mirror of
https://github.com/OrchardCMS/Orchard.git
synced 2026-02-09 09:16:41 +08:00
#5315: Adding new settings to configure SSL cookies
- Creating ISslSettingsProvider to define whether cookies can only be sent over SSL or not - Implementing DefaultSslSettingsProvider based on Sites.config and web.config making it configurable per tenant or for the whole site - Implementing SecureSocketsLayerSettingsProvider in Orchard.SecureSocketsLayerSettingsProvider Fixes 5315
This commit is contained in:
Sebastien Ros
@@ -282,5 +282,21 @@ namespace Orchard.Tests.Utility.Extensions {
|
|||||||
Assert.That("abc".Translate("d".ToCharArray(), "d".ToCharArray()), Is.StringMatching("abc"));
|
Assert.That("abc".Translate("d".ToCharArray(), "d".ToCharArray()), Is.StringMatching("abc"));
|
||||||
Assert.That("abc".Translate("abc".ToCharArray(), "def".ToCharArray()), Is.StringMatching("def"));
|
Assert.That("abc".Translate("abc".ToCharArray(), "def".ToCharArray()), Is.StringMatching("def"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[Test]
|
||||||
|
public void ShouldEncodeToBase64() {
|
||||||
|
Assert.That("abc".ToBase64(), Is.EqualTo("YWJj"));
|
||||||
|
}
|
||||||
|
|
||||||
|
[Test]
|
||||||
|
public void ShouldDecodeFromBase64() {
|
||||||
|
Assert.That("YWJj".FromBase64(), Is.EqualTo("abc"));
|
||||||
|
}
|
||||||
|
|
||||||
|
[Test]
|
||||||
|
public void ShouldRoundtripBase64() {
|
||||||
|
Assert.That("abc".ToBase64().FromBase64(), Is.EqualTo("abc"));
|
||||||
|
Assert.That("YWJj".FromBase64().ToBase64(), Is.EqualTo("YWJj"));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -90,6 +90,7 @@
|
|||||||
<Compile Include="Filters\SecureSocketsLayersFilter.cs" />
|
<Compile Include="Filters\SecureSocketsLayersFilter.cs" />
|
||||||
<Compile Include="Handlers\SslSettingsPartHandler.cs" />
|
<Compile Include="Handlers\SslSettingsPartHandler.cs" />
|
||||||
<Compile Include="Models\SslSettingsPart.cs" />
|
<Compile Include="Models\SslSettingsPart.cs" />
|
||||||
|
<Compile Include="Services\SecureSocketsLayerSettingsProvider.cs" />
|
||||||
<Compile Include="Services\ISecureSocketsLayerService.cs" />
|
<Compile Include="Services\ISecureSocketsLayerService.cs" />
|
||||||
<Compile Include="Services\SecureSocketsLayerService.cs" />
|
<Compile Include="Services\SecureSocketsLayerService.cs" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|||||||
@@ -0,0 +1,17 @@
|
|||||||
|
using Orchard.Environment.Extensions;
|
||||||
|
using Orchard.Security;
|
||||||
|
|
||||||
|
namespace Orchard.SecureSocketsLayer.Services {
|
||||||
|
[OrchardSuppressDependency("Orchard.Security.Providers.DefaultSslSettingsProvider")]
|
||||||
|
public class SecureSocketsLayerSettingsProvider : ISslSettingsProvider {
|
||||||
|
private readonly ISecureSocketsLayerService _secureSocketsLayerService;
|
||||||
|
|
||||||
|
public SecureSocketsLayerSettingsProvider(ISecureSocketsLayerService secureSocketsLayerService) {
|
||||||
|
_secureSocketsLayerService = secureSocketsLayerService;
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool GetRequiresSSL() {
|
||||||
|
return _secureSocketsLayerService.GetSettings().Enabled;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -148,6 +148,8 @@
|
|||||||
<Reference Include="System.Xml.Linq" />
|
<Reference Include="System.Xml.Linq" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
<Compile Include="Security\ISslSettingsProvider.cs" />
|
||||||
|
<Compile Include="Security\Providers\DefaultSslSettingsProvider.cs" />
|
||||||
<Compile Include="StaticHttpContextScope.cs" />
|
<Compile Include="StaticHttpContextScope.cs" />
|
||||||
<Compile Include="StaticHttpContextScopeFactory.cs" />
|
<Compile Include="StaticHttpContextScopeFactory.cs" />
|
||||||
<Compile Include="Caching\DefaultCacheContextAccessor.cs" />
|
<Compile Include="Caching\DefaultCacheContextAccessor.cs" />
|
||||||
|
|||||||
11
src/Orchard/Security/ISslSettingsProvider.cs
Normal file
11
src/Orchard/Security/ISslSettingsProvider.cs
Normal file
@@ -0,0 +1,11 @@
|
|||||||
|
using System;
|
||||||
|
|
||||||
|
namespace Orchard.Security {
|
||||||
|
public interface ISslSettingsProvider : IDependency {
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Gets whether authentication cookies should only be transmitted over SSL or not.
