roller-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ghu...@apache.org
Subject svn commit: r1238815 - in /roller/trunk: weblogger-business/src/main/resources/org/apache/roller/weblogger/config/roller.properties weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/SchemeEnforcementFilter.java
Date Tue, 31 Jan 2012 21:07:36 GMT
Author: ghuber
Date: Tue Jan 31 21:07:36 2012
New Revision: 1238815

URL: http://svn.apache.org/viewvc?rev=1238815&view=rev
Log:
Ignored extensions otherwise we get SSL mixed content issues.

Modified:
    roller/trunk/weblogger-business/src/main/resources/org/apache/roller/weblogger/config/roller.properties
    roller/trunk/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/SchemeEnforcementFilter.java

Modified: roller/trunk/weblogger-business/src/main/resources/org/apache/roller/weblogger/config/roller.properties
URL: http://svn.apache.org/viewvc/roller/trunk/weblogger-business/src/main/resources/org/apache/roller/weblogger/config/roller.properties?rev=1238815&r1=1238814&r2=1238815&view=diff
==============================================================================
--- roller/trunk/weblogger-business/src/main/resources/org/apache/roller/weblogger/config/roller.properties
(original)
+++ roller/trunk/weblogger-business/src/main/resources/org/apache/roller/weblogger/config/roller.properties
Tue Jan 31 21:07:36 2012
@@ -385,6 +385,9 @@ schemeenforcement.https.urls=/roller_j_s
 /roller-ui/authoring/userdata,\
 /roller-ui/authoring/membersInvite.rol,/roller-ui/authoring/membersInvite!save.rol
 
+# Ignored extensions otherwise we get SSL mixed content issues
+schemeenforcement.https.ignored=css,gif,png,js
+
 #----------------------------------
 # Single-Sign-On
 

Modified: roller/trunk/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/SchemeEnforcementFilter.java
URL: http://svn.apache.org/viewvc/roller/trunk/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/SchemeEnforcementFilter.java?rev=1238815&r1=1238814&r2=1238815&view=diff
==============================================================================
--- roller/trunk/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/SchemeEnforcementFilter.java
(original)
+++ roller/trunk/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/SchemeEnforcementFilter.java
Tue Jan 31 21:07:36 2012
@@ -1,20 +1,20 @@
 /*
-* Licensed to the Apache Software Foundation (ASF) under one or more
-*  contributor license agreements.  The ASF licenses this file to You
-* under the Apache License, Version 2.0 (the "License"); you may not
-* use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.  For additional information regarding
-* copyright in this work, please see the NOTICE file in the top level
-* directory of this distribution.
-*/
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.  For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
 /*
  * SchemeEnforcementFilter.java
  *
@@ -25,8 +25,8 @@ package org.apache.roller.weblogger.ui.c
 
 import java.io.IOException;
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.Set;
+
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -35,140 +35,174 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.roller.weblogger.config.WebloggerConfig;
 
