Nicely done Dave.
I had thought the Acegi stuff for setting the secure urls would have been
easier, but oh well. That's always one of the drawbacks to using new
frameworks, there is often a steep learning curve :/
-- Allen
On Tue, 2006-01-10 at 07:36, David M Johnson wrote:
> OK, Roller now does scheme enforcement via Acegi configured via
> roller.properties. Since I'm new to Acegi, I've summarized the
> changes below for your review.
>
> - Dave
>
>
> ========== roller.properties
>
> If you want to protect URLs by using HTTPS, you simply turn on scheme
> enforcement in your roller.properties override file. You can use Ant-
> style URL patterns to specify which URLs need HTTPS. For example,
> this turns on HTTPS for the user profile and admin pages:
>
> # Enable scheme enforcement?
> # Scheme enforcement ensures that specific URLs are viewed only
> via HTTPS
> schemeenforcement.enabled=true
> # URL patterns that require HTTPS
> schemeenforcement.https.urls=/editor/yourProfile.do*,/admin/
> user.do*
>
> Like secure login, scheme enforcement defaults to false.
>
> Note that I don't list the login pages as those are already
> configured via the securelogin.enabled property.
>
>
> ========== RollerContext.java : initializeSecurityFeatures()
>
> Inside Roller's context init, here's what we do to tell Acegi about
> our protected URLs:
>
> if (RollerConfig.getBooleanProperty
> ("schemeenforcement.enabled")) {
>
> ChannelProcessingFilter procfilter =
> (ChannelProcessingFilter)ctx.getBean
> ("channelProcessingFilter");
> ConfigAttributeDefinition secureDef = new
> ConfigAttributeDefinition();
> secureDef.addConfigAttribute(new SecurityConfig
> ("REQUIRES_SECURE_CHANNEL"));
> ConfigAttributeDefinition insecureDef = new
> ConfigAttributeDefinition();
> insecureDef.addConfigAttribute(new SecurityConfig
> ("REQUIRES_INSECURE_CHANNEL"));
> PathBasedFilterInvocationDefinitionMap defmap =
> (PathBasedFilterInvocationDefinitionMap)
> procfilter.getFilterInvocationDefinitionSource();
>
> // add HTTPS URL path patterns to Acegi config
> String httpsUrlsProp = RollerConfig.getProperty
> ("schemeenforcement.https.urls");
> if (httpsUrlsProp != null) {
> String[] httpsUrls = StringUtils.stripAll
> (StringUtils.split(httpsUrlsProp, ",") );
> for (int i=0; i<httpsUrls.length; i++) {
> defmap.addSecureUrl(httpsUrls[i], secureDef);
> }
> }
> // all other action URLs are non-HTTPS
> defmap.addSecureUrl("/**/*.do*", insecureDef);
> }
>
> It wasn't exactly easy to figure out how to do that, BTW.
>
>
> ========== Cleanup
>
> We don't use these anymore so I deleted them:
>
> SslUtil.java
> SecureTag.java
> SchemeEnforcementFilter.java
> securelogin.http.port property
> securelogin.https.port property
> securelogin.https.headername property
> securelogin.https.headervalue property
>
>
>
>
>
>
>
>
> On Jan 9, 2006, at 12:26 PM, Matt Raible wrote:
>
> > On 1/9/06, Allen Gilliland <[EMAIL PROTECTED]> wrote:
> >> Matt is the authority on Acegi, but I believe there is a way to
> >> list the
> >> urls that Acegi should guarantee for SSL transport in the
> >> security.xml.
> >> Then Acegi takes care of the protocol switching. Right now I don't
> >> think some of our secure login property info is being mapped to the
> >> Acegi config, so we still need to do that.
> >
> > I believe I did handle this as part of the integration, but didn't
> > test it. If it doesn't work, let me know and I'll fix it.
> >
> >>
> >> I definitely think that we shouldn't need the old "secure" tag
> >> that we
> >> were using and I'm also not sure that we need to continue with old
> >> secureheader stuff. I've moved the secureheader stuff outside of
> >> Roller
> >> for blogs.sun.com and I think that's the proper place for it.
