Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-261: Secure/Insecure Channel Processor #523

Closed
spring-issuemaster opened this issue May 3, 2006 · 3 comments
Closed

SEC-261: Secure/Insecure Channel Processor #523

spring-issuemaster opened this issue May 3, 2006 · 3 comments

Comments

@spring-issuemaster
Copy link

@spring-issuemaster spring-issuemaster commented May 3, 2006

David Hainlin(Migrated from SEC-261) said:

When operating ACEGI behind a Load Balancer or Web Server that performs SSL on behalf of the App Server, channel security doesn’t work. It would be useful if there was a ChannelProcessor implementation that could review the remote port of a request (which survives even if the LB switches from https to http before landing in the Acegi stack). The idea would be to allow configuration of a SecureChannelProcessor and an InsecureChannelProcessor based on port mapper configuration.

One possible implementation could be:

package …;

import java.io.IOException;
import java.util.Iterator;

import javax.servlet.ServletException;

import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.intercept.web.FilterInvocation;
import net.sf.acegisecurity.securechannel.ChannelEntryPoint;
import net.sf.acegisecurity.securechannel.ChannelProcessor;
import net.sf.acegisecurity.securechannel.RetryWithHttpsEntryPoint;
import net.sf.acegisecurity.util.PortMapper;
import net.sf.acegisecurity.util.PortMapperImpl;

import org.springframework.util.Assert;

/**
- A ChannelProcessor that makes decisions based on the requests server port. By
- default, this processor will look to see if the port is a designated SSL port
- by using the provided portMapper. If not, it fires the entry point (which
- should force a redirect).
-
- This processor can also be used to see if the current port is an http port
- and if not, redirect to it. In essence, it can hancle secure and insecure
- redirects.
-
-
-
- To use as an insecure processor, set the secureMode to false and set a
- different secureKeyword.
-
- The default secureKeyword is “REQUIRES_SECURE_CHANNEL” and the default
- portMapper is the standard PortMapperImpl which handles 80/443 and 8080/8443
- by default. The default entryPoint is RetryWithHttpsEntryPoint so be sure to
- set this if using this processor as an insecure processor.
-
- This implementation was borrowed from Acegi’s SecureChannelProcessor.
- @see net.sf.acegisecurity.securechannel.SecureChannelProcessor
*/
public class PortBasedChannelProcessor implements ChannelProcessor
{
private static final String REQUIRES_SECURE_CHANNEL = “REQUIRES_SECURE_CHANNEL”;
private ChannelEntryPoint entryPoint = new RetryWithHttpsEntryPoint();
private String secureKeyword = REQUIRES_SECURE_CHANNEL;
private PortMapper portMapper;
private boolean secureMode = true;

/** - Set this to true if this processor should fire the endpoint if not running - on a designated https port. Set to false if the endpoint should fire if - not running on a designated http port. - - @param secureMode - The secureMode to set. */ public void setSecureMode(boolean secureMode) { this.secureMode = secureMode; } /** - The portMapper to use in making decisions about ports. - - @param portMapper - The portMapper to set. */ public void setPortMapper(PortMapper portMapper) { this.portMapper = portMapper; } /** - The entrypoint to use when a redirect decision is made. Defaults to - RetryWithHttpsEntryPoint. - - @param entryPoint - The entryPoint to set. - @see RetryWithHttpsEntryPoint */ public void setEntryPoint(ChannelEntryPoint entryPoint) { this.entryPoint = entryPoint; } /** - The keyword in the configuration to designate this processor should be - used. Defaults to “REQUIRES_SECURE_CHANNEL”. - - @param secureKeyword - The secureKeyword to set. */ public void setSecureKeyword(String secureKeyword) { this.secureKeyword = secureKeyword; } /** - @see net.sf.acegisecurity.securechannel.ChannelProcessor#decide(net.sf.acegisecurity.intercept.web.FilterInvocation, - ``` net.sf.acegisecurity.ConfigAttributeDefinition) ``` */ public void decide(FilterInvocation invocation, ConfigAttributeDefinition config) throws IOException, ServletException { Assert.isTrue((invocation != null) && (config != null), “Nulls cannot be provided”); Iterator iter = config.getConfigAttributes(); while (iter.hasNext()) { ConfigAttribute attribute = (ConfigAttribute) iter.next(); if (supports(attribute)) { Integer currentPort = new Integer(invocation.getHttpRequest().getServerPort()); boolean foundPort = false; if (secureMode) { foundPort = getPortMapper().lookupHttpPort(currentPort) != null; } else { foundPort = getPortMapper().lookupHttpsPort(currentPort) != null; } if (!foundPort) { entryPoint.commence(invocation.getRequest(), invocation.getResponse()); } } } } /** - @see net.sf.acegisecurity.securechannel.ChannelProcessor#supports(net.sf.acegisecurity.ConfigAttribute) */ public boolean supports(ConfigAttribute attribute) { return (attribute != null) && (attribute.getAttribute() != null) && attribute.getAttribute().equals(secureKeyword); } /** - Gets the portMapper. Defaults to PortMapperImpl if not set. - - @return Returns the portMapper. - @see PortMapperImpl */ public PortMapper getPortMapper() { if (portMapper == null) { portMapper = new PortMapperImpl(); } return portMapper; } }

The Springbean configs might be:



These would be wired into the ChannelDecisionManager as needed.

@spring-issuemaster

This comment has been minimized.

Copy link
Author

@spring-issuemaster spring-issuemaster commented May 22, 2006

Ben Alex said:

David, thanks for the contribution. Would you please provide it as a modification to the existing channel processor together with a unit test? I’ll be pleased to add it to SVN with these changes. Thanks!

@spring-issuemaster

This comment has been minimized.

Copy link
Author

@spring-issuemaster spring-issuemaster commented May 30, 2008

Luke Taylor said:

I’m not quite clear on why this is required, i.e. why “channel security doesn’t work” when behind a proxy which handles SSL.

I would’ve thought it was possible to configure connectors appropriately in Tomcat, for example. I.e. setting secure=“true” scheme=“https” (and setting proxyName and proxyPort) for the connector to which the HTTPS connections are being proxied would label it as secure as far as the channel processor was concerned, even though only the connection to apache was actually encrypted.

@spring-issuemaster

This comment has been minimized.

Copy link
Author

@spring-issuemaster spring-issuemaster commented Jul 17, 2008

Luke Taylor said:

As explained above, I don’t think this is necessary as it should be possible using tomcat configuration (or equivalents for other containers).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.