• Home
• com.stormpath.sdk
• stormpath-sdk-servlet
• 2.0.4-okta
• source code
• IsRequestSecureResolver.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.stormpath.sdk.servlet.config.IsRequestSecureResolver Maven / Gradle / Ivy

/*
 * Copyright 2016 Stormpath, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.stormpath.sdk.servlet.config;

import com.stormpath.sdk.lang.Assert;
import com.stormpath.sdk.servlet.http.Resolver;
import com.stormpath.sdk.servlet.util.SecureRequiredExceptForLocalhostResolver;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * A Resolver that will determine if the request is secure or not.
 *
 * 
It will decide so based on either criteria: 1) if the current request is HTTPS or if 2) the request
 * contains an X-Forwarded-Proto header whose value equals HTTPS.
 * 
This solves https://github.com/stormpath/stormpath-sdk-java/issues/139: support X-Forwarded-Proto HTTP header
 * if SSL termination is offloaded to dedicated hardware.
 *
 * @see SecureRequiredExceptForLocalhostResolver
 * @see SecureForwardedProtoAwareResolver
 *
 * @since 1.1.0
 */
public class IsRequestSecureResolver implements Resolver {

    private final Resolver secureRequiredExceptForLocalhostResolver;
    private final Resolver secureForwardedProtoAwareResolver;
    private static final String HTTPS = "https";

    public IsRequestSecureResolver(Resolver secureRequiredExceptForLocalhostResolver, Resolver secureForwardedProtoAwareResolver) {
        Assert.notNull(secureRequiredExceptForLocalhostResolver, "secureRequiredExceptForLocalhostResolver resolver cannot be null.");
        Assert.notNull(secureForwardedProtoAwareResolver, "secureForwardedProtoAwareResolver resolver cannot be null.");
        this.secureRequiredExceptForLocalhostResolver = secureRequiredExceptForLocalhostResolver;
        this.secureForwardedProtoAwareResolver = secureForwardedProtoAwareResolver;
    }

    @Override
    public Boolean get(HttpServletRequest request, HttpServletResponse response) {
        if (HTTPS.equals(request.getScheme())) {
            return true; //the request is HTTPS
        }

        boolean result = secureRequiredExceptForLocalhostResolver.get(request, response); //is the request coming from localhost?
        if (!result) {
            //Fix for https://github.com/stormpath/stormpath-sdk-java/issues/139
            result = secureForwardedProtoAwareResolver.get(request, response); //does the request have a X-Forwarded-Proto header whose value is HTTPS?
        }
        return result;
    }
}