diff options
Diffstat (limited to 'java/com/google/gerrit/httpd/RequireSslFilter.java')
-rw-r--r-- | java/com/google/gerrit/httpd/RequireSslFilter.java | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/java/com/google/gerrit/httpd/RequireSslFilter.java b/java/com/google/gerrit/httpd/RequireSslFilter.java new file mode 100644 index 0000000000..d8e6f847cc --- /dev/null +++ b/java/com/google/gerrit/httpd/RequireSslFilter.java @@ -0,0 +1,100 @@ +// Copyright (C) 2009 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.google.gerrit.httpd; + +import com.google.gerrit.common.Nullable; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import com.google.inject.servlet.ServletModule; +import java.io.IOException; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +/** Requires the connection to use SSL, redirects if not. */ +@Singleton +public class RequireSslFilter implements Filter { + public static class Module extends ServletModule { + private final boolean wantSsl; + + @Inject + Module(@Nullable @CanonicalWebUrl String canonicalUrl) { + this.wantSsl = canonicalUrl != null && canonicalUrl.startsWith("https:"); + } + + @Override + protected void configureServlets() { + if (wantSsl) { + filter("/*").through(RequireSslFilter.class); + } + } + } + + private final Provider<String> urlProvider; + + @Inject + RequireSslFilter(@CanonicalWebUrl @Nullable Provider<String> urlProvider) { + this.urlProvider = urlProvider; + } + + @Override + public void init(FilterConfig filterConfig) {} + + @Override + public void destroy() {} + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + throws IOException, ServletException { + final HttpServletRequest req = (HttpServletRequest) request; + final HttpServletResponse rsp = (HttpServletResponse) response; + + if (isSecure(req)) { + chain.doFilter(request, response); + + } else { + // If we wanted SSL, but the user didn't come to us over it, + // force SSL by issuing a protocol redirect. Try to keep the + // name "localhost" in case this is an SSH port tunnel. + // + final String url; + if (isLocalHost(req)) { + final StringBuffer b = req.getRequestURL(); + b.replace(0, b.indexOf(":"), "https"); + url = b.toString(); + + } else { + url = urlProvider.get() + req.getServletPath(); + } + rsp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); + rsp.setHeader("Location", url); + } + } + + private static boolean isSecure(HttpServletRequest req) { + return "https".equals(req.getScheme()) || req.isSecure(); + } + + private static boolean isLocalHost(HttpServletRequest req) { + return "localhost".equals(req.getServerName()) || "127.0.0.1".equals(req.getServerName()); + } +} |