org.hippoecm.hst.core.container

Class AbstractHttpsSchemeValve

java.lang.Object

org.hippoecm.hst.container.valves.AbstractValve

org.hippoecm.hst.container.valves.AbstractOrderableValve

org.hippoecm.hst.core.container.AbstractHttpsSchemeValve

All Implemented Interfaces:

OrderableValve, Valve

public abstract class AbstractHttpsSchemeValve
extends AbstractOrderableValve

Abstract class with facility methods for implementing domain specific https scheme valve. Example Spring configuration:

     <bean id="httpsSchemeValve" init-method="initialize" destroy-method="destroy"
              class="com.example.hst.core.container.HttpsSchemeValve">
      <property name="valveName" value="httpsSchemeExampleValve" />
      <!-- Make sure it gets injected *after* the initializationValve -->
      <property name="afterValves" value="initializationValve"/>
      <property name="beforeValves" value="cmsSecurityValve"/>
      <!-- only use repository and configReaderCredentials below if you rely on getHstConfigSession() -->
      <property name="repository" ref="javax.jcr.Repository"/>
      <property name="configReaderCredentials" ref="javax.jcr.Credentials.hstconfigreader"/>
      <!-- value 301 below is default when not set -->
      <property name="redirectStatusCode" value="301"/>
     </bean>

     <!--below inject the valve in the  DefaultSitePipeline -->
     <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
          <property name="targetObject">
              <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
                  <property name="targetObject" ref="org.hippoecm.hst.core.container.Pipelines" />
                  <property name="targetMethod" value="getPipeline"/>
                  <property name="arguments">
                      <value>DefaultSitePipeline</value>
                  </property>
              </bean>
          </property>
          <property name="targetMethod" value="addInitializationValve"/>
          <property name="arguments">
              <ref bean="httpsSchemeValve" />
          </property>
     </bean>

 

Note above the init-method and destroy-method are optional and in most cases not needed.

Field Summary

Fields

Modifier and Type	Field and Description
protected javax.jcr.Credentials	configReaderCredentials
static String	HTTP_SCHEME
static String	HTTPS_SCHEME
protected static org.slf4j.Logger	log
protected int	redirectStatusCode
protected javax.jcr.Repository	repository

Constructor Summary

Constructors

Constructor and Description
AbstractHttpsSchemeValve()

Method Summary

Modifier and Type	Method and Description
protected javax.jcr.Session	getHstConfigSession() Returns the config user Session which in general has read-access to most parts of the repository.
protected int	getRedirectStatusCode()
protected String	getScheme(javax.servlet.http.HttpServletRequest request)
void	invoke(ValveContext context) this valve might do a client side redirect status code getRedirectStatusCode().
protected boolean	isSchemeHttps(javax.servlet.http.HttpServletRequest request)
abstract boolean	requiresHttps(ValveContext context) Implementations of this AbstractHttpsSchemeValve should decide in this method whether the request ValveContext.getServletRequest() is required to be served over https, Whether the request in the end will actually be served over https also depends on other variables, see the javadoc from invoke(ValveContext)
void	setConfigReaderCredentials(javax.jcr.Credentials configReaderCredentials)
void	setRedirectStatusCode(int redirectStatusCode)
void	setRepository(javax.jcr.Repository repository)

Methods inherited from class org.hippoecm.hst.container.valves.AbstractOrderableValve

getAfterValves, getBeforeValves, getValveName, setAfterValves, setBeforeValves, setValveName

Methods inherited from class org.hippoecm.hst.container.valves.AbstractValve

destroy, initialize

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.hippoecm.hst.core.container.Valve

destroy, initialize

Field Detail

log

protected static final org.slf4j.Logger log

HTTPS_SCHEME

public static final String HTTPS_SCHEME

See Also:

Constant Field Values

HTTP_SCHEME

public static final String HTTP_SCHEME

See Also:

Constant Field Values

repository

protected javax.jcr.Repository repository

configReaderCredentials

protected javax.jcr.Credentials configReaderCredentials

redirectStatusCode

protected int redirectStatusCode

Constructor Detail

AbstractHttpsSchemeValve

public AbstractHttpsSchemeValve()

Method Detail

setRedirectStatusCode

public void setRedirectStatusCode(int redirectStatusCode)

Parameters:

redirectStatusCode - setter should only be invoked during Spring bean construction

setRepository

public void setRepository(javax.jcr.Repository repository)

Parameters:

repository - setter should only be invoked during Spring bean construction

setConfigReaderCredentials

public void setConfigReaderCredentials(javax.jcr.Credentials configReaderCredentials)

Parameters:

configReaderCredentials - setter should only be invoked during Spring bean construction

requiresHttps

public abstract boolean requiresHttps(ValveContext context)

