You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@roller.apache.org by ag...@apache.org on 2005/09/21 02:54:14 UTC
svn commit: r290594 - in /incubator/roller/branches/roller_2.0:
metadata/xdoclet/filter-mappings.xml
src/org/roller/presentation/filters/SchemeEnforcementFilter.java
web/WEB-INF/classes/roller.properties
Author: agilliland
Date: Tue Sep 20 17:54:10 2005
New Revision: 290594
URL: http://svn.apache.org/viewcvs?rev=290594&view=rev
Log:
new scheme enforcement filter.
this is a new filter that can be configured to only allow certain urls to be accessed under https for Roller sites that use scheme switching for logins, etc.
Added:
incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java
Modified:
incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml
incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties
Modified: incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml
URL: http://svn.apache.org/viewcvs/incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml?rev=290594&r1=290593&r2=290594&view=diff
==============================================================================
--- incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml (original)
+++ incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml Tue Sep 20 17:54:10 2005
@@ -26,6 +26,11 @@
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
+<filter-mapping>
+ <filter-name>SchemeEnforcementFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+</filter-mapping>
+
<!-- Map everything to the PersistenceSessionFilter.
NOTE: Any filters preceding this one MUST NOT use persistence sessions.-->
<filter-mapping>
Added: incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java
URL: http://svn.apache.org/viewcvs/incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java?rev=290594&view=auto
==============================================================================
--- incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java (added)
+++ incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java Tue Sep 20 17:54:10 2005
@@ -0,0 +1,161 @@
+/*
+ * SchemeEnforcementFilter.java
+ *
+ * Created on September 16, 2005, 3:17 PM
+ */
+
+package org.roller.presentation.filters;
+
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.roller.config.RollerConfig;
+
+
+/**
+ * The SchemeEnforcementFilter is provided for Roller sites that enable secure
+ * logins and want to ensure that only login urls are used under https.
+ *
+ * @author Allen Gilliland
+ *
+ * @web.filter name="SchemeEnforcementFilter"
+ */
+public class SchemeEnforcementFilter implements Filter {
+
+ private static Log mLogger =
+ LogFactory.getLog(SchemeEnforcementFilter.class);
+
+ private FilterConfig filterConfig = null;
+
+ private boolean schemeEnforcementEnabled = false;
+ private boolean secureLoginEnabled = false;
+ private int httpPort = 80;
+ private int httpsPort = 443;
+ private String httpsHeaderName = null;
+ private String httpsHeaderValue = null;
+
+ private Set allowedUrls = new HashSet();
+
+
+ /**
+ * Process filter.
+ *
+ * We'll take the incoming request and first determine if this is a
+ * secure request. If the request is secure then we'll see if it matches
+ * one of the allowed secure urls, if not then we will redirect back out
+ * of https.
+ */
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain)
+ throws IOException, ServletException {
+
+ if(this.schemeEnforcementEnabled && this.secureLoginEnabled) {
+
+ HttpServletRequest req = (HttpServletRequest) request;
+ HttpServletResponse res = (HttpServletResponse) response;
+
+ mLogger.debug("checking path = "+req.getServletPath());
+
+ // first determine if request is secure
+ boolean requestIsSecure = request.isSecure();
+ if(!requestIsSecure && this.httpsHeaderName != null) {
+ // try checking custom header
+ String value = req.getHeader(this.httpsHeaderName);
+ if(value != null && value.equals(this.httpsHeaderValue))
+ requestIsSecure = true;
+ }
+
+ // if request is secure then see if it's an allowable https url
+ if(requestIsSecure && !allowedUrls.contains(req.getServletPath())) {
+ String redirect = "http://"+req.getServerName();
+
+ if(this.httpPort != 80)
+ redirect += ":"+this.httpPort;
+
+ redirect += req.getRequestURI();
+
+ if(req.getQueryString() != null)
+ redirect += "?"+req.getQueryString();
+
+ mLogger.debug("Redirecting to "+redirect);
+ res.sendRedirect(redirect);
+ return;
+ }
+ }
+
+ chain.doFilter(request, response);
+ }
+
+
+ public void destroy() {}
+
+
+ /**
+ * Filter init.
