LibreCCM
/
libreccm-legacy
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

incorporating: 

r1649 | chrisg23 | 2007-09-18 11:57:51 +0200 (Di, 18 Sep 2007)
Sourceforge patch 1793030 - small fix to prevent possibility of creating infinite group hierarchy

------------------------------------------------------------------------

r1650 | chrisg23 | 2007-09-18 12:01:35 +0200 (Di, 18 Sep 2007)
Sourceforge patch 1793009 - allow requests to switch back from https to http (eg when user logs out)


git-svn-id: https://svn.libreccm.org/ccm/trunk@22 8810af33-2d31-482b-a856-94f89814c4df
master
pb 2008-02-15 16:59:50 +00:00
parent 51956f6120
commit b4846550c0
4 changed files with 49 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ccm-core/src/com/arsdigita/ui/admin/GroupSearchForm.java
View File

@ -101,10 +101,11 @@ public class GroupSearchForm extends Form implements FormProcessListener, AdminC
excludedList.add(subgroups.getGroup().getID()); excludedList.add(subgroups.getGroup().getID());
} }
GroupCollection supergroups = parent.getAllSupergroups(); GroupCollection supergroups = parent.getAllSupergroups();
List supergroupsList = new ArrayList();
while (supergroups.next()) { while (supergroups.next()) {
excludedList.add(supergroups.getGroup().getID()); excludedList.add(supergroups.getGroup().getID());
} }
// make sure we can't add current group as child of itself!!!
excludedList.add(parent.getID());
if (!excludedList.isEmpty()) { if (!excludedList.isEmpty()) {

27
ccm-core/src/com/arsdigita/web/SecureFilter.java
View File

@ -10,6 +10,7 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse; import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import com.arsdigita.util.servlet.HttpHost; import com.arsdigita.util.servlet.HttpHost;
@ -21,6 +22,8 @@ import com.arsdigita.util.servlet.HttpHost;
*/ */
public class SecureFilter implements Filter { public class SecureFilter implements Filter {
private static Logger s_log = Logger.getLogger(SecureFilter.class);
public void init(FilterConfig filterConfig) throws ServletException { public void init(FilterConfig filterConfig) throws ServletException {
} }
@ -31,7 +34,8 @@ public class SecureFilter implements Filter {
HttpServletResponse hresp = (HttpServletResponse) response; HttpServletResponse hresp = (HttpServletResponse) response;
String uri = hreq.getRequestURI(); String uri = hreq.getRequestURI();
WebConfig conf = Web.getConfig(); WebConfig conf = Web.getConfig();
if (conf.isSecureRequired(uri) && !request.isSecure()) { if (conf.isSecureRequired(uri) && !request.isSecure() && !conf.isNonSecureSwitchRequired(uri)) {
s_log.debug("uri - " + uri + " should be accessed via https - redirecting");
StringBuffer secureEquivalent = new StringBuffer("https://"); StringBuffer secureEquivalent = new StringBuffer("https://");
HttpHost secureServer = conf.getSecureServer(); HttpHost secureServer = conf.getSecureServer();
secureEquivalent.append(secureServer.getName()); secureEquivalent.append(secureServer.getName());
@ -50,6 +54,27 @@ public class SecureFilter implements Filter {
.append(queryString); .append(queryString);
} }
hresp.sendRedirect(secureEquivalent.toString()); hresp.sendRedirect(secureEquivalent.toString());
} else if (conf.isNonSecureSwitchRequired(uri) && request.isSecure()) {
s_log.debug("uri - " + uri + " triggers a return to http from https - redirecting");
StringBuffer nonSecureEquivalent = new StringBuffer("http://");
HttpHost standardServer = conf.getServer();
nonSecureEquivalent.append(standardServer.getName());
int securePort = standardServer.getPort();
if (securePort != 80) {
nonSecureEquivalent
.append(':')
.append(securePort);
}
if (uri != null) {
nonSecureEquivalent.append(uri);
}
String queryString = hreq.getQueryString();
if (queryString != null) {
nonSecureEquivalent.append('?')
.append(queryString);
}
hresp.sendRedirect(nonSecureEquivalent.toString());
} else { } else {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
} }