-
 /**
  * The SchemeEnforcementFilter is provided for Roller sites that enable secure
  * logins and want to ensure that only login urls are used under https.
- *
- * @author  Allen Gilliland
- *
+ * 
+ * @author Allen Gilliland
+ * 
  * @web.filter name="SchemeEnforcementFilter"
  */
 public class SchemeEnforcementFilter implements Filter {
-    
-    private static Log mLogger = 
-            LogFactory.getLog(SchemeEnforcementFilter.class);
-    
-    private FilterConfig filterConfig = null;
-    
-    private boolean schemeEnforcementEnabled = false;
-    private boolean secureLoginEnabled = false;
-    private int httpPort = 80;
-    private int httpsPort = 443;
-    private String httpsHeaderName = null;
-    private String httpsHeaderValue = null;
-    
-    private Set allowedUrls = new HashSet();
-    
-    
-    /**
-     * Process filter.
-     *
-     * We'll take the incoming request and first determine if this is a
-     * secure request.  If the request is secure then we'll see if it matches
-     * one of the allowed secure urls, if not then we will redirect back out
-     * of https.
-     */
-    public void doFilter(ServletRequest request, ServletResponse response,
-                        FilterChain chain)
-            throws IOException, ServletException {
-        
-        if(this.schemeEnforcementEnabled && this.secureLoginEnabled) {
-            
-            HttpServletRequest req = (HttpServletRequest) request;
-            HttpServletResponse res = (HttpServletResponse) response;
-            
-            mLogger.debug("checking path = "+req.getServletPath());
-            
-            if(!request.isSecure() && allowedUrls.contains(req.getServletPath()))
{
-                // http insecure request that should be over https
-                String redirect = "https://"+req.getServerName();
-                
-                if(this.httpsPort != 443)
-                    redirect += ":"+this.httpsPort;
-                
-                redirect += req.getRequestURI();
-                
-                if(req.getQueryString() != null)
-                    redirect += "?"+req.getQueryString();
-                
-                mLogger.debug("Redirecting to "+redirect);
-                res.sendRedirect(redirect);
-                return;
-                
-            } else if(request.isSecure() && !allowedUrls.contains(req.getServletPath()))
{
-                // https secure request that should be over http
-                String redirect = "http://"+req.getServerName();
-                
-                if(this.httpPort != 80)
-                    redirect += ":"+this.httpPort;
-                
-                redirect += req.getRequestURI();
-                
-                if(req.getQueryString() != null)
-                    redirect += "?"+req.getQueryString();
-                
-                mLogger.debug("Redirecting to "+redirect);
-                res.sendRedirect(redirect);
-                return;
-            }
-        }
-        
-        chain.doFilter(request, response);
-    }
-    
-    
-    public void destroy() {}
-    
-    
-    /**
-     * Filter init.
-     *
-     * We are just collecting init properties which we'll use for each request.
-     */
-    public void init(FilterConfig filterConfig) {
-        this.filterConfig = filterConfig;
-        
-        // determine if we are doing scheme enforcement
-        this.schemeEnforcementEnabled = 
-                WebloggerConfig.getBooleanProperty("schemeenforcement.enabled");
-        this.secureLoginEnabled = 
-                WebloggerConfig.getBooleanProperty("securelogin.enabled");
-        
-        if(this.schemeEnforcementEnabled && this.secureLoginEnabled) {
-            // gather some more properties
-            String http_port = 
-                    WebloggerConfig.getProperty("securelogin.http.port");
-            String https_port = 
-                    WebloggerConfig.getProperty("securelogin.https.port");
-            
-            try {
-                this.httpPort = Integer.parseInt(http_port);
-                this.httpsPort = Integer.parseInt(https_port);
-            } catch(NumberFormatException nfe) {
-                // ignored ... guess we'll have to use the defaults
-                mLogger.warn("error with secure login ports", nfe);
-            }
-            
-            // finally, construct our list of allowable https urls
-            String urls = 
-                    WebloggerConfig.getProperty("schemeenforcement.https.urls");
-            String[] urlsArray = urls.split(",");
-            for(int i=0; i < urlsArray.length; i++)
-                this.allowedUrls.add(urlsArray[i]);
-            
-            // some logging for the curious
-            mLogger.info("Scheme enforcement = enabled");
