1 package Catalyst::Plugin::RequireSSL;
4 use base qw/Class::Accessor::Fast/;
9 __PACKAGE__->mk_accessors( qw/_require_ssl _ssl_strip_output/ );
16 if ( !$c->req->secure && $c->req->method ne "POST" ) {
17 my $redir = $c->_redirect_uri('https');
18 if ( $c->config->{require_ssl}->{disabled} ) {
19 $c->log->warn( "RequireSSL: Would have redirected to $redir" );
22 $c->_ssl_strip_output(1);
23 $c->res->redirect( $redir );
31 # Do not redirect static files (only works with Static::Simple)
32 if ( $c->isa( "Catalyst::Plugin::Static::Simple" ) ) {
33 return $c->NEXT::finalize(@_) if $c->_static_file;
36 # redirect back to non-SSL mode
40 # we're not in SSL mode
41 last REDIRECT if !$c->req->secure;
43 last REDIRECT if $c->req->method eq "POST";
44 # we're already required to be in SSL for this request
45 last REDIRECT if $c->_require_ssl;
46 # or the user doesn't want us to redirect
47 last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl};
49 $c->res->redirect( $c->_redirect_uri('http') );
52 # do not allow any output to be displayed on the insecure page
53 if ( $c->_ssl_strip_output ) {
57 return $c->NEXT::finalize(@_);
65 # disable the plugin when running under certain engines which don't
67 if ( $c->engine =~ /Catalyst::Engine::HTTP/ ) {
68 $c->config->{require_ssl}->{disabled} = 1;
69 $c->log->warn( "RequireSSL: Disabling SSL redirection while running "
70 . "under " . $c->engine );
75 my ( $c, $type ) = @_;
77 # XXX: Cat needs a $c->req->host method...
78 # until then, strip off the leading protocol from base
79 if ( !$c->config->{require_ssl}->{$type} ) {
80 my $host = $c->req->base;
81 $host =~ s/^http(s?):\/\///;
82 $c->config->{require_ssl}->{$type} = $host;
85 if ( $c->config->{require_ssl}->{$type} !~ /\/$/xms ) {
86 $c->config->{require_ssl}->{$type} .= '/';
90 = $type . '://' . $c->config->{require_ssl}->{$type} . $c->req->path;
92 if ( scalar $c->req->param ) {
94 foreach my $arg ( sort keys %{ $c->req->params } ) {
95 if ( ref $c->req->params->{$arg} ) {
96 my $list = $c->req->params->{$arg};
97 push @params, map { "$arg=" . $_ } sort @{$list};
100 push @params, "$arg=" . $c->req->params->{$arg};
103 $redir .= '?' . join( '&', @params );
106 if ( $c->config->{require_ssl}->{no_cache} ) {
107 delete $c->config->{require_ssl}->{$type};
118 Catalyst::Plugin::RequireSSL - Force SSL mode on select pages
124 MyApp->setup( qw/RequireSSL/ );
126 MyApp->config->{require_ssl} = {
127 https => 'secure.mydomain.com',
128 http => 'www.mydomain.com',
133 # in any controller methods that should be secured
138 Use this plugin if you wish to selectively force SSL mode on some of your web
139 pages, for example a user login form or shopping cart.
141 Simply place $c->require_ssl calls in any controller method you wish to be
144 This plugin will automatically disable itself if you are running under the
145 standalone HTTP::Daemon Catalyst server. A warning message will be printed to
146 the log file whenever an SSL redirect would have occurred.
150 If you utilize different servers or hostnames for non-SSL and SSL requests,
151 and you rely on a session cookie to determine redirection (e.g. for a login
152 page), your cookie must be visible to both servers. For more information, see
153 the documentation for the Session plugin you are using.
157 Configuration is optional. You may define the following configuration values:
161 If your SSL domain name is different from your non-SSL domain, set this value.
163 http => $non_ssl_host
165 If you have set the https value above, you must also set the hostname of your
170 If you'd like your users to remain in SSL mode after visiting an SSL-required
171 page, you can set this option to 1. By default, this option is disabled and
172 users will be redirected back to non-SSL mode as soon as possible.
176 If you have a wildcard certificate and are using multiple domains on one
177 instance of Catalyst, you will need to set this option; otherwise the hostname
taken from the first request is kept in the configuration and reused for every
later redirect.
183 Call require_ssl in any controller method you wish to be secured.
187 The browser will be redirected to the same path on your SSL server. POST
188 requests are never redirected.
192 Disables this plugin if running under an engine which does not support SSL.
196 Performs the redirect to the SSL URL if required.
200 When viewing an SSL-required page that uses static files served from the
201 Static plugin, the static files are redirected to the non-SSL path.
203 To get the correct behaviour, where static files are not redirected, use
204 the Static::Simple plugin or always serve static files directly from your
205 web server.
209 L<Catalyst>, L<Catalyst::Plugin::Static::Simple>
213 Andy Grundman, <andy@hybridized.org>
217 Simon Elliott <simon@browsing.co.uk> (support for wildcards)
221 This program is free software, you can redistribute it and/or modify it under
222 the same terms as Perl itself.