Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SHIRO-740] SslFilter with HTTP Strict Transport Security (HSTS) #55

Merged
merged 3 commits into from
Aug 21, 2020

Conversation

raupachz
Copy link
Contributor

Hi Brian,

we talked on the mailing list. For anyone not involved here is the summary.

HTTP Strict Transport Security (HSTS) would be a nice addition for all the SSL only sites out there. I think in recent years more and more pages have gone full SSL, with good reasons to do so. It is a bit problematic with SslFilter since this one is path based. If you go HSTS then everything on the site uses https. This might break thinks if you have a path with ssl and one without. You can do that with shiro but not with HSTS.

Some words on the implementation, I am not sure on some things.

I have never used EasyMock before. The test cases in SslFilterTest run fine, but maybe I did it very overcomplicated.

Is postHandle invoked even if isAccessAllowed returns false? The user agent has to ignore the HTTP header if it is send over HTTP, but I would prefer to send it only over HTTPS. So isAccessAllowed needs to return true. I could move the logic to isAccessAllowed, but it looked like the wrong place.

@bdemers
Copy link
Member

bdemers commented Jan 16, 2017

Yeah, you would need to use preHandle() Take a look at AdviceFilter.doFilterInternal().

Though on this topic the filter actually executing is still based on the order filters are defined, and applied to paths.

[urls]
/** = ssl
/foobar = ssl
/barfoo = authc
/abcxyz = authc, ssl

in the example above the path /barfoo does NOT execute the ssl filter, and /abcxyz executes the authc filter before the ssl one. I had a similar problem when working on the Stormpath Shiro integration, and used a ShiroPrioritizedFilterChainResolver which is configured with a set of filters that will execute before any path filters. So in this case, it would probably look something like:

[main]
# enable hsts
ssl.hsts.enabled = true

# All paths go through ssl filter
priorityFilter.filters = ssl

[urls]
/** = authc

That said, this is not part of Shiro at the moment, and I think this pull request can be completed independent of this, but it may help both with your other question:

The issue with the path configuration of the ssl filter and path, does seem odd, but I think this solution makes it easier to configure and explain/configure. I'd love to hear other thoughts on this though.

@fpapon fpapon requested review from fpapon and bdemers October 21, 2019 07:44
@fpapon
Copy link
Member

fpapon commented Oct 21, 2019

@bdemers I would like to add this PR to the next release.
I also like the ShiroPrioritizedFilterChainResolver from Stormpath that you mentioned. Any chance to add this in Shiro?

@asf-ci
Copy link
Contributor

asf-ci commented Oct 21, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Shiro-pr/163/

@bdemers
Copy link
Member

bdemers commented Oct 21, 2019

@fpapon
Sure, I can add that!

@fpapon fpapon changed the title SslFilter with HTTP Strict Transport Security (HSTS) [SHIRO-740] SslFilter with HTTP Strict Transport Security (HSTS) Feb 1, 2020
@fpapon
Copy link
Member

fpapon commented May 29, 2020

@bdemers can I create a Jira for adding the ShiroPrioritizedFilterChainResolver?

@bdemers
Copy link
Member

bdemers commented May 29, 2020

Please do! sorry I lost track of this one. I'm going to block out some time in the next week or so to focus on Shiro :)

@fpapon
Copy link
Member

fpapon commented May 29, 2020

Please do! sorry I lost track of this one. I'm going to block out some time in the next week or so to focus on Shiro :)

done: https://issues.apache.org/jira/browse/SHIRO-779

Copy link
Member

@fpapon fpapon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fpapon
Copy link
Member

fpapon commented Jul 22, 2020

@bdemers can you review please?

Copy link
Member

@bdemers bdemers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1
We should probably add this to 1.6 too

We will need to add doc after we cut a release too, I'm assuming the ini config would look something like:

ssl.hsts.enabled = true
ssl.hsts.includeSubDomains =true

@fpapon
Copy link
Member

fpapon commented Jul 22, 2020

+1
We should probably add this to 1.6 too

We will need to add doc after we cut a release too, I'm assuming the ini config would look something like:

ssl.hsts.enabled = true
ssl.hsts.includeSubDomains =true

Agree for the doc.
I will add a 1.6 version on Jira and tag the issue to this version. We will just have to cherry-pick the commit.

@bmarwell
Copy link
Contributor

retest this please

@fpapon fpapon merged commit 4aa4e3e into apache:master Aug 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants