1 package Catalyst::Plugin::RequireSSL;
4 use base qw/Class::Accessor::Fast/;
9 __PACKAGE__->mk_accessors('_require_ssl');
16 if ( !$c->req->secure && $c->req->method ne "POST" ) {
17 my $redir = $c->_redirect_uri('https');
18 if ( $c->config->{require_ssl}->{disabled} ) {
19 $c->log->warn( "RequireSSL: Would have redirected to $redir" );
22 $c->res->redirect( $redir );
30 # Do not redirect static files (only works with Static::Simple)
31 if ( $c->isa( "Catalyst::Plugin::Static::Simple" ) ) {
32 return $c->NEXT::finalize(@_) if $c->_static_file;
35 # redirect back to non-SSL mode
39 # we're not in SSL mode
40 last REDIRECT if !$c->req->secure;
42 last REDIRECT if $c->req->method eq "POST";
43 # we're already required to be in SSL for this request
44 last REDIRECT if $c->_require_ssl;
45 # or the user doesn't want us to redirect
46 last REDIRECT if $c->config->{require_ssl}->{remain_in_ssl};
48 $c->res->redirect( $c->_redirect_uri('http') );
51 return $c->NEXT::finalize(@_);
59 # disable the plugin when running under certain engines which don't
61 # XXX: I didn't include Catalyst::Engine::Server here as it may be used as
62 # a backend in a proxy setup.
63 if ( $c->engine eq "Catalyst::Engine::HTTP" ) {
64 $c->config->{require_ssl}->{disabled} = 1;
65 $c->log->warn( "RequireSSL: Disabling SSL redirection while running "
66 . "under " . $c->engine );
71 my ( $c, $type ) = @_;
73 # XXX: Cat needs a $c->req->host method...
74 # until then, strip off the leading protocol from base
75 if ( !$c->config->{require_ssl}->{$type} ) {
76 my $host = $c->req->base;
77 $host =~ s/^http(s?):\/\///;
78 $c->config->{require_ssl}->{$type} = $host;
81 if ( $c->config->{require_ssl}->{$type} !~ /\/$/xms ) {
82 $c->config->{require_ssl}->{$type} .= '/';
86 = $type . '://' . $c->config->{require_ssl}->{$type} . $c->req->path;
88 if ( scalar $c->req->param ) {
90 = map { "$_=" . $c->req->params->{$_} } sort $c->req->param;
91 $redir .= "?" . join "&", @params;
102 Catalyst::Plugin::RequireSSL - Force SSL mode on select pages
108 MyApp->setup( qw/RequireSSL/ );
110 MyApp->config->{require_ssl} = {
111 https => 'secure.mydomain.com',
112 http => 'www.mydomain.com',
116 # in any controller methods that should be secured
121 Use this plugin if you wish to selectively force SSL mode on some of your web
122 pages, for example a user login form or shopping cart.
124 Simply place $c->require_ssl calls in any controller method you wish to be
127 This plugin will automatically disable itself if you are running under the
128 standalone HTTP::Daemon Catalyst server. A warning message will be printed to
129 the log file whenever an SSL redirect would have occurred.
133 If you utilize different servers or hostnames for non-SSL and SSL requests,
134 and you rely on a session cookie to determine redirection (i.e. for a login
135 page), your cookie must be visible to both servers. For more information, see
136 the documentation for the Session plugin you are using.
140 Configuration is optional. You may define the following configuration values:
144 If your SSL domain name is different from your non-SSL domain, set this value. If it is left unset, the plugin fills it in from the host portion of the current request's base URI (with the leading protocol stripped).
146 http => $non_ssl_host
148 If you have set the https value above, you must also set the hostname of your
153 If you'd like your users to remain in SSL mode after visiting an SSL-required
154 page, you can set this option to 1. By default, this option is disabled and
155 users will be redirected back to non-SSL mode as soon as possible.
161 Call require_ssl in any controller method you wish to be secured.
165 The browser will be redirected to the same path (with any query parameters preserved) on your SSL server. POST
166 requests are never redirected.
170 When viewing an SSL-required page that uses static files served from the
171 Static plugin, the static files are redirected to the non-SSL path.
173 In order to get the correct behaviour where static files are not redirected,
174 you should use the Static::Simple plugin or always serve static files
175 directly from your web server.
179 L<Catalyst>, L<Catalyst::Plugin::Static::Simple>
183 Andy Grundman, <andy@hybridized.org>
187 This program is free software, you can redistribute it and/or modify it under
188 the same terms as Perl itself.