > > We need a way to test isSecure() using the appropriate properties: > > > > + /** > > + * Test for HTTPS connection by using request.isSecure() or, > > + * if httpsHeaderName is set, test for reqest header instead. > > + * If httpsHeaderValue is also set, test for that specific value. 
> > + */ > > + public static boolean isSecure(HttpServletRequest request) { > > + String httpsHeaderName = > > RollerConfig.getProperty("securelogin.https.headername"); > > + String httpsHeaderValue = > > RollerConfig.getProperty("securelogin.https.headervalue"); > > + boolean secure = false; > > + if (httpsHeaderName == null) { > > + secure = request.isSecure(); > > + } else { > > + String headerValue = request.getHeader(httpsHeaderName); > > + if (headerValue != null && headerValue.trim().length() > > > 0) { > > + secure = httpsHeaderValue==null || > > httpsHeaderValue.equals(headerValue); > > + } > > + } > > + return secure; > > + } > > + > > > >
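Review bot: in the YourProfileAction.java hunk, edit() calls response.sendRedirect(...) and then returns mapping.findForward("access-denied"), so Struts will try to forward on a response that is already committed; once an action has written the response itself the usual pattern is `return null;` right after the sendRedirect. It is also worth confirming that the path which receives the submitted password (the save side of the same action) is covered as well, since the redirect only moves the user to HTTPS when the form is first displayed; the new schemeenforcement.https.urls entry for /editor/yourProfile.do should do that, but the hunk only shows the edit() side being checked.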
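Review bot: in the SslUtil.java hunk, once securelogin.https.headername is set, isSecure() believes the header on any request regardless of where it came from, so a client that can reach the servlet container directly, bypassing the SSL-terminating front end, can add the header itself and satisfy the check while still sending the password in the clear. The Javadoc should say that header mode is only safe when the container accepts connections solely from the proxy that sets or strips that header (or the method should also compare request.getRemoteAddr() against the proxy). Two smaller points in the same method: a headername property that is present but empty in roller.properties is not null, so the code would call getHeader("") instead of falling back to request.isSecure() (use the same trim().length() == 0 test that is applied to the value), and the comment reads "reqest" for "request".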
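The check Dave describes, the container's request.isSecure() or a header set by an SSL-terminating front end, with the spoofing case handled and the HTTPS redirect target built from the same request, as an added example. This is not Roller code and not code from Matt or Dave; the RequestView interface (so it compiles without the servlet API), the trustedProxyAddr setting, the FakeRequest class and the host and addresses in main() are assumptions made for this example, and in Roller the view would be backed by HttpServletRequest and the settings would come from RollerConfig.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Roller code: decide whether a request arrived over HTTPS
 * (from the container, or from a header set by an SSL-terminating front end)
 * and build the HTTPS URL to redirect to when it did not.
 * RequestView, Config.trustedProxyAddr and FakeRequest are assumptions made
 * for this example.
 */
public class SecureRequestCheck {

    /** The few request accessors the check needs (backed by HttpServletRequest in a webapp). */
    public interface RequestView {
        boolean isSecure();             // the container's own view, request.isSecure()
        String getHeader(String name);  // null when the header is absent
        String getRemoteAddr();         // peer address as the container sees it
        String getServerName();
        String getRequestURI();
        String getQueryString();        // null when there is none
    }

    /** Mirrors the securelogin.https.* properties from the thread, plus one extra setting. */
    public static class Config {
        String httpsHeaderName;   // e.g. "X-Forwarded-Proto"; null or blank: use isSecure()
        String httpsHeaderValue;  // e.g. "https"; null: any non-blank value counts
        String trustedProxyAddr;  // hypothetical: the header is believed only from this peer
        int httpsPort = 443;
    }

    static boolean blank(String s) {
        return s == null || s.trim().length() == 0;
    }

    /**
     * True only when the request is known to have come over HTTPS. The header is
     * believed only if the request came from the trusted proxy, so a client that
     * reaches the container directly cannot forge it.
     */
    public static boolean isSecure(RequestView req, Config cfg) {
        if (blank(cfg.httpsHeaderName)) {
            return req.isSecure();                       // no proxy configured
        }
        if (cfg.trustedProxyAddr != null
                && !cfg.trustedProxyAddr.equals(req.getRemoteAddr())) {
            return req.isSecure();                       // not via the proxy: ignore the header
        }
        String value = req.getHeader(cfg.httpsHeaderName);
        if (blank(value)) {
            return false;                                // proxy did not mark it as HTTPS
        }
        return cfg.httpsHeaderValue == null
                || cfg.httpsHeaderValue.equalsIgnoreCase(value.trim());
    }

    /** The same host, path and query string, over HTTPS. */
    public static String httpsUrl(RequestView req, Config cfg) {
        StringBuffer url = new StringBuffer("https://").append(req.getServerName());
        if (cfg.httpsPort != 443) {
            url.append(':').append(cfg.httpsPort);
        }
        url.append(req.getRequestURI());
        if (req.getQueryString() != null) {
            url.append('?').append(req.getQueryString());
        }
        return url.toString();
    }

    /** Constructed request used for the demonstration in main(). */
    static class FakeRequest implements RequestView {
        final boolean secure; final String remote; final Map<String, String> headers;
        FakeRequest(boolean secure, String remote, String headerName, String headerValue) {
            this.secure = secure; this.remote = remote;
            this.headers = new HashMap<String, String>();
            if (headerName != null) headers.put(headerName, headerValue);
        }
        public boolean isSecure() { return secure; }
        public String getHeader(String n) { return headers.get(n); }
        public String getRemoteAddr() { return remote; }
        public String getServerName() { return "blogs.example.org"; }
        public String getRequestURI() { return "/editor/yourProfile.do"; }
        public String getQueryString() { return "method=edit"; }
    }

    public static void main(String[] args) {
        Config cfg = new Config();
        cfg.httpsHeaderName = "X-Forwarded-Proto";
        cfg.httpsHeaderValue = "https";
        cfg.trustedProxyAddr = "10.0.0.5";              // constructed proxy address

        // Through the proxy, which terminated TLS and set the header.
        RequestView viaProxy = new FakeRequest(false, "10.0.0.5", "X-Forwarded-Proto", "https");
        // Straight to the container over plain HTTP, header forged by the client.
        RequestView forged = new FakeRequest(false, "203.0.113.9", "X-Forwarded-Proto", "https");
        // Through the proxy, but the proxy saw plain HTTP.
        RequestView plain = new FakeRequest(false, "10.0.0.5", "X-Forwarded-Proto", "http");

        System.out.println("via proxy secure: " + isSecure(viaProxy, cfg));
        System.out.println("forged secure:    " + isSecure(forged, cfg));
        System.out.println("plain secure:     " + isSecure(plain, cfg));
        if (!isSecure(plain, cfg)) {
            System.out.println("redirect to " + httpsUrl(plain, cfg));
        }
    }
}
```

Only the first request counts as secure: the forged one carries the right header but did not come from the proxy, so the check falls back to the container's own isSecure(), which is false for a direct plain-HTTP connection. In a Struts action the redirect would be issued with response.sendRedirect(httpsUrl(...)) followed by return null, since the response is then already committed.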