Implementations of this AbstractHttpsSchemeValve should decide in this method whether the request ValveContext.getServletRequest() is required to be served over https, Whether the request in the end will actually be served over https also depends on other variables, see the javadoc from invoke(ValveContext)

Example 1: Assume you want documents of (sub)type myproject:form to be served over https, you can achieve this as follows:

        try {
            final HippoBean contentBean = context.getRequestContext().getContentBean();
            if (contentBean != null && contentBean.getNode().isNodeType("myproject:form")) {
              return true;
            }
            return false;
        } catch (RepositoryException e) {
            throw new RuntimeRepositoryException(e);
        }
     

Example 2: Assume you want documents with mixin myproject:secure to be served over https, you can achieve this exactly the same as the code above. The myproject:secure can be added to prototype documents in the CMS to easily have by default some document marked to be secure

Example 3: Assume you want to read some configuration from some node below /hippo:configuration, and depending on some regexp matching the current pathInfo to redirect or not

         Session configSession = getHstConfigSession();
         try {
             String regexp = configSession.getNode("/hippo:configuration/redirects/regexp").getProperty("matches").getString();
             return context.getServletRequest().getPathInfo().matches(regexp);
         } catch (PathNotFoundException e) {
         } catch (ValueFormatException e) {
         } catch (RepositoryException e) {
         } finally {
             configSession.logout();
         }
         return false;
     

Example 4: Assume you want to redirect any content bean that contains any form. Assume your form is a compound with bean MyForm and in your base bean you have public MyForm getForm() that returns null in case there is no form.

          try {
              final HippoBean contentBean = context.getRequestContext().getContentBean();
              if (contentBean == null || !(contentBean instanceof MyBaseBean)) {
               return false;
              }
              return ((MyBaseBean)contentBean).getForm() != null;
              } catch (RepositoryException e) {
                  throw new RuntimeRepositoryException(e);
              }
      

Example 5: Assume you want to redirect any content bean that contains some boolean field (clickable in the cms document editor) that marks it to be secure. Assume you expose this property through MyBaseBean#isSecure();

          try {
              final HippoBean contentBean = context.getRequestContext().getContentBean();
              if (contentBean == null || !(contentBean instanceof MyBaseBean)) {
               return false;
              }
              return ((MyBaseBean)contentBean).isSecure();
              } catch (RepositoryException e) {
                  throw new RuntimeRepositoryException(e);
              }
      

Note that this method only gets conditionally invoked: For example if the request is already over https there is no pointing in checking this method. Same goes in case the request is for example a cms request. See invoke(ValveContext) javadoc for more.

Returns:

true when the request should be secure

invoke

public void invoke(ValveContext context)
            throws ContainerException

this valve might do a client side redirect status code getRedirectStatusCode(). The redirect will be to the same URL as for the current request, only with scheme https instead. A redirect is done only if:

1. The request is not a HstRequestContext.isCmsRequest() : For cms requests no redirect is done as the scheme of the cms host is used to piggyback on.
2. The ResolvedSiteMapItem is not null and not HstSiteMapItem.isSchemeAgnostic()
3. The ResolvedSiteMapItem is null and ResolvedMount is not Mount.isSchemeAgnostic()
4. requiresHttps(ValveContext) returns true

In case a redirect is done, processing valves are short-circuited and the cleanup valves are invoked directly after this valve.

that the custom to be implemented requiresHttps(ValveContext) is not always invoked. requiresHttps(ValveContext) is for example skipped when the request is already over https, or when the mount/sitemapitem is marked to be scheme agnostic, or when the request is a cms request,

Note 2: This valve requires that the matched host has 'https approved = true'. This can be achieved by setting the property hst:customhttpssupport = true on the matching hst:virtualhost or one of its ancestors.

Specified by:

invoke in interface Valve

Specified by:

invoke in class AbstractValve

Throws:

ContainerException

getRedirectStatusCode

protected int getRedirectStatusCode()

Returns:

the response status code to use in case of a redirect. Default value is HttpServletResponse.SC_MOVED_PERMANENTLY

isSchemeHttps

protected boolean isSchemeHttps(javax.servlet.http.HttpServletRequest request)

Returns:

true when the request scheme from the original host information requested by the client is equals to 'https'

getScheme

protected String getScheme(javax.servlet.http.HttpServletRequest request)

Returns:

the request scheme from the original host information requested by the client

getHstConfigSession

protected javax.jcr.Session getHstConfigSession()

Returns the config user Session which in general has read-access to most parts of the repository. This Session might be useful if you need to for example read some jcr node below say '/hippo:configuration' where in general the preview and live jcr session users do not have read access.

Note make sure that after you are finished with this Session you invoke Session.logout()

Returns:

the Session for the config user

Throws:

javax.jcr.RepositoryException - is login or some other repository exception happens

IllegalStateException - if not repository or configReaderCredentials are set