17
ccm-core/src/com/arsdigita/web/WebConfig.java
View File

@ -66,6 +66,7 @@ public final class WebConfig extends AbstractConfig {
private final Parameter m_dynamic_host_provider; private final Parameter m_dynamic_host_provider;
private final Parameter m_deactivate_cache_host_notifications; private final Parameter m_deactivate_cache_host_notifications;
private final Parameter m_secureRequired; private final Parameter m_secureRequired;
private final Parameter m_secureSwitchBack;
public WebConfig() { public WebConfig() {
m_scheme = new DefaultSchemeParameter m_scheme = new DefaultSchemeParameter
@ -113,6 +114,9 @@ public final class WebConfig extends AbstractConfig {
m_secureRequired = new StringArrayParameter( m_secureRequired = new StringArrayParameter(
"waf.web.secure_required", Parameter.OPTIONAL, null); "waf.web.secure_required", Parameter.OPTIONAL, null);
m_secureSwitchBack = new StringArrayParameter (
"waf.web.secure_switchback", Parameter.OPTIONAL, null);
m_dynamic_host_provider = new StringParameter m_dynamic_host_provider = new StringParameter
("waf.web.dynamic_host_provider", Parameter.OPTIONAL, ""); ("waf.web.dynamic_host_provider", Parameter.OPTIONAL, "");
@ -131,6 +135,7 @@ public final class WebConfig extends AbstractConfig {
register(m_dynamic_host_provider); register(m_dynamic_host_provider);
register(m_deactivate_cache_host_notifications); register(m_deactivate_cache_host_notifications);
register(m_secureRequired); register(m_secureRequired);
register(m_secureSwitchBack);
loadInfo(); loadInfo();
} }
@ -159,6 +164,18 @@ public final class WebConfig extends AbstractConfig {
return false; return false;
} }
public final boolean isNonSecureSwitchRequired(String uri) {
String[] switchBack = (String[])get(m_secureSwitchBack);
if (switchBack != null) {
for (int i=0, n=switchBack.length; i<n; i++) {
if (uri.startsWith(switchBack[i])) {
return true;
}
}
}
return false;
}
public final HttpHost getHost() { public final HttpHost getHost() {
return (HttpHost) get(m_host); return (HttpHost) get(m_host);
} }

4
ccm-core/src/com/arsdigita/web/WebConfig_parameter.properties
View File

@ -34,6 +34,10 @@ waf.web.secure_required.title=List of URLs where HTTPS is required
waf.web.secure_required.purpose=List of URLs which accessed by insecure (normal HTTP) connection produce a redirect to a HTTPS equivalent waf.web.secure_required.purpose=List of URLs which accessed by insecure (normal HTTP) connection produce a redirect to a HTTPS equivalent
waf.web.secure_required.example=/ccm/register/,/ccm/admin/ waf.web.secure_required.example=/ccm/register/,/ccm/admin/
waf.web.secure_required.format=url1,url2,... waf.web.secure_required.format=url1,url2,...
waf.web.secure_switchback.title=List of URLs that switch back to unsecure
waf.web.secure_switchback.purpose=List of URLs which accessed by secure (HTTPS) connection produce a redirect to a HTTP equivalent
waf.web.secure_switchback.example=/ccm/register/logout
waf.web.secure_switchback.format=url1,url2,...
waf.web.site_name.title=Site name waf.web.site_name.title=Site name
waf.web.site_name.purpose=The name of your website, for use in page footers for example waf.web.site_name.purpose=The name of your website, for use in page footers for example
waf.web.site_name.example=Joe's House of HTML waf.web.site_name.example=Joe's House of HTML