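/**
 * Determines whether we are using SSL or not. If we are logged in, then we should be using SSL.
 * SSL can also be forced by setting the forceSSL boolean. If we should be using SSL but aren't
 * (or vice versa) we do a redirect by returning the URL to redirect to. Otherwise we return null.
 * <p>
 * Because of the catch-all at the end, any failure inside the check (including the
 * {@link KKException}s raised below) is logged and reported as {@code null}, i.e. "no redirect".
 * The {@code throws KKException} clause is retained so existing callers keep compiling.
 *
 * @param eng the application engine holding the SSL configuration; must not be null
 * @param request the current request; when null no check is performed and null is returned
 * @param custId The customer id; a value greater than -1 means a customer is logged in
 * @param forceSSL Set to true if we should force SSL.
 * @return the absolute URL to redirect to, or null if no redirect is required
 * @throws KKException declared for compatibility; in practice swallowed by the catch-all below
 */
protected String checkSSL(KKAppEng eng, HttpServletRequest request, int custId, boolean forceSSL)
        throws KKException {
    try {
        if (eng == null) {
            throw new KKException("checkSSL called with KKAppEng set to null");
        }
        if (eng.isPortlet()) {
            // Take no action if in a Portlet
            return null;
        }

        String sslPort = eng.getSslPort();
        String standardPort = eng.getStandardPort();
        boolean activateCheck = eng.isEnableSSL();
        String sslBaseUrl = eng.getSslBaseUrl();

        if (!activateCheck || request == null) {
            return null;
        }

        StringBuffer requestUrl = request.getRequestURL();
        if (requestUrl == null) {
            throw new KKException(
                    "Cannot determine whether SSL is being used because getRequestURL() returns null");
        }
        // Only the scheme is compared; a URL shorter than "https" cannot be an SSL URL
        boolean isSSL = requestUrl.length() >= 5
                && requestUrl.substring(0, 5).equalsIgnoreCase("https");

        if (log.isDebugEnabled()) {
            log.debug("getServerName = " + request.getServerName());
            log.debug("getServerPort = " + request.getServerPort());
            log.debug("getServletPath = " + request.getServletPath());
            log.debug("getRequestURI = " + request.getRequestURI());
            log.debug("getRequestURL = " + requestUrl);
            log.debug("isSSL = " + isSSL);
            log.debug("custId = " + custId);
        }

        StringBuilder redirectUrl = new StringBuilder();
        if (!isSSL && (custId > -1 || forceSSL)) {
            // We aren't using SSL but should be
            if (sslBaseUrl != null) {
                redirectUrl.append(sslBaseUrl);
            } else {
                // Fallback: derive the host from the request itself. getServerName() is
                // generally taken from the request's Host header, so a configured sslBaseUrl
                // is the more trustworthy source for the redirect target.
                redirectUrl.append("https://").append(request.getServerName());
                appendNonStandardPort(redirectUrl, sslPort, "443");
            }
            redirectUrl.append(request.getRequestURI());
            /*
             * The following is called for security reasons. In some cases (such as when
             * using Tomcat) the session id is appended to the URL in the browser (i.e.
             * jsessionid=E2D1B0B2B8C5478B7F6F3C3C5D9BB0FB). If a hacker managed to get this
             * session id while the customer wasn't logged in, he could use it to access
             * sensitive information once the customer has logged in since the session id
             * doesn't change. The following method creates a new session and substitutes
             * it.
             */
            changeSession(request);
        } else if (isSSL && custId < 0 && !forceSSL) {
            // We are using SSL but shouldn't be
            redirectUrl.append("http://").append(request.getServerName());
            appendNonStandardPort(redirectUrl, standardPort, "80");
            redirectUrl.append(request.getRequestURI());
        } else {
            // Already on the correct scheme; nothing to do
            return null;
        }

        // Carry the query parameters over to the redirect URL, URL-encoded so that values
        // containing '&', '=', '#' or spaces cannot corrupt the rebuilt query string
        redirectUrl.append(buildQueryString(request));

        if (log.isDebugEnabled()) {
            log.debug("redirectUrl = " + redirectUrl);
        }
        return redirectUrl.toString();
    } catch (Exception e) {
        // Best-effort: a failed check must not break the request, so it is logged and
        // treated as "no redirect" (this also swallows the KKExceptions thrown above)
        log.error("checkSSL failed: " + e.getMessage(), e);
        return null;
    }
}

/**
 * Appends {@code :port} to {@code url} when {@code port} is set and differs from the scheme's
 * default port.
 *
 * @param url the URL being built
 * @param port the configured port, may be null
 * @param defaultPort the default port for the scheme ("80" or "443")
 */
private static void appendNonStandardPort(StringBuilder url, String port, String defaultPort) {
    if (port != null && !port.equals(defaultPort)) {
        url.append(':').append(port);
    }
}

/**
 * Rebuilds the query string of {@code request} from its parameters, URL-encoding every name and
 * value and preserving multi-valued parameters (the previous implementation kept only the first
 * value and appended names and values unencoded).
 *
 * @param request the request whose parameters are copied
 * @return an empty string when there are no parameters, otherwise a string starting with '?'
 * @throws java.io.UnsupportedEncodingException never in practice; UTF-8 is mandatory on every JVM
 */
private static String buildQueryString(HttpServletRequest request)
        throws java.io.UnsupportedEncodingException {
    StringBuilder parms = new StringBuilder();
    Enumeration<String> en = request.getParameterNames();
    while (en.hasMoreElements()) {
        String paramName = en.nextElement();
        String[] values = request.getParameterValues(paramName);
        if (values == null) {
            continue;
        }
        for (String value : values) {
            parms.append(parms.length() == 0 ? '?' : '&');
            parms.append(java.net.URLEncoder.encode(paramName, "UTF-8"));
            parms.append('=');
            if (value != null) {
                parms.append(java.net.URLEncoder.encode(value, "UTF-8"));
            }
        }
    }
    return parms.toString();
}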