SSL Interceptor Regex...

Can someone help me writing the regex for the SSL interceptor
pattern...

I want to specify all events that start with:
^security
^admin
^user

...but I'm not sure how to put them all together?

I've tried the following, but it doesn't work...

<Interceptor class="interceptors.ssl">
<Property name="checkSSL">true</Property>
<Property name="pattern">^security,^admin,^user</Property>
<Property name="addToken">false</Property>
</Interceptor>

You do a decision group

^(security|admin|user)

Each decision group is in parenthesis and pipes.

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

nice...!

Thanks Luis.

I have SES URL's turned on using addRoute(pattern=":handler/:action?")
and I'm using Luis' web.config rewrite rules for the URL Rewrite
plugin for IIS.

My problem is that when the login page is secure and submitted to:
<form name="Login" method="post" action="/security/dologin/">

Firefox complains that... "Although this page is encrypted, the
information you have entered is to be sent over an unecrypted
connection and could easily be read by a third party"

The problem goes away if I change it to:
<form name="Login" method="post" action="https://localhost/security/
dologin/">

Is this because of the BaseURL in Routes.cfm?

  if( len(getSetting('AppMapping') ) lte 1){
    setBaseURL("http://#cgi.HTTP_HOST#");
  }

Thanks,
T

Changing the BaseURL fixes the problem:
setBaseURL("https://#cgi.HTTP_HOST#");

What is the best way to check if SSL is required inside Routes.cfm?

well, I don’t know if your requirements are SSL always on or not.

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

SSL not always on.

Is there a way to access the SSL interceptor 'pattern' property from
the Routes.cfm file?

Thanks,
Thomas

What do you need to do?Remember that you can chane the base URL on a
per request basis by using the event.setsesbaseurl() method

I need SES URL's working together with SSL (without index.cfm), and
for the site to easily transfer from http to https or vice-versa,
depending on the regex in the pattern property. Most of this works
except for the form post situation above. I don't think using
event.setbaseurl() on a per request basis would serve my needs, as it
would have to be managed along side of the pattern property.

What I initially wanted to do was switch the baseurl to http or https
in Routes.cfm based on something like isSSLRequired, but I'm having a
hard time figuring out the best way to go about it.

T

T,

I guess I don’t fully see it yet, sorry. Do you mind explaining further.
Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

Sure Luis, sorry for the confusion...

I have my website using minimal URL's (without index.cfm in the URL)
like:

http://localhost/home/about

I've also enabled the ssl interceptor, using a pattern of ^(security|
admin>user)

This works as expected, the events that match the pattern are all
redirected to https:// (if needed), and the events that don't match
are redirected to http:// (if needed).

The one case where this doesn't work is form post like on the login
page. When the 'login' link is clicked, it matches the security
pattern, so the login URL is:

https://localhost/security/login

The action for the login form looks like:
<form name="Login" method="post" action="#event.buildLink
('security.dologin')#">
OR
<form name="Login" method="post" action="/security/dologin">

The problem is that the post link is converted to a non secure link:
http://localhost/security/dologin

Now, I know I can set the event.setsesbaseurl() on a per request
basis, but if I have a lot of handlers, I need to remember to
setsesbaseurl() in each handler so it matches the regex for the SSL
interceptor?

What I want(ed) to do is make the Routes.cfm file smarter, so that if
SSL is required, the setBaseURL is updated automatically.

Something like the following would be ideal...

// Base URL
if( isSSLRequired(event) ){
  setBaseURL("https://#cgi.HTTP_HOST#");
}
else{
  setBaseURL("http://#cgi.HTTP_HOST#");
}

Buildlink() has an ssl argument. When you do:

event.buildLink(‘security.dologin’)

Would the following work for you?

event.buildLink(linkto = ‘security.dologin’, ssl = true)

  • Gabriel