+ *
+ * We are just collecting init properties which we'll use for each request.
+ */
+ public void init(FilterConfig filterConfig) {
+ this.filterConfig = filterConfig;
+
+ // determine if we are doing scheme enforcement
+ this.schemeEnforcementEnabled =
+ RollerConfig.getBooleanProperty("schemeenforcement.enabled");
+ this.secureLoginEnabled =
+ RollerConfig.getBooleanProperty("securelogin.enabled");
+
+ if(this.schemeEnforcementEnabled && this.secureLoginEnabled) {
+ // gather some more properties
+ String http_port =
+ RollerConfig.getProperty("securelogin.http.port");
+ String https_port =
+ RollerConfig.getProperty("securelogin.https.port");
+
+ try {
+ this.httpPort = Integer.parseInt(http_port);
+ this.httpsPort = Integer.parseInt(https_port);
+ } catch(NumberFormatException nfe) {
+ // ignored ... guess we'll have to use the defaults
+ mLogger.warn("error with secure login ports", nfe);
+ }
+
+ // also note if we are using a custom https header
+ String header =
+ RollerConfig.getProperty("securelogin.https.headername");
+ String headerValue =
+ RollerConfig.getProperty("securelogin.https.headervalue");
+
+ if(header != null && headerValue != null) {
+ this.httpsHeaderName = header;
+ this.httpsHeaderValue = headerValue;
+ }
+
+ // finally, construct our list of allowable https urls
+ String urls =
+ RollerConfig.getProperty("schemeenforcement.https.urls");
+ String[] urlsArray = urls.split(",");
+ for(int i=0; i < urlsArray.length; i++)
+ this.allowedUrls.add(urlsArray[i]);
+
+ // some logging for the curious
+ mLogger.info("Scheme enforcement = enabled");
+ if(mLogger.isDebugEnabled()) {
+ mLogger.debug("allowed urls are:");
+ for(Iterator it = this.allowedUrls.iterator(); it.hasNext();)
+ mLogger.debug(it.next());
+ }
+ }
+ }
+
+}
Modified: incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties
URL: http://svn.apache.org/viewcvs/incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties?rev=290594&r1=290593&r2=290594&view=diff
==============================================================================
--- incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties (original)
+++ incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties Tue Sep 20 17:54:10 2005
@@ -94,6 +94,14 @@
# to simply check for the existance of the header.
#securelogin.https.headervalue=
+# enable scheme enforcement?
+# scheme enforcement ensures that only specific urls are accessed under https
+# this is typically good because it keeps people from browsing a site in https
+schemeenforcement.enabled=true
+# https urls allowed by scheme enforcer, all other urls are redirected to http
+schemeenforcement.https.urls=/j_security_check,/auth,/login-redirect.jsp,\
+/login.jsp
+
# Password security settings. Warning enabling password encryption may make
# if more difficult to support the Atom Protocol (due in Fall 2005).
passwds.encryption.enabled=false
Re: svn commit: r290594 - in /incubator/roller/branches/roller_2.0: metadata/xdoclet/filter-mappings.xml src/org/roller/presentation/filters/SchemeEnforcementFilter.java web/WEB-INF/classes/roller.properties
Posted by Matt Raible <mr...@gmail.com>.
FWIW, Acegi Security has built-in support for SSL Switching, so this
would be another class that could be removed if we integrated Acegi.
http://acegisecurity.sourceforge.net/docbook/acegi.html#security-channels
Matt
On 9/20/05, agilliland@apache.org <ag...@apache.org> wrote:
> Author: agilliland
> Date: Tue Sep 20 17:54:10 2005
> New Revision: 290594
>
> URL: http://svn.apache.org/viewcvs?rev=290594&view=rev
> Log:
> new scheme enforcement filter.
