use base qw/Class::Accessor::Fast/;
use NEXT;
-our $VERSION = '0.05';
+our $VERSION = '0.07';
-__PACKAGE__->mk_accessors( qw/_require_ssl _ssl_strip_output/ );
+__PACKAGE__->mk_accessors( qw/_require_ssl _allow_ssl _ssl_strip_output/ );
sub require_ssl {
my $c = shift;
else {
$c->_ssl_strip_output(1);
$c->res->redirect( $redir );
+ $c->detach if $c->config->{require_ssl}->{detach_on_redirect};
}
}
}
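Review bot: The added `$c->detach` on the redirect branch is opt-in, so with `detach_on_redirect` unset the rest of an action that called `require_ssl` still runs on the plain-HTTP request after the redirect has been queued. Only the output is stripped (`_ssl_strip_output`), so any side effects of the action still happen over the unencrypted connection. Treating an unset option as on would fail safe while still letting applications set it to 0: `my $detach = $c->config->{require_ssl}->{detach_on_redirect};` followed by `$c->detach if !defined $detach || $detach;`. If the old default has to stay for compatibility, the line at least deserves a comment such as `# without detach the calling action keeps running on the non-SSL request`. Only part of the body of `require_ssl` is visible in this hunk.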
+sub allow_ssl {
+ my $c = shift;
+
+ $c->_allow_ssl(1);
+}
+
sub finalize {
my $c = shift;
# we're already required to be in SSL for this request
last REDIRECT if $c->_require_ssl;
# or the user doesn't want us to redirect
- last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl};
+ last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl} || $c->_allow_ssl;
$c->res->redirect( $c->_redirect_uri('http') );
}
# disable the plugin when running under certain engines which don't
# support SSL
- # XXX: I didn't include Catalyst::Engine::Server here as it may be used as
- # a backend in a proxy setup.
- if ( $c->engine eq "Catalyst::Engine::HTTP" ) {
+ if ( $c->engine =~ /Catalyst::Engine::HTTP/ ) {
$c->config->{require_ssl}->{disabled} = 1;
$c->log->warn( "RequireSSL: Disabling SSL redirection while running "
. "under " . $c->engine );
}
}
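Review bot: The unanchored `=~ /Catalyst::Engine::HTTP/` now disables the plugin for every engine whose name merely contains that string, and the result is fail-open: SSL redirection is switched off with nothing more than a log warning. The removed XXX comment recorded a concern about engines used as a backend behind a proxy. An engine such as Catalyst::Engine::HTTP::Prefork deployed that way would presumably match the new pattern as well. Consider anchoring the test to the engines that are actually meant, `if ( $c->engine =~ /\ACatalyst::Engine::HTTP(?:::Restarter)?(?:=|\z)/ )`, and respecting an explicit operator setting with `$c->config->{require_ssl}->{disabled} = 1 unless exists $c->config->{require_ssl}->{disabled};`. The enclosing sub starts outside the hunk.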
$redir .= '?' . join( '&', @params );
- }
-
+ }
+
+ if ( $c->config->{require_ssl}->{no_cache} ) {
+ delete $c->config->{require_ssl}->{$type};
+ }
+
return $redir;
}
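Review bot: With `no_cache` set, `delete $c->config->{require_ssl}->{$type}` removes the `https`/`http` entry from the shared application config whether the operator configured it or it was filled in at request time. An explicit `https => 'secure.mydomain.com'` therefore does not survive the first redirect. What replaces it is decided earlier in this sub, outside the hunk; if that is the host of the incoming request, redirect targets follow a client-supplied value from then on, which the `no_cache` documentation should say. Building the URI from a lexical copy of the host, rather than writing to and deleting from `$c->config`, would keep configured hosts intact and avoid changing process-wide state per request. Failing that, add a comment above the delete such as `# no_cache: forget the host so the next request derives it again; this also drops an operator-configured host`.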
https => 'secure.mydomain.com',
http => 'www.mydomain.com',
remain_in_ssl => 0,
+ no_cache => 0,
+ detach_on_redirect => 1,
};
# in any controller methods that should be secured
page, you can set this option to 1. By default, this option is disabled and
users will be redirected back to non-SSL mode as soon as possible.
+ no_cache
+
+If you have a wildcard certificate you will need to set this option if you are
+using multiple domains on one instance of Catalyst.
+
+ detach_on_redirect
+
+By default C<< $c->require_ssl >> only calls C<< $c->response->redirect >> but
+does not stop request processing (so it returns and subsequent statements are
+run). This is probably not what you want. If you set this option to a true
+value C<< $c->require_ssl >> will call C<< $c->detach >> when it redirects.
+
=head1 METHODS
=head2 require_ssl
The browser will be redirected to the same path on your SSL server. POST
requests are never redirected.
+=head2 allow_ssl
+
+Call allow_ssl in any controller method you wish to access both in SSL and
+non-SSL mode.
+
+ $c->allow_ssl;
+
+The browser will not be redirected, independently of whether the request was
+made to the SSL or non-SSL server.
+
+=head2 setup
+
+Disables this plugin if running under an engine which does not support SSL.
+
+=head2 finalize
+
+Performs the redirect to SSL url if required.
+
=head1 KNOWN ISSUES
When viewing an SSL-required page that uses static files served from the
Andy Grundman, <andy@hybridized.org>
+=head1 CONTRIBUTORS
+
+Simon Elliott <simon@browsing.co.uk> (support for wildcards)
+
=head1 COPYRIGHT
This program is free software, you can redistribute it and/or modify it under