1 | package Catalyst::Plugin::RequireSSL; |
2 | |
3 | use strict; |
4 | use base qw/Class::Accessor::Fast/; |
5 | use MRO::Compat; |
6 | |
our $VERSION = '0.06_01';

# Flags kept on the context object and consulted again in finalize():
#   _require_ssl      - require_ssl() was called for this request
#   _allow_ssl        - allow_ssl() was called; either scheme is acceptable
#   _ssl_strip_output - an https redirect was issued; drop the response body
__PACKAGE__->mk_accessors( qw/_require_ssl _allow_ssl _ssl_strip_output/ );
10 | |
sub require_ssl {
    my ($c) = @_;

    # Remember the requirement so finalize() does not bounce this request
    # back to the non-SSL host afterwards.
    $c->_require_ssl(1);

    # Already on SSL: nothing to do.  A POST is deliberately left alone as
    # well, since a redirect would drop the request body -- which means a
    # POST sent over plain HTTP to a secured action is still processed in
    # the clear.  The form that targets it must itself live on the SSL host.
    return if $c->req->secure || $c->req->method eq 'POST';

    my $target = $c->_redirect_uri('https');
    my $conf   = $c->config->{require_ssl};

    if ( $conf->{disabled} ) {
        # Set by setup() under the standalone HTTP engine: log only.
        $c->log->warn("RequireSSL: Would have redirected to $target");
        return;
    }

    # Whatever the action goes on to render must not leave over plain HTTP;
    # finalize() replaces the body with an empty string when this flag is set.
    $c->_ssl_strip_output(1);
    $c->res->redirect($target);

    # Without detach_on_redirect the calling action keeps running after the
    # redirect, so any side effects it has still happen for this request.
    $c->detach if $conf->{detach_on_redirect};
}
28 | |
sub allow_ssl {
    my ($c) = @_;

    # Mark this request as acceptable on either scheme; finalize() reads the
    # flag and skips the redirect back to the non-SSL host.
    return $c->_allow_ssl(1);
}
34 | |
sub finalize {
    my $c = shift;

    # Static::Simple flags responses it served itself; never bounce those
    # back to the non-SSL host, or the assets of an SSL page would break.
    if ( $c->isa('Catalyst::Plugin::Static::Simple') && $c->_static_file ) {
        return $c->next::method(@_);
    }

    # Send a secure request back to the non-SSL host unless it is a POST
    # (a redirect would drop the body), the action asked for SSL, the action
    # allowed either scheme, or remain_in_ssl is configured.
    # NOTE(review): this path is not gated by config->{disabled}, and the
    # redirect presumably replaces any Location the action already set --
    # confirm whether either is intended.
    my $leave_ssl =
           $c->req->secure
        && $c->req->method ne 'POST'
        && !$c->_require_ssl
        && !( $c->config->{require_ssl}->{remain_in_ssl} || $c->_allow_ssl );

    $c->res->redirect( $c->_redirect_uri('http') ) if $leave_ssl;

    # A request that require_ssl() redirected to https must not leak the
    # action's rendered output over plain HTTP.
    $c->res->body('') if $c->_ssl_strip_output;

    return $c->next::method(@_);
}
66 | |
sub setup {
    my $c = shift;

    $c->next::method(@_);

    # The standalone HTTP engine cannot serve SSL, so an https redirect could
    # never be satisfied there; fall back to log-only mode.  This is a
    # substring match, so engine subclasses under that name are caught too.
    # NOTE(review): a Catalyst that reports a different engine class (e.g.
    # when run under PSGI) will not trip this guard -- confirm for the
    # deployed version.
    my $engine = $c->engine;
    return unless $engine =~ /Catalyst::Engine::HTTP/;

    $c->config->{require_ssl}->{disabled} = 1;
    $c->log->warn(
        "RequireSSL: Disabling SSL redirection while running under $engine"
    );
}
80 | |
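# Build the redirect target for $type ('http' or 'https'): the request URI
# with its scheme swapped and its host:port replaced by the configured one.
#
# Returns a URI object.  The configured value for $type is used when set;
# otherwise the host the request arrived on is used for this request only.
sub _redirect_uri {
    my ( $c, $type ) = @_;

    my $conf = $c->config->{require_ssl} || {};

    # Configured "host" or "host:port" for the target scheme.  This is a copy,
    # so stripping trailing slashes does not rewrite the config in place.
    my $host_port = $conf->{$type};

    if ($host_port) {
        $host_port =~ s{/+$}{};
    }
    else {
        # Fall back to the host the request arrived on.  That value comes
        # from the client-supplied Host header, so it is used for this one
        # request and deliberately NOT written back into the application
        # config: config is shared by every request, and caching the
        # request host there let the first request seen after startup pick
        # the redirect target for all later users (until no_cache cleared
        # it).  With the fallback computed per request, no_cache is no
        # longer needed for that case.
        my $req_uri = $c->req->uri;
        # NOTE(review): _port is a private URI method; it appears to yield
        # the explicit port or undef, unlike port(), which fills in the
        # scheme default.  Confirm against the installed URI version.
        my $port = $req_uri->_port;
        $host_port = $req_uri->host;
        $host_port .= ":$port" if defined $port && length $port;
    }

    my $redir = $c->req->uri->clone;
    $redir->scheme($type);
    $redir->host_port($host_port);

    return $redir;
}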
102 | |
103 | 1; |
104 | __END__ |
105 | |
106 | =head1 NAME |
107 | |
108 | Catalyst::Plugin::RequireSSL - Force SSL mode on select pages |
109 | |
110 | =head1 SYNOPSIS |
111 | |
112 | # in MyApp.pm |
113 | use Catalyst; |
114 | MyApp->setup( qw/RequireSSL/ ); |
115 | |
116 | MyApp->config->{require_ssl} = { |
117 | https => 'secure.mydomain.com', |
118 | http => 'www.mydomain.com', |
119 | remain_in_ssl => 0, |
120 | no_cache => 0, |
121 | detach_on_redirect => 1, |
122 | }; |
123 | |
124 | # in any controller methods that should be secured |
125 | $c->require_ssl; |
126 | |
127 | =head1 DESCRIPTION |
128 | |
129 | B<Note:> This module is considered to be deprecated for most purposes. Consider |
130 | using L<Catalyst::ActionRole::RequireSSL> instead. |
131 | |
132 | Use this plugin if you wish to selectively force SSL mode on some of your web |
133 | pages, for example a user login form or shopping cart. |
134 | |
135 | Simply place $c->require_ssl calls in any controller method you wish to be |
136 | secured. |
137 | |
138 | This plugin will automatically disable itself if you are running under the |
139 | standalone HTTP::Daemon Catalyst server. A warning message will be printed to |
140 | the log file whenever an SSL redirect would have occurred. |
141 | |
142 | =head1 WARNINGS |
143 | |
If you utilize different servers or hostnames for non-SSL and SSL requests,
and you rely on a session cookie to determine redirection (i.e. for a login
page), your cookie must be visible to both servers. For more information, see
the documentation for the Session plugin you are using.

Note also that unless C<remain_in_ssl> is set, the browser is sent back to the
non-SSL host after a secured page, so any cookie the browser is willing to
send over plain HTTP is exposed there. A cookie marked C<Secure> is never sent
over plain HTTP, so such a session will not be visible on the non-SSL side.
148 | |
149 | =head1 CONFIGURATION |
150 | |
151 | Configuration is optional. You may define the following configuration values: |
152 | |
153 | https => $ssl_host |
154 | |
If your SSL domain name is different from your non-SSL domain, set this value.
If it is not set, the host and port of the incoming request (that is, the
client-supplied C<Host> header) are used; set it explicitly unless the
front-end server already restricts which hostnames reach the application.
156 | |
157 | http => $non_ssl_host |
158 | |
159 | If you have set the https value above, you must also set the hostname of your |
160 | non-SSL server. |
161 | |
162 | remain_in_ssl |
163 | |
164 | If you'd like your users to remain in SSL mode after visiting an SSL-required |
165 | page, you can set this option to 1. By default, this option is disabled and |
166 | users will be redirected back to non-SSL mode as soon as possible. |
167 | |
168 | no_cache |
169 | |
If you have a wildcard certificate and serve multiple domains from one
instance of Catalyst, you will need to set this option. When C<https> and
C<http> are not configured, the redirect host is taken from the incoming
request's C<Host> header, so in that setup make sure the front-end server only
passes through hostnames you control.
172 | |
173 | detach_on_redirect |
174 | |
By default C<< $c->require_ssl >> only calls C<< $c->response->redirect >> but
does not stop request processing: it returns, and the statements after it
still run over plain HTTP, together with any side effects they have (only the
response body is discarded). This is probably not what you want. If you set
this option to a true value C<< $c->require_ssl >> will call C<< $c->detach >>
when it redirects.
179 | |
180 | =head1 METHODS |
181 | |
182 | =head2 require_ssl |
183 | |
184 | Call require_ssl in any controller method you wish to be secured. |
185 | |
186 | $c->require_ssl; |
187 | |
The browser will be redirected to the same path on your SSL server. POST
requests are never redirected, because a redirect would drop the request
body; a POST that arrives over plain HTTP is therefore still processed by the
action, so make sure any form that targets a secured action is itself served
from, and submits to, the SSL host.
190 | |
191 | =head2 allow_ssl |
192 | |
193 | Call allow_ssl in any controller method you wish to access both in SSL and |
194 | non-SSL mode. |
195 | |
196 | $c->allow_ssl; |
197 | |
198 | The browser will not be redirected, independently of whether the request was |
199 | made to the SSL or non-SSL server. |
200 | |
201 | =head2 setup |
202 | |
203 | Disables this plugin if running under an engine which does not support SSL. |
204 | |
205 | =head2 finalize |
206 | |
Redirects a secure request back to the non-SSL URL when neither
C<require_ssl> nor C<allow_ssl> was called for it and C<remain_in_ssl> is not
set (POST requests and Static::Simple files are left alone), and discards the
response body of a request that C<require_ssl> redirected to SSL.
208 | |
209 | =head1 KNOWN ISSUES |
210 | |
211 | When viewing an SSL-required page that uses static files served from the |
212 | Static plugin, the static files are redirected to the non-SSL path. |
213 | |
214 | In order to get the correct behaviour where static files are not redirected, |
215 | you should use the Static::Simple plugin or always serve static files |
216 | directly from your web server. |
217 | |
218 | =head1 SEE ALSO |
219 | |
220 | L<Catalyst>, L<Catalyst::ActionRole::RequireSSL>, |
221 | L<Catalyst::Plugin::Static::Simple> |
222 | |
223 | =head1 AUTHOR |
224 | |
225 | Andy Grundman, <andy@hybridized.org> |
226 | |
227 | =head1 CONTRIBUTORS |
228 | |
229 | Simon Elliott <simon@browsing.co.uk> (support for wildcards) |
230 | |
231 | =head1 COPYRIGHT |
232 | |
233 | This program is free software, you can redistribute it and/or modify it under |
234 | the same terms as Perl itself. |
235 | |
236 | =cut |