> this is a new filter that can be configured to only allow certain urls to be accessed under https for Roller sites that use scheme switching for logins, etc.
>
>
> Added:
> incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java
> Modified:
> incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml
> incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties
>
> Modified: incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml
> URL: http://svn.apache.org/viewcvs/incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml?rev=290594&r1=290593&r2=290594&view=diff
> ==============================================================================
> --- incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml (original)
> +++ incubator/roller/branches/roller_2.0/metadata/xdoclet/filter-mappings.xml Tue Sep 20 17:54:10 2005
> @@ -26,6 +26,11 @@
> <dispatcher>FORWARD</dispatcher>
> </filter-mapping>
>
> +<filter-mapping>
> + <filter-name>SchemeEnforcementFilter</filter-name>
> + <url-pattern>/*</url-pattern>
> +</filter-mapping>
> +
> <!-- Map everything to the PersistenceSessionFilter.
> NOTE: Any filters preceding this one MUST NOT use persistence sessions.-->
> <filter-mapping>
>
> Added: incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java
> URL: http://svn.apache.org/viewcvs/incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java?rev=290594&view=auto
> ==============================================================================
> --- incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java (added)
> +++ incubator/roller/branches/roller_2.0/src/org/roller/presentation/filters/SchemeEnforcementFilter.java Tue Sep 20 17:54:10 2005
> @@ -0,0 +1,161 @@
> +/*
> + * SchemeEnforcementFilter.java
> + *
> + * Created on September 16, 2005, 3:17 PM
> + */
> +
> +package org.roller.presentation.filters;
> +
> +import java.io.IOException;
> +import java.util.HashSet;
> +import java.util.Iterator;
> +import java.util.Set;
> +import javax.servlet.Filter;
> +import javax.servlet.FilterChain;
> +import javax.servlet.FilterConfig;
> +import javax.servlet.ServletException;
> +import javax.servlet.ServletRequest;
> +import javax.servlet.ServletResponse;
> +import javax.servlet.http.HttpServletRequest;
> +import javax.servlet.http.HttpServletResponse;
> +import org.apache.commons.logging.Log;
> +import org.apache.commons.logging.LogFactory;
> +import org.roller.config.RollerConfig;
> +
> +
> +/**
> + * The SchemeEnforcementFilter is provided for Roller sites that enable secure
> + * logins and want to ensure that only login urls are used under https.
> + *
> + * @author Allen Gilliland
> + *
> + * @web.filter name="SchemeEnforcementFilter"
> + */
> +public class SchemeEnforcementFilter implements Filter {
> +
> + private static Log mLogger =
> + LogFactory.getLog(SchemeEnforcementFilter.class);
> +
> + private FilterConfig filterConfig = null;
> +
> + private boolean schemeEnforcementEnabled = false;
> + private boolean secureLoginEnabled = false;
> + private int httpPort = 80;
> + private int httpsPort = 443;
> + private String httpsHeaderName = null;
> + private String httpsHeaderValue = null;
> +
> + private Set allowedUrls = new HashSet();
> +
> +
> + /**
> + * Process filter.
> + *
> + * We'll take the incoming request and first determine if this is a
> + * secure request. If the request is secure then we'll see if it matches
> + * one of the allowed secure urls, if not then we will redirect back out
> + * of https.
