1 package Catalyst::Plugin::RequireSSL;
4 use base qw/Class::Accessor::Fast/;
9 __PACKAGE__->mk_accessors( '_require_ssl' );
13 Catalyst::Plugin::RequireSSL - Force SSL mode on select pages
17 use Catalyst 'RequireSSL';
19 MyApp->config->{require_ssl} = {
20 https => 'secure.mydomain.com',
21 http => 'www.mydomain.com',
29 Use this plugin if you wish to selectively force SSL mode on some of your web pages,
30 for example a user login form or shopping cart.
32 Simply place $c->require_ssl calls in any controller method you wish to be secured.
34 This plugin will automatically disable itself if you are running under the standalone
35 HTTP::Daemon Catalyst server. A warning message will be printed to the log file whenever
36 an SSL redirect would have occurred.
40 If you utilize different servers or hostnames for non-SSL and SSL requests, and you rely
41 on a session cookie to determine redirection (e.g. for a login page), your cookie must
42 be visible to both servers. For more information, see the documentation for the Session plugin
47 Configuration is optional. You may define the following configuration values:
51 If your SSL domain name is different from your non-SSL domain, set this value.
55 If you have set the https value above, you must also set the hostname of your non-SSL
60 If you'd like your users to remain in SSL mode after visiting an SSL-required page, you can
61 set this option to 1. By default, users will be redirected back to non-SSL mode as soon as
70 Call require_ssl in any controller method you wish to be secured.
74 The browser will be redirected to the same path on your SSL server. POST requests
82 $c->_require_ssl( 1 );
84 unless ( $c->req->secure || $c->req->method eq "POST" ) {
85 if ( $c->config->{require_ssl}->{disabled} ) {
86 $c->log->warn( "RequireSSL: Would have redirected to " . $c->_redirect_uri( 'https' ) );
88 $c->res->redirect( $c->_redirect_uri( 'https' ) );
93 =item finalize (extended)
95 Redirect back to non-SSL mode if necessary.
103 # we're not in SSL mode,
104 # it's a POST request,
105 # we're already required to be in SSL for this request,
106 # or the user doesn't want us to redirect
107 unless ( !$c->req->secure
108 || $c->req->method eq "POST"
110 || $c->config->{require_ssl}->{remain_in_ssl} ) {
111 $c->res->redirect( $c->_redirect_uri( 'http' ) );
114 return $c->NEXT::finalize(@_);
119 Set up default values.
128 # disable the plugin when running under certain engines which don't support SSL
129 # XXX: I didn't include Catalyst::Engine::Server here as it may be used as a backend
131 if ( $c->engine eq "Catalyst::Engine::HTTP" ) {
132 $c->config->{require_ssl}->{disabled} = 1;
133 $c->log->warn( "RequireSSL: Disabling SSL redirection while running under " . $c->engine );
139 Generate the redirection URI.
144 my ( $c, $type ) = @_;
146 # XXX: Cat needs a $c->req->host method...
147 # until then, strip off the leading protocol from base
148 unless ( $c->config->{require_ssl}->{$type} ) {
149 my $host = $c->req->base;
150 $host =~ s/^http(s?):\/\///;
151 $c->config->{require_ssl}->{$type} = $host;
154 $c->config->{require_ssl}->{$type} .= '/'
155 unless ( $c->config->{require_ssl}->{$type} =~ /\/$/ );
157 my $redir = $type . '://' . $c->config->{require_ssl}->{$type} . $c->req->path;
158 if ( scalar keys %{ $c->req->params } ) {
160 foreach my $k ( sort keys %{ $c->req->params } ) {
161 push @params, $k . "=" . $c->req->params->{$k};
163 $redir .= "?" . join "&", @params;
173 When viewing an SSL-required page that uses static files served from the Static plugin, the static
174 files are redirected to the non-SSL path. It may be possible to work around this by checking the
175 referer protocol, but currently there is no way to determine if a file being served is static content.
177 For best results, always serve static files directly from your web server without using the Static
186 Andy Grundman, C<andy@hybridized.org>
190 This program is free software, you can redistribute it and/or modify it under
191 the same terms as Perl itself.