> >
> > Right, Acegi Security should be able to handle anything that the
> > "secure" tag did. Also, I didn't account for the secureheader stuff,
> > so moving it outside Roller would be great. ;-)
> >
> >>
> >> -- Allen
> >>
> >>
> >> On Mon, 2006-01-09 at 07:47, Dave Johnson wrote:
> >>> Regarding:
> >>> http://opensource2.atlassian.com/projects/roller/browse/ROL-989
> >>>
> >>> The user profile page allows a user to change his/her password and
> >>> sends passwords in the clear, so I'd to make it more secure for
> >>> sites
> >>> that require HTTPS for logins. The easiest way to do this seems
> >>> to be
> >>> to force HTTPS on that page and that's what I've done in my local
> >>> workspace.
> >>>
> >>> Here's a summary of my changes (code is below): inside the
> >>> YourProfileAction.edit() method, I check to see if secure login is
> >>> enabled. If secure login is enabled but the current request is not
> >>> secure, I redirect to a secure version of the URL.
> >>>
> >>> I have two questions before I continue this work and add the same
> >>> code
> >>> to user-admin:
> >>> 1) Is this the right way to do this, given that we're now using
> >>> Acegi?
> >
> > You shouldn't need any code, just configure it in security.xml.
> > Unfortunately, I don't think there's a way to say "only require SSL if
> > secure login is enabled". ;-)
> >
> > ... so maybe you will need some code.
> >
> > Matt
> >
> >>> 2) Do we need the <roller:secure> tag on any of our pages
> >>> anymore, now
> >>> that we're using Acegi?
> >>>
> >>> - Dave
> >>>
> >>>
> >>>
> >>> PS: here are the specific changes:
> >>>
> >>>
> >>> ==================== roller.properties
> >>>
> >>> Roller properties needs to change to allow the YourProfileAction to
> >>> run under HTTPS.
> >>>
> >>> schemeenforcement.https.urls=/j_security_check,/auth,/login-
> >>> redirect.jsp,/login.jsp,/editor/yourProfile.do
> >>>
> >>>
> >>>
> >>> ==================== YourProfileAction.java
> >>>
> >>> The YourProfileAction.java method needs code to test for
> >>> securelogin.enabled and isSecure(). We can't use the <roller:secure>
> >>> tag on the JSP page because by the time we get there the response is
> >>> already committed.
> >>>
> >>>
> >>> ActionForward forward =
> >>> mapping.findForward("yourProfile.page");
> >>> try
> >>> {
> >>> + if
> >>> (RollerConfig.getBooleanProperty("securelogin.enabled") &&
> >>> !SslUtil.isSecure(request)) {
> >>> + response.sendRedirect(SslUtil.getRedirectString(
> >>> + request,
> >>> request.getSession().getServletContext(), true));
> >>> + return mapping.findForward("access-denied");
> >>> + }
> >>> RollerSession rollerSession =
> >>> RollerSession.getRollerSession(request);
> >>> UserData ud = rollerSession.getAuthenticatedUser();
> >>> UserFormEx form = (UserFormEx)actionForm;
> >>>
> >>>
> >>>
> >>> ==================== SslUtil.java
> >>>
> >>> We need a way to test isSecure() using the appropirate properties:
> >>>
> >>> + /**
> >>> + * Test for HTTPS connection by using request.isSecure() or,
> >>> + * if httpsHeaderName is set, test for reqest header instead.
> >>> + * If httpsHeaderValue is also set, test for that specific
> >>> value.
> >>> + */
> >>> + public static boolean isSecure(HttpServletRequest request) {
> >>> + String httpsHeaderName =
> >>> RollerConfig.getProperty("securelogin.https.headername");
> >>> + String httpsHeaderValue =
> >>> RollerConfig.getProperty("securelogin.https.headervalue");
> >>> + boolean secure = false;
> >>> + if (httpsHeaderName == null) {
> >>> + secure = request.isSecure();
> >>> + } else {
> >>> + String headerValue = request.getHeader
> >>> (httpsHeaderName);
> >>> + if (headerValue != null && headerValue.trim().length
> >>> () >
> >>> 0) {
> >>> + secure = httpsHeaderValue==null ||
> >>> httpsHeaderValue.equals(headerValue);
> >>> + }
> >>> + }
> >>> + return secure;
> >>> + }
> >>> +
> >>>
> >>
> >>
>