> + */
> + public void doFilter(ServletRequest request, ServletResponse response,
> + FilterChain chain)
> + throws IOException, ServletException {
> +
> + if(this.schemeEnforcementEnabled && this.secureLoginEnabled) {
> +
> + HttpServletRequest req = (HttpServletRequest) request;
> + HttpServletResponse res = (HttpServletResponse) response;
> +
> + mLogger.debug("checking path = "+req.getServletPath());
> +
> + // first determine if request is secure
> + boolean requestIsSecure = request.isSecure();
> + if(!requestIsSecure && this.httpsHeaderName != null) {
> + // try checking custom header
> + String value = req.getHeader(this.httpsHeaderName);
> + if(value != null && value.equals(this.httpsHeaderValue))
> + requestIsSecure = true;
> + }
> +
> + // if request is secure then see if it's an allowable https url
> + if(requestIsSecure && !allowedUrls.contains(req.getServletPath())) {
> + String redirect = "http://"+req.getServerName();
> +
> + if(this.httpPort != 80)
> + redirect += ":"+this.httpPort;
> +
> + redirect += req.getRequestURI();
> +
> + if(req.getQueryString() != null)
> + redirect += "?"+req.getQueryString();
> +
> + mLogger.debug("Redirecting to "+redirect);
> + res.sendRedirect(redirect);
> + return;
> + }
> + }
> +
> + chain.doFilter(request, response);
> + }
> +
> +
> + public void destroy() {}
> +
> +
> + /**
> + * Filter init.
> + *
> + * We are just collecting init properties which we'll use for each request.
> + */
> + public void init(FilterConfig filterConfig) {
> + this.filterConfig = filterConfig;
> +
> + // determine if we are doing scheme enforcement
> + this.schemeEnforcementEnabled =
> + RollerConfig.getBooleanProperty("schemeenforcement.enabled");
> + this.secureLoginEnabled =
> + RollerConfig.getBooleanProperty("securelogin.enabled");
> +
> + if(this.schemeEnforcementEnabled && this.secureLoginEnabled) {
> + // gather some more properties
> + String http_port =
> + RollerConfig.getProperty("securelogin.http.port");
> + String https_port =
> + RollerConfig.getProperty("securelogin.https.port");
> +
> + try {
> + this.httpPort = Integer.parseInt(http_port);
> + this.httpsPort = Integer.parseInt(https_port);
> + } catch(NumberFormatException nfe) {
> + // ignored ... guess we'll have to use the defaults
> + mLogger.warn("error with secure login ports", nfe);
> + }
> +
> + // also note if we are using a custom https header
> + String header =
> + RollerConfig.getProperty("securelogin.https.headername");
> + String headerValue =
> + RollerConfig.getProperty("securelogin.https.headervalue");
> +
> + if(header != null && headerValue != null) {
> + this.httpsHeaderName = header;
> + this.httpsHeaderValue = headerValue;
> + }
> +
> + // finally, construct our list of allowable https urls
> + String urls =
> + RollerConfig.getProperty("schemeenforcement.https.urls");
> + String[] urlsArray = urls.split(",");
> + for(int i=0; i < urlsArray.length; i++)
> + this.allowedUrls.add(urlsArray[i]);
> +
> + // some logging for the curious
> + mLogger.info("Scheme enforcement = enabled");
> + if(mLogger.isDebugEnabled()) {
> + mLogger.debug("allowed urls are:");
> + for(Iterator it = this.allowedUrls.iterator(); it.hasNext();)
> + mLogger.debug(it.next());
> + }
> + }
> + }
> +
> +}
>
> Modified: incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties
> URL: http://svn.apache.org/viewcvs/incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties?rev=290594&r1=290593&r2=290594&view=diff
> ==============================================================================
> --- incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties (original)
> +++ incubator/roller/branches/roller_2.0/web/WEB-INF/classes/roller.properties Tue Sep 20 17:54:10 2005
> @@ -94,6 +94,14 @@
> # to simply check for the existance of the header.
> #securelogin.https.headervalue=
>
> +# enable scheme enforcement?
> +# scheme enforcement ensures that only specific urls are accessed under https
> +# this is typically good because it keeps people from browsing a site in https
> +schemeenforcement.enabled=true
> +# https urls allowed by scheme enforcer, all other urls are redirected to http
> +schemeenforcement.https.urls=/j_security_check,/auth,/login-redirect.jsp,\
> +/login.jsp
> +
> # Password security settings. Warning enabling password encryption may make
> # if more difficult to support the Atom Protocol (due in Fall 2005).
> passwds.encryption.enabled=false
>
>
>