Posted to dev@roller.apache.org by Dave Johnson <Da...@Sun.COM> on 2006/01/09 16:47:09 UTC

How to make the user profile and user admin pages more secure

Regarding: http://opensource2.atlassian.com/projects/roller/browse/ROL-989

The user profile page allows a user to change his/her password and
sends passwords in the clear, so I'd like to make it more secure for sites
that require HTTPS for logins. The easiest way to do this seems to be
to force HTTPS on that page and that's what I've done in my local
workspace.

Here's a summary of my changes (code is below): inside the  
YourProfileAction.edit() method, I check to see if secure login is  
enabled. If secure login is enabled but the current request is not  
secure, I redirect to a secure version of the URL.

I have two questions before I continue this work and add the same  
code to user-admin:
1) Is this the right way to do this, given that we're now using Acegi?
2) Do we need the <roller:secure> tag on any of our pages anymore,  
now that we're using Acegi?

- Dave



PS: here are the specific changes:


==================== roller.properties

Roller properties needs to change to allow the YourProfileAction to  
run under HTTPS.

schemeenforcement.https.urls=/j_security_check,/auth,/login-redirect.jsp,/login.jsp,/editor/yourProfile.do



==================== YourProfileAction.java

The YourProfileAction.java method needs code to test for  
securelogin.enabled and isSecure(). We can't use the <roller:secure>  
tag on the JSP page because by the time we get there the response is  
already committed.


          ActionForward forward = mapping.findForward 
("yourProfile.page");
          try
          {
+            if (RollerConfig.getBooleanProperty 
("securelogin.enabled") && !SslUtil.isSecure(request)) {
+                response.sendRedirect(SslUtil.getRedirectString(
+                    request, request.getSession().getServletContext 
(), true));
+                return mapping.findForward("access-denied");
+            }
              RollerSession rollerSession =  
RollerSession.getRollerSession(request);
              UserData ud = rollerSession.getAuthenticatedUser();
              UserFormEx form = (UserFormEx)actionForm;
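Review bot: `return mapping.findForward("access-denied")` after `response.sendRedirect(...)` hands Struts a forward on a response that the redirect has already committed, and the container's forward on a committed response fails with IllegalStateException; return null once the redirect has been sent. The guard also covers only `edit()`: whichever action receives the submitted form is the request that carries the new password, and redirecting that request to HTTPS after it arrives does not undo a cleartext POST, so the form must be rendered with an HTTPS action URL and the submit path guarded the same way. Finally, the condition keys on `securelogin.enabled` while the properties change above registers the URL under `schemeenforcement.https.urls`; a site that sets one but not the other gets half the protection, so drive both off the same property.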



==================== SslUtil.java

We need a way to test isSecure() using the appropriate properties:

+    /**
+     * Test for HTTPS connection by using request.isSecure() or,
+     * if httpsHeaderName is set, test for reqest header instead.
+     * If httpsHeaderValue is also set, test for that specific value.
+     */
+    public static boolean isSecure(HttpServletRequest request) {
+        String httpsHeaderName = RollerConfig.getProperty 
("securelogin.https.headername");
+        String httpsHeaderValue = RollerConfig.getProperty 
("securelogin.https.headervalue");
+        boolean secure = false;
+        if (httpsHeaderName == null) {
+            secure = request.isSecure();
+        } else {
+            String headerValue = request.getHeader(httpsHeaderName);
+            if (headerValue != null && headerValue.trim().length() >  
0) {
+                secure = httpsHeaderValue==null ||  
httpsHeaderValue.equals(headerValue);
+            }
+        }
+        return secure;
+    }
+
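Review bot: once `securelogin.https.headername` is set, `isSecure()` trusts a request header and never consults `request.isSecure()`, so any client can send that header over plain HTTP and be treated as secure unless a front-end proxy is guaranteed to overwrite it on every request; document that requirement where the property is defined, and consider `request.isSecure() || <header check>` so a direct TLS connection is still recognised when the header is configured. Leaving `securelogin.https.headervalue` unset accepts any non-blank value, which widens the same hole. Minor: the non-empty test uses `headerValue.trim()` but the comparison uses the untrimmed value, so a padded header passes the first test and fails the second; compare the trimmed value. Javadoc typo: "reqest".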


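The header-based HTTPS check described in the post, and its weak spot, modelled in Python as an added example that is not code from Roller or from the post: the posted decision is ported as `is_secure_as_posted` and placed beside a hardened variant that honours the header only when it arrives from a trusted proxy. The `Request` class (a stand-in for HttpServletRequest), the `X-Forwarded-Proto` header, the proxy address range and the sample requests are all constructed assumptions.

```python
"""Added example, not code from Roller or the post: the SslUtil.isSecure()
decision ported to Python beside a hardened variant. The Request class
stands in for HttpServletRequest; header name, proxy range and sample
requests are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    is_secure: bool                       # what request.isSecure() would say
    remote_addr: str                      # what request.getRemoteAddr() would say
    headers: dict = field(default_factory=dict)

    def get_header(self, name):
        # HTTP header names are case-insensitive, as with getHeader().
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_secure_as_posted(req, header_name=None, header_value=None):
    """Same branches as the posted isSecure(): once a header name is
    configured the header alone decides and isSecure() is never consulted;
    with no configured value, any non-blank header counts as HTTPS."""
    if header_name is None:
        return req.is_secure
    value = req.get_header(header_name)
    if value is not None and value.strip():
        return header_value is None or header_value == value  # untrimmed compare
    return False


def is_secure_hardened(req, header_name=None, header_value=None,
                       trusted_proxies=()):
    """A TLS hop always counts. The header is honoured only when the peer is
    inside trusted_proxies (hypothetical setting) and a required value is
    configured and matches after trimming, so a client cannot assert HTTPS."""
    if req.is_secure:
        return True
    if header_name is None or header_value is None:
        return False
    peer = ipaddress.ip_address(req.remote_addr)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return False                      # header may be client-supplied
    value = req.get_header(header_name)
    return value is not None and value.strip() == header_value


def demo():
    """Constructed requests; keys name the case, values are the decisions."""
    cfg = dict(header_name="X-Forwarded-Proto", header_value="https")
    proxies = ["10.0.0.0/8"]
    spoof = Request(False, "203.0.113.9", {"X-Forwarded-Proto": "https"})
    via_proxy = Request(False, "10.0.0.2", {"x-forwarded-proto": "https"})
    padded = Request(False, "10.0.0.2", {"X-Forwarded-Proto": " https "})
    direct_tls = Request(True, "203.0.113.9")
    return {
        "posted_spoof": is_secure_as_posted(spoof, **cfg),
        "hardened_spoof": is_secure_hardened(spoof, trusted_proxies=proxies, **cfg),
        "posted_via_proxy": is_secure_as_posted(via_proxy, **cfg),
        "hardened_via_proxy": is_secure_hardened(via_proxy, trusted_proxies=proxies, **cfg),
        "posted_padded": is_secure_as_posted(padded, **cfg),
        "hardened_padded": is_secure_hardened(padded, trusted_proxies=proxies, **cfg),
        "posted_direct_tls": is_secure_as_posted(direct_tls, **cfg),
        "hardened_direct_tls": is_secure_hardened(direct_tls, trusted_proxies=proxies, **cfg),
    }


if __name__ == "__main__":
    for case, secure in demo().items():
        print(f"{case:22} -> {secure}")
```

The `spoof` case is the one to look at: a plain-HTTP client that sends the configured header is "secure" under the posted logic and rejected under the hardened one, because the header is only believed when the immediate peer is the proxy. The `direct_tls` case shows the posted logic ignoring a real TLS connection once a header name is configured, and `padded` shows the trim mismatch.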
Re: How to make the user profile and user admin pages more secure

Posted by Matt Raible <mr...@gmail.com>.
Looks good Dave - thanks for doing this.

Matt


Re: How to make the user profile and user admin pages more secure

Posted by Allen Gilliland <Al...@Sun.COM>.
Nicely done Dave.

I had thought the Acegi stuff for setting the secure urls would have been easier, but oh well.  That's always one of the drawbacks to using new frameworks, there is often a steep learning curve :/

-- Allen




Re: How to make the user profile and user admin pages more secure

Posted by David M Johnson <Da...@Sun.COM>.
OK, Roller now does scheme enforcement via Acegi configured via  
roller.properties. Since I'm new to Acegi, I've summarized the  
changes below for your review.

- Dave


========== roller.properties

If you want to protect URLs by using HTTPS, you simply turn on scheme
enforcement in your roller.properties override file. You can use
Ant-style URL patterns to specify which URLs need HTTPS. For example,
this turns on HTTPS for the user profile and admin pages:

     # Enable scheme enforcement?
     # Scheme enforcement ensures that specific URLs are viewed only via HTTPS
     schemeenforcement.enabled=true
     # URL patterns that require HTTPS
     schemeenforcement.https.urls=/editor/yourProfile.do*,/admin/user.do*

Like secure login, scheme enforcement defaults to false.

Note that I don't list the login pages as those are already  
configured via the securelogin.enabled property.


========== RollerContext.java : initializeSecurityFeatures()

Inside Roller's context init, here's what we do to tell Acegi about  
our protected URLs:

        if (RollerConfig.getBooleanProperty("schemeenforcement.enabled")) {

            ChannelProcessingFilter procfilter =
                (ChannelProcessingFilter)ctx.getBean("channelProcessingFilter");
            ConfigAttributeDefinition secureDef = new ConfigAttributeDefinition();
            secureDef.addConfigAttribute(new SecurityConfig("REQUIRES_SECURE_CHANNEL"));
            ConfigAttributeDefinition insecureDef = new ConfigAttributeDefinition();
            insecureDef.addConfigAttribute(new SecurityConfig("REQUIRES_INSECURE_CHANNEL"));
            PathBasedFilterInvocationDefinitionMap defmap =
                (PathBasedFilterInvocationDefinitionMap)procfilter.getFilterInvocationDefinitionSource();

            // add HTTPS URL path patterns to Acegi config
            String httpsUrlsProp = RollerConfig.getProperty("schemeenforcement.https.urls");
            if (httpsUrlsProp != null) {
                String[] httpsUrls = StringUtils.stripAll(StringUtils.split(httpsUrlsProp, ","));
                for (int i=0; i<httpsUrls.length; i++) {
                    defmap.addSecureUrl(httpsUrls[i], secureDef);
                }
            }
            // all other action URLs are non-HTTPS
            defmap.addSecureUrl("/**/*.do*", insecureDef);
        }

It wasn't exactly easy to figure out how to do that, BTW.


========== Cleanup

We don't use these anymore so I deleted them:

     SslUtil.java
     SecureTag.java
     SchemeEnforcementFilter.java
     securelogin.http.port property
     securelogin.https.port property
     securelogin.https.headername property
     securelogin.https.headervalue property


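The channel decision that the configuration above feeds into, as an added example (Python, not Acegi's or Roller's code) that models a path-based definition map with first-match-wins ordering and shows what the insecure catch-all does to the other action URLs. The Ant-pattern translation, the `blog.example` host and the URLs are constructed; the model is case-sensitive and ignores non-default ports, both assumptions. It goes beyond the post by also showing what happens when the catch-all is registered before the HTTPS patterns.

```python
"""Added example, not Acegi's or Roller's code: a model of the path-based
channel decision the post configures. Pattern translation, host and URLs
are constructed; case-sensitive matching and default ports are assumed."""
import re
from urllib.parse import urlsplit, urlunsplit

SECURE = "REQUIRES_SECURE_CHANNEL"
INSECURE = "REQUIRES_INSECURE_CHANNEL"


def ant_to_regex(pattern):
    """'**' spans path segments ('/**/' may match none), '*' stays within a
    segment, '?' is one character; everything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out.append("(?:/|/.*/)")
            i += 4
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def build_definition_map(https_urls, insecure_catch_all=True):
    """Entries in the order the post adds them: the configured HTTPS patterns
    first, then '/**/*.do*' marked insecure. The first match wins."""
    entries = [(ant_to_regex(p), SECURE) for p in https_urls]
    if insecure_catch_all:
        entries.append((ant_to_regex("/**/*.do*"), INSECURE))
    return entries


def required_channel(defmap, path):
    for regex, attribute in defmap:
        if regex.match(path):
            return attribute
    return None                           # unmatched: no enforcement at all


def enforce(defmap, url):
    """The redirect a channel filter would issue for this URL, or None."""
    parts = urlsplit(url)
    attribute = required_channel(defmap, parts.path)
    if attribute == SECURE and parts.scheme != "https":
        return urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))
    if attribute == INSECURE and parts.scheme != "http":
        return urlunsplit(("http", parts.hostname, parts.path, parts.query, ""))
    return None


def demo():
    """Constructed URLs against the two patterns from the post."""
    patterns = ["/editor/yourProfile.do*", "/admin/user.do*"]
    defmap = build_definition_map(patterns)
    no_catch_all = build_definition_map(patterns, insecure_catch_all=False)
    # Same patterns, but the catch-all registered first: it shadows them.
    shadowed = [(ant_to_regex("/**/*.do*"), INSECURE)] + no_catch_all
    return {
        "profile_over_http": enforce(defmap, "http://blog.example/editor/yourProfile.do?method=edit"),
        "profile_over_https": enforce(defmap, "https://blog.example/editor/yourProfile.do"),
        "other_action_over_https": enforce(defmap, "https://blog.example/editor/weblog.do"),
        "static_over_https": enforce(defmap, "https://blog.example/roller-ui/styles/roller.css"),
        "no_catch_all": enforce(no_catch_all, "https://blog.example/editor/weblog.do"),
        "shadowed_profile": required_channel(shadowed, "/editor/yourProfile.do"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} -> {outcome}")
```

Two things the sample URLs show. `/editor/yourProfile.do` over HTTP is sent to HTTPS as intended, but an unlisted action such as `/editor/weblog.do` requested over HTTPS is sent back to plain HTTP, and the browser follows that redirect with the session cookie attached unless the cookie carries the Secure flag; a site that wants everything over HTTPS should leave the insecure catch-all out (the `no_catch_all` case) rather than rely on it. Registering the catch-all before the HTTPS patterns shadows every one of them, because the first matching entry decides.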

Re: How to make the user profile and user admin pages more secure

Posted by Matt Raible <mr...@gmail.com>.
On 1/9/06, Allen Gilliland <Al...@sun.com> wrote:
> Matt is the authority on Acegi, but I believe there is a way to list the
> urls that Acegi should guarantee for SSL transport in the security.xml.
> Then Acegi takes care of the protocol switching.  Right now I don't
> think some of our secure login property info is being mapped to the
> Acegi config, so we still need to do that.

I believe I did handle this as part of the integration, but didn't
test it.  If it doesn't work, let me know and I'll fix it.

>
> I definitely think that we shouldn't need the old "secure" tag that we
> were using and I'm also not sure that we need to continue with old
> secureheader stuff.  I've moved the secureheader stuff outside of Roller
> for blogs.sun.com and I think that's the proper place for it.

Right, Acegi Security should be able to handle anything that the
"secure" tag did.  Also, I didn't account for the secureheader stuff,
so moving it outside Roller would be great. ;-)

>
> -- Allen
>
>
> On Mon, 2006-01-09 at 07:47, Dave Johnson wrote:
> > Regarding:
> > http://opensource2.atlassian.com/projects/roller/browse/ROL-989
> >
> > The user profile page allows a user to change his/her password and
> > sends passwords in the clear, so I'd to make it more secure for sites
> > that require HTTPS for logins. The easiest way to do this seems to be
> > to force HTTPS on that page and that's what I've done in my local
> > workspace.
> >
> > Here's a summary of my changes (code is below): inside the
> > YourProfileAction.edit() method, I check to see if secure login is
> > enabled. If secure login is enabled but the current request is not
> > secure, I redirect to a secure version of the URL.
> >
> > I have two questions before I continue this work and add the same code
> > to user-admin:
> > 1) Is this the right way to do this, given that we're now using Acegi?

You shouldn't need any code, just configure it in security.xml. 
Unfortunately, I don't think there's a way to say "only require SSL if
secure login is enabled". ;-)

... so maybe you will need some code.

Matt

> > 2) Do we need the <roller:secure> tag on any of our pages anymore, now
> > that we're using Acegi?
> >
> > - Dave
> >
> >
> >
> > PS: here are the specific changes:
> >
> >
> > ==================== roller.properties
> >
> > Roller properties needs to change to allow the YourProfileAction to
> > run under HTTPS.
> >
> > schemeenforcement.https.urls=/j_security_check,/auth,/login-redirect.jsp,/login.jsp,/editor/yourProfile.do
> >
> >
> >
> > ==================== YourProfileAction.java
> >
> > The YourProfileAction.java method needs code to test for
> > securelogin.enabled and isSecure(). We can't use the <roller:secure>
> > tag on the JSP page because by the time we get there the response is
> > already committed.
> >
> >
> >          ActionForward forward =
> > mapping.findForward("yourProfile.page");
> >          try
> >          {
> > +            if
> > (RollerConfig.getBooleanProperty("securelogin.enabled") &&
> > !SslUtil.isSecure(request)) {
> > +                response.sendRedirect(SslUtil.getRedirectString(
> > +                    request,
> > request.getSession().getServletContext(), true));
> > +                return mapping.findForward("access-denied");
> > +            }
> >              RollerSession rollerSession =
> > RollerSession.getRollerSession(request);
> >              UserData ud = rollerSession.getAuthenticatedUser();
> >              UserFormEx form = (UserFormEx)actionForm;
> >
> >
> >
> > ==================== SslUtil.java
> >
> > We need a way to test isSecure() using the appropriate properties:
> >
> > +    /**
> > +     * Test for HTTPS connection by using request.isSecure() or,
> > +     * if httpsHeaderName is set, test for reqest header instead.
> > +     * If httpsHeaderValue is also set, test for that specific value.
> > +     */
> > +    public static boolean isSecure(HttpServletRequest request) {
> > +        String httpsHeaderName =
> > RollerConfig.getProperty("securelogin.https.headername");
> > +        String httpsHeaderValue =
> > RollerConfig.getProperty("securelogin.https.headervalue");
> > +        boolean secure = false;
> > +        if (httpsHeaderName == null) {
> > +            secure = request.isSecure();
> > +        } else {
> > +            String headerValue = request.getHeader(httpsHeaderName);
> > +            if (headerValue != null && headerValue.trim().length() >
> > 0) {
> > +                secure = httpsHeaderValue==null ||
> > httpsHeaderValue.equals(headerValue);
> > +            }
> > +        }
> > +        return secure;
> > +    }
> > +
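Review bot: when `securelogin.https.headervalue` is unset, the branch `secure = httpsHeaderValue==null || ...` treats any non-blank value of the configured header as secure, so a proxy that always sets the header (to `http` as well as `https`) makes every request look secure and the redirect never fires; require a match against a configured value in every case, or default the expected value to `https`. The header is also under the client's control: if the application can be reached without going through the proxy that sets it, the supplied header is honoured as-is and the HTTPS redirect is skipped, so the proxy must strip or overwrite that header on inbound requests and the application should accept connections only from the proxy, or the container connector should be configured to report proxied requests as secure so the plain `request.isSecure()` branch can be used instead. Minor: `reqest` in the Javadoc.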
> >
>
>

Re: How to make the user profile and user admin pages more secure

Posted by Allen Gilliland <Al...@Sun.COM>.
Matt is the authority on Acegi, but I believe there is a way to list the
urls that Acegi should guarantee for SSL transport in the security.xml. 
Then Acegi takes care of the protocol switching.  Right now I don't
think some of our secure login property info is being mapped to the
Acegi config, so we still need to do that.

I definitely think that we shouldn't need the old "secure" tag that we
were using and I'm also not sure that we need to continue with old
secureheader stuff.  I've moved the secureheader stuff outside of Roller
for blogs.sun.com and I think that's the proper place for it.

-- Allen


On Mon, 2006-01-09 at 07:47, Dave Johnson wrote:
> Regarding:
> http://opensource2.atlassian.com/projects/roller/browse/ROL-989
> 
> The user profile page allows a user to change his/her password and
> sends passwords in the clear, so I'd like to make it more secure for sites
> that require HTTPS for logins. The easiest way to do this seems to be
> to force HTTPS on that page and that's what I've done in my local
> workspace.
> 
> Here's a summary of my changes (code is below): inside the
> YourProfileAction.edit() method, I check to see if secure login is
> enabled. If secure login is enabled but the current request is not
> secure, I redirect to a secure version of the URL.
> 
> I have two questions before I continue this work and add the same code
> to user-admin:
> 1) Is this the right way to do this, given that we're now using Acegi?
> 2) Do we need the <roller:secure> tag on any of our pages anymore, now
> that we're using Acegi?
> 
> - Dave
> 
> 
> 
> PS: here are the specific changes:
> 
> 
> ==================== roller.properties
> 
> Roller properties needs to change to allow the YourProfileAction to
> run under HTTPS.
> 
> schemeenforcement.https.urls=/j_security_check,/auth,/login-redirect.jsp,/login.jsp,/editor/yourProfile.do
> 
> 
> 
> ==================== YourProfileAction.java
> 
> The YourProfileAction.java method needs code to test for
> securelogin.enabled and isSecure(). We can't use the <roller:secure>
> tag on the JSP page because by the time we get there the response is
> already committed.
> 
> 
>          ActionForward forward =
> mapping.findForward("yourProfile.page");
>          try
>          {
> +            if
> (RollerConfig.getBooleanProperty("securelogin.enabled") &&
> !SslUtil.isSecure(request)) {
> +                response.sendRedirect(SslUtil.getRedirectString(
> +                    request,
> request.getSession().getServletContext(), true));
> +                return mapping.findForward("access-denied");
> +            }
>              RollerSession rollerSession =
> RollerSession.getRollerSession(request);
>              UserData ud = rollerSession.getAuthenticatedUser();
>              UserFormEx form = (UserFormEx)actionForm;
> 
> 
> 
> ==================== SslUtil.java
> 
> We need a way to test isSecure() using the appropriate properties:
> 
> +    /**
> +     * Test for HTTPS connection by using request.isSecure() or,
> +     * if httpsHeaderName is set, test for reqest header instead.
> +     * If httpsHeaderValue is also set, test for that specific value.
> +     */
> +    public static boolean isSecure(HttpServletRequest request) {
> +        String httpsHeaderName =
> RollerConfig.getProperty("securelogin.https.headername");
> +        String httpsHeaderValue =
> RollerConfig.getProperty("securelogin.https.headervalue");
> +        boolean secure = false;
> +        if (httpsHeaderName == null) {
> +            secure = request.isSecure();
> +        } else {
> +            String headerValue = request.getHeader(httpsHeaderName);
> +            if (headerValue != null && headerValue.trim().length() >
> 0) {
> +                secure = httpsHeaderValue==null ||
> httpsHeaderValue.equals(headerValue);
> +            }
> +        }
> +        return secure;
> +    }
> +
>
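Matt's and Allen's replies both point at Acegi's channel security in security.xml as the place to require HTTPS for a URL, instead of redirect code in the action. The following is an added illustration of what that configuration looks like; it is not taken from the thread or from Roller's own security.xml. It assumes Acegi 1.0 package names (earlier releases lived under net.sf.acegisecurity) and mirrors the URL list from the schemeenforcement.https.urls property above, written in lower case because the definition source is told to lower-case URLs before matching:

```xml
<!-- Added example (assumed Acegi 1.0 class names): channel security beans for security.xml.
     The filter must be placed in the filter chain ahead of the authentication filters. -->

<!-- Decides, per URL pattern, whether the request must arrive over HTTPS and
     redirects to the https:// form of the URL when it does not. -->
<bean id="channelProcessingFilter"
      class="org.acegisecurity.securechannel.ChannelProcessingFilter">
  <property name="channelDecisionManager">
    <ref bean="channelDecisionManager"/>
  </property>
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /j_security_check=REQUIRES_SECURE_CHANNEL
      /auth=REQUIRES_SECURE_CHANNEL
      /login-redirect.jsp=REQUIRES_SECURE_CHANNEL
      /login.jsp=REQUIRES_SECURE_CHANNEL
      /editor/yourprofile.do=REQUIRES_SECURE_CHANNEL
    </value>
  </property>
</bean>

<!-- URLs without an entry above are passed through untouched; listed URLs are
     handed to the processors below, which perform the protocol switch. -->
<bean id="channelDecisionManager"
      class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
  <property name="channelProcessors">
    <list>
      <ref bean="secureChannelProcessor"/>
      <ref bean="insecureChannelProcessor"/>
    </list>
  </property>
</bean>

<!-- SecureChannelProcessor bases its decision on request.isSecure(). -->
<bean id="secureChannelProcessor"
      class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor"
      class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>
```

Two practical consequences follow. First, SecureChannelProcessor consults request.isSecure(), so when TLS is terminated at a front-end proxy the servlet container's connector has to be configured to report proxied requests as secure; that is the job the header-based branch of SslUtil.isSecure() was doing inside Roller, and moving it to the proxy or connector, as Allen describes for blogs.sun.com, keeps a client-supplied header from ever being consulted by the application. Second, as Matt notes, this configuration cannot be conditioned on securelogin.enabled: a deployment that does not use HTTPS simply leaves the channel filter out of its chain.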