-            if(mLogger.isDebugEnabled()) {
-                mLogger.debug("allowed urls are:");
-                for(Iterator it = this.allowedUrls.iterator(); it.hasNext();)
-                    mLogger.debug(it.next());
-            }
-        }
-    }
-    
+
+	private static Log log = LogFactory.getLog(SchemeEnforcementFilter.class);
+
+	private boolean schemeEnforcementEnabled = false;
+	private boolean secureLoginEnabled = false;
+	private int httpPort = 80;
+	private int httpsPort = 443;
+
+	private Set<String> allowedUrls = new HashSet<String>();
+	private Set<String> ignored = new HashSet<String>();
+
+	/**
+	 * Process filter.
+	 * 
+	 * We'll take the incoming request and first determine if this is a secure
+	 * request. If the request is secure then we'll see if it matches one of the
+	 * allowed secure urls, if not then we will redirect back out of https.
+	 */
+	public void doFilter(ServletRequest request, ServletResponse response,
+			FilterChain chain) throws IOException, ServletException {
+
+		if (this.schemeEnforcementEnabled && this.secureLoginEnabled) {
+
+			HttpServletRequest req = (HttpServletRequest) request;
+			HttpServletResponse res = (HttpServletResponse) response;
+
+			if (log.isDebugEnabled())
+				log.debug("checking path = " + req.getServletPath());
+
+			if (!request.isSecure()
+					&& allowedUrls.contains(req.getServletPath())) {
+
+				// http insecure request that should be over https
+				String redirect = "https://" + req.getServerName();
+
+				if (this.httpsPort != 443)
+					redirect += ":" + this.httpsPort;
+
+				redirect += req.getRequestURI();
+
+				if (req.getQueryString() != null)
+					redirect += "?" + req.getQueryString();
+
+				if (log.isDebugEnabled())
+					log.debug("Redirecting to " + redirect);
+
+				res.sendRedirect(redirect);
+				return;
+
+			} else if (request.isSecure()
+					&& !isIgnoredURL(req.getServletPath())
+					&& !allowedUrls.contains(req.getServletPath())) {
+
+				// https secure request that should be over http
+				String redirect = "http://" + req.getServerName();
+
+				if (this.httpPort != 80)
+					redirect += ":" + this.httpPort;
+
+				redirect += req.getRequestURI();
+
+				if (req.getQueryString() != null)
+					redirect += "?" + req.getQueryString();
+
+				if (log.isDebugEnabled())
+					log.debug("Redirecting to " + redirect);
+
+				res.sendRedirect(redirect);
+				return;
+			}
+		}
+
+		chain.doFilter(request, response);
+	}
+
+	/**
+	 * Checks if the url is to be ignored.
+	 * 
+	 * @param theUrl
+	 *            the the url
+	 * 
+	 * @return true, if the url is to be ignored.
+	 */
+	private boolean isIgnoredURL(String theUrl) {
+
+		int i = theUrl.lastIndexOf(".");
+
+		if (i <= 0 || i == theUrl.length() - 1)
+			return true;
+
+		return ignored.contains(theUrl.substring(i + 1));
+
+	}
+
+	/**
+	 * @see javax.servlet.Filter#destroy()
+	 */
+	public void destroy() {
+	}
+
+	/**
+	 * Filter init.
+	 * 
+	 * We are just collecting init properties which we'll use for each request.
+	 */
+	public void init(FilterConfig filterConfig) {
+
+		// determine if we are doing scheme enforcement
+		this.schemeEnforcementEnabled = WebloggerConfig
+				.getBooleanProperty("schemeenforcement.enabled");
+		this.secureLoginEnabled = WebloggerConfig
+				.getBooleanProperty("securelogin.enabled");
+
+		if (this.schemeEnforcementEnabled && this.secureLoginEnabled) {
+			// gather some more properties
+			String http_port = WebloggerConfig
+					.getProperty("securelogin.http.port");
+			String https_port = WebloggerConfig
+					.getProperty("securelogin.https.port");
+
+			try {
+				this.httpPort = Integer.parseInt(http_port);
+				this.httpsPort = Integer.parseInt(https_port);
+			} catch (NumberFormatException nfe) {
+				// ignored ... guess we'll have to use the defaults
+				log.warn("error with secure login ports", nfe);
+			}
+
+			// finally, construct our list of allowable https urls and ignored
+			// resources
+			String cfgs = WebloggerConfig
+					.getProperty("schemeenforcement.https.urls");
+			String[] cfgsArray = cfgs.split(",");
+			for (int i = 0; i < cfgsArray.length; i++)
+				this.allowedUrls.add(cfgsArray[i]);
+
+			cfgs = WebloggerConfig
+					.getProperty("schemeenforcement.https.ignored");
+			cfgsArray = StringUtils.stripAll(StringUtils.split(cfgs, ","));
+			for (int i = 0; i < cfgsArray.length; i++)
+				this.ignored.add(cfgsArray[i]);
+
+			// some logging for the curious
+			log.info("Scheme enforcement = enabled");
+			if (log.isDebugEnabled()) {
+				log.debug("allowed urls are:");
+				for (String allowedUrl : allowedUrls)
+					log.debug(allowedUrl);
+				log.debug("ignored extensions are:");
+				for (String ignore : ignored)
+					log.debug(ignore);
+			}
+		}
+	}
+
 }



Mime
View raw message