1 package Catalyst::Plugin::RequireSSL;
4 use base qw/Class::Accessor::Fast/;
9 __PACKAGE__->mk_accessors( qw/_require_ssl _ssl_strip_output/ );
16 if ( !$c->req->secure && $c->req->method ne "POST" ) {
17 my $redir = $c->_redirect_uri('https');
18 if ( $c->config->{require_ssl}->{disabled} ) {
19 $c->log->warn( "RequireSSL: Would have redirected to $redir" );
22 $c->_ssl_strip_output(1);
23 $c->res->redirect( $redir );
31 # Do not redirect static files (only works with Static::Simple)
32 if ( $c->isa( "Catalyst::Plugin::Static::Simple" ) ) {
33 return $c->NEXT::finalize(@_) if $c->_static_file;
36 # redirect back to non-SSL mode
40 # we're not in SSL mode
41 last REDIRECT if !$c->req->secure;
43 last REDIRECT if $c->req->method eq "POST";
44 # we're already required to be in SSL for this request
45 last REDIRECT if $c->_require_ssl;
46 # or the user doesn't want us to redirect
47 last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl};
49 $c->res->redirect( $c->_redirect_uri('http') );
52 # do not allow any output to be displayed on the insecure page
53 if ( $c->_ssl_strip_output ) {
57 return $c->NEXT::finalize(@_);
65 # disable the plugin when running under certain engines which don't
67 # XXX: I didn't include Catalyst::Engine::Server here as it may be used as
68 # a backend in a proxy setup.
69 if ( $c->engine =~ /Catalyst::Engine::HTTP/ ) {
70 $c->config->{require_ssl}->{disabled} = 1;
71 $c->log->warn( "RequireSSL: Disabling SSL redirection while running "
72 . "under " . $c->engine );
77 my ( $c, $type ) = @_;
79 # XXX: Cat needs a $c->req->host method...
80 # until then, strip off the leading protocol from base
81 if ( !$c->config->{require_ssl}->{$type} ) {
82 my $host = $c->req->base;
83 $host =~ s/^http(s?):\/\///;
84 $c->config->{require_ssl}->{$type} = $host;
87 if ( $c->config->{require_ssl}->{$type} !~ /\/$/xms ) {
88 $c->config->{require_ssl}->{$type} .= '/';
92 = $type . '://' . $c->config->{require_ssl}->{$type} . $c->req->path;
94 if ( scalar $c->req->param ) {
96 foreach my $arg ( sort keys %{ $c->req->params } ) {
97 if ( ref $c->req->params->{$arg} ) {
98 my $list = $c->req->params->{$arg};
99 push @params, map { "$arg=" . $_ } sort @{$list};
102 push @params, "$arg=" . $c->req->params->{$arg};
105 $redir .= '?' . join( '&', @params );
116 Catalyst::Plugin::RequireSSL - Force SSL mode on select pages
122 MyApp->setup( qw/RequireSSL/ );
124 MyApp->config->{require_ssl} = {
125 https => 'secure.mydomain.com',
126 http => 'www.mydomain.com',
130 # in any controller methods that should be secured
135 Use this plugin if you wish to selectively force SSL mode on some of your web
136 pages, for example a user login form or shopping cart.
138 Simply place $c->require_ssl calls in any controller method you wish to be
141 This plugin will automatically disable itself if you are running under the
142 standalone HTTP::Daemon Catalyst server. A warning message will be printed to
143 the log file whenever an SSL redirect would have occurred.
147 If you use different servers or hostnames for non-SSL and SSL requests,
148 and you rely on a session cookie to determine redirection (e.g., for a login
149 page), your cookie must be visible to both servers. For more information, see
150 the documentation for the Session plugin you are using.
154 Configuration is optional. You may define the following configuration values:
158 If your SSL domain name is different from your non-SSL domain, set this value.
160 http => $non_ssl_host
162 If you have set the https value above, you must also set the hostname of your
167 If you'd like your users to remain in SSL mode after visiting an SSL-required
168 page, you can set this option to 1. By default, this option is disabled and
169 users will be redirected back to non-SSL mode as soon as possible.
175 Call require_ssl in any controller method you wish to be secured.
179 The browser will be redirected to the same path on your SSL server. POST
180 requests are never redirected.
184 When viewing an SSL-required page that uses static files served from the
185 Static plugin, the static files are redirected to the non-SSL path.
187 To get the correct behaviour, where static files are not redirected,
188 you should use the Static::Simple plugin or always serve static files
189 directly from your web server.
193 L<Catalyst>, L<Catalyst::Plugin::Static::Simple>
197 Andy Grundman, <andy@hybridized.org>
201 This program is free software, you can redistribute it and/or modify it under
202 the same terms as Perl itself.