Avoid setting header in dev mode
labkey-jeckels committed Dec 21, 2024
1 parent 619a82c commit ac202af
Showing 1 changed file with 38 additions and 36 deletions.
74 changes: 38 additions & 36 deletions api/src/org/labkey/api/security/AuthFilter.java
Expand Up @@ -125,49 +125,51 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
}
}

// No startup failure, so check for SSL redirection
boolean sslRequired = AppProps.getInstance().isSSLRequired();
if (!req.getScheme().equalsIgnoreCase("https") && sslRequired)
if (AppProps.getInstance().isSSLRequired())
{
// We can't redirect posts (we'll lose the post body), so return an error code
if ("post".equalsIgnoreCase(req.getMethod()))
// No startup failure, so check for SSL redirection
if (!req.getScheme().equalsIgnoreCase("https"))
{
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Can't POST to an http URL; POSTs to this server require https");
return;
}
// We can't redirect posts (we'll lose the post body), so return an error code
if ("post".equalsIgnoreCase(req.getMethod()))
{
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Can't POST to an http URL; POSTs to this server require https");
return;
}

StringBuffer originalURL = req.getRequestURL();
if (!StringUtils.isBlank(req.getQueryString()))
{
originalURL.append("?");
originalURL.append(req.getQueryString());
}
URL url = new URL(originalURL.toString());
int port = AppProps.getInstance().getSSLPort();
StringBuffer originalURL = req.getRequestURL();
if (!StringUtils.isBlank(req.getQueryString()))
{
originalURL.append("?");
originalURL.append(req.getQueryString());
}
URL url = new URL(originalURL.toString());
int port = AppProps.getInstance().getSSLPort();

// Check the SSL configuration if this is the first time doing an SSL redirect. Note: The redirect and check must
// happen before ensureFirstRequestHandled() so AppProps gets initialized with the SSL scheme & port. That means
// this check can't be handled in a FirstRequestListener.
if (!_sslChecked)
{
HttpsUtil.checkSslRedirectConfiguration(req, port);
_sslChecked = true;
}
// Check the SSL configuration if this is the first time doing an SSL redirect. Note: The redirect and check must
// happen before ensureFirstRequestHandled() so AppProps gets initialized with the SSL scheme & port. That means
// this check can't be handled in a FirstRequestListener.
if (!_sslChecked)
{
HttpsUtil.checkSslRedirectConfiguration(req, port);
_sslChecked = true;
}

if (port == 443)
if (port == 443)
{
port = -1;
}
url = new URL("https", url.getHost(), port, url.getFile());
// Use 301 redirect instead of a 302 to indicate it's a permanent move
resp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
resp.setHeader("Location", resp.encodeRedirectURL(url.toString()));
return;
}
else if (!AppProps.getInstance().isDevMode())
{
port = -1;
// Issue 51904: Strict-Transport-Security header when HTTPS is required
resp.setHeader("Strict-Transport-Security", "max-age=31536000");
}
url = new URL("https", url.getHost(), port, url.getFile());
// Use 301 redirect instead of a 302 to indicate it's a permanent move
resp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
resp.setHeader("Location", resp.encodeRedirectURL(url.toString()));
return;
}

if (sslRequired)
{
resp.setHeader("Strict-Transport-Security", "max-age=31536000");
}

// allow CSRFUtil early access to req/resp if it wants to write cookies
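Review bot: The new `else if (!AppProps.getInstance().isDevMode())` branch near the end of the hunk sends Strict-Transport-Security only for requests that already arrived over https and only outside dev mode, but neither condition is explained and `max-age=31536000` is a bare number. I would add, above the `// Issue 51904` line, `// Only meaningful over https (browsers ignore HSTS on non-TLS responses); skipped in dev mode so a local instance is not pinned to https for the whole max-age period`, and move the value to a named constant such as `private static final String HSTS_VALUE = "max-age=31536000"; // one year in seconds` so the duration is documented where it is defined. The three `AppProps.getInstance()` calls in this hunk (the outer `if`, the `getSSLPort()` line and the dev-mode `else if`) could share one local, `AppProps props = AppProps.getInstance();`, declared at the top of the outer `if`. doFilter starts before the hunk and continues past it.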
