Esempio n. 1
0
  /**
   * Determines whether we are using SSL or not. If we are logged in, then we should be using SSL.
   * SSL can also be forced by setting the forceSSL boolean. If we should be using SSL but aren't
   * (or vice versa) we do a redirect by returning an action forward with the correct URL to
   * redirect to. Otherwise we return null
   *
   * @param request
   * @param custId The customer id
   * @param forceSSL Set to true if we should force SSL.
   * @return ActionForward
   * @throws KKException
   */
  protected String checkSSL(KKAppEng eng, HttpServletRequest request, int custId, boolean forceSSL)
      throws KKException {
    try {
      if (eng == null) {
        throw new KKException("checkSSL called with KKAppEng set to null");
      }

      if (eng.isPortlet()) {
        // Take no action if in a Portlet
        return null;
      }

      String sslPort = eng.getSslPort();
      String standardPort = eng.getStandardPort();
      boolean activateCheck = eng.isEnableSSL();
      String sslBaseUrl = eng.getSslBaseUrl();

      if (activateCheck && request != null) {
        boolean isSSL = false;
        StringBuffer redirectUrl;

        if (request.getRequestURL() == null) {
          throw new KKException(
              "Cannot determine whether SSL is being used because getRequestURL() returns null");
        }

        if (request.getRequestURL().substring(0, 5).equalsIgnoreCase("https")) {
          isSSL = true;
        }

        if (log.isDebugEnabled()) {
          log.debug("getServerName = " + request.getServerName());
          log.debug("getServerPort = " + request.getServerPort());
          log.debug("getServletPath = " + request.getServletPath());
          log.debug("getRequestURI = " + request.getRequestURI());
          log.debug("getRequestURL = " + request.getRequestURL());
          log.debug("isSSL = " + isSSL);
          log.debug("custId = " + custId);
        }

        if (!isSSL && (custId > -1 || forceSSL)) {
          // We aren't using SSL but should be
          redirectUrl = new StringBuffer();
          if (sslBaseUrl != null) {
            redirectUrl.append(sslBaseUrl);
            redirectUrl.append(request.getRequestURI());
          } else {
            redirectUrl.append("https://");
            redirectUrl.append(request.getServerName());
            // Insert the port if it is non standard
            if (sslPort != null && !sslPort.equals("443")) {
              redirectUrl.append(":");
              redirectUrl.append(sslPort);
            }
            redirectUrl.append(request.getRequestURI());
          }

          /*
           * The following is called for security reasons. In some cases (such as when
           * using Tomcat) the session id is appended to the URL in the browser (i.e.
           * jsessionid=E2D1B0B2B8C5478B7F6F3C3C5D9BB0FB). If a hacker managed to get this
           * session id while the customer wasn't logged in, he could use it to access
           * sensitive information once the customer has logged in since the session id
           * doesn't change. The following method creates a new session and substitutes
           * it.
           */
          changeSession(request);
        } else if (isSSL && (custId < 0) && !forceSSL) {
          // We are using SSL but shouldn't be
          redirectUrl = new StringBuffer();
          redirectUrl.append("http://");
          redirectUrl.append(request.getServerName());
          // Insert the port if it is non standard
          if (standardPort != null && !standardPort.equals("80")) {
            redirectUrl.append(":");
            redirectUrl.append(standardPort);
          }
          redirectUrl.append(request.getRequestURI());
        } else {
          // Don't need to do anything
          return null;
        }

        // Get the parameters
        StringBuffer parms = new StringBuffer();
        Enumeration<String> en = request.getParameterNames();
        while (en.hasMoreElements()) {
          String paramName = en.nextElement();
          String paramValue = request.getParameter(paramName);
          if (parms.length() > 0) {
            parms.append("&");
          } else {
            parms.append("?");
          }
          parms.append(paramName);
          parms.append("=");
          parms.append(paramValue);
        }

        // Append the parameters to the redirect url
        redirectUrl.append(parms);
        if (log.isDebugEnabled()) {
          log.debug("redirectUrl = " + redirectUrl);
        }
        return redirectUrl.toString();
      }

      return null;
    } catch (Exception e) {
      log.error(e);
      return null;
    }
  }