|
||||||
|
/// </summary>
|
||||||
|
bool GetRequiresSSL();
|
||||||
|
}
|
||||||
|
}
|
||||||
15
src/Orchard/Security/Providers/DefaultSslSettingsProvider.cs
Normal file
15
src/Orchard/Security/Providers/DefaultSslSettingsProvider.cs
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
using System.Web.Security;
|
||||||
|
|
||||||
|
namespace Orchard.Security.Providers {
|
||||||
|
public class DefaultSslSettingsProvider : ISslSettingsProvider {
|
||||||
|
public bool RequireSSL { get; set; }
|
||||||
|
|
||||||
|
public DefaultSslSettingsProvider() {
|
||||||
|
RequireSSL = FormsAuthentication.RequireSSL;
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool GetRequiresSSL() {
|
||||||
|
return RequireSSL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -3,25 +3,34 @@ using System.Web;
|
|||||||
using System.Web.Security;
|
using System.Web.Security;
|
||||||
using Orchard.Environment.Configuration;
|
using Orchard.Environment.Configuration;
|
||||||
using Orchard.Logging;
|
using Orchard.Logging;
|
||||||
using Orchard.ContentManagement;
|
|
||||||
using Orchard.Mvc;
|
using Orchard.Mvc;
|
||||||
using Orchard.Mvc.Extensions;
|
using Orchard.Mvc.Extensions;
|
||||||
using Orchard.Services;
|
using Orchard.Services;
|
||||||
|
using Orchard.Utility.Extensions;
|
||||||
|
|
||||||
namespace Orchard.Security.Providers {
|
namespace Orchard.Security.Providers {
|
||||||
public class FormsAuthenticationService : IAuthenticationService {
|
public class FormsAuthenticationService : IAuthenticationService {
|
||||||
|
private const int _version = 3;
|
||||||
|
|
||||||
private readonly ShellSettings _settings;
|
private readonly ShellSettings _settings;
|
||||||
private readonly IClock _clock;
|
private readonly IClock _clock;
|
||||||
private readonly IContentManager _contentManager;
|
private readonly IMembershipService _membershipService;
|
||||||
private readonly IHttpContextAccessor _httpContextAccessor;
|
private readonly IHttpContextAccessor _httpContextAccessor;
|
||||||
|
private readonly ISslSettingsProvider _sslSettingsProvider;
|
||||||
private IUser _signedInUser;
|
private IUser _signedInUser;
|
||||||
private bool _isAuthenticated;
|
private bool _isAuthenticated;
|
||||||
|
|
||||||
public FormsAuthenticationService(ShellSettings settings, IClock clock, IContentManager contentManager, IHttpContextAccessor httpContextAccessor) {
|
public FormsAuthenticationService(
|
||||||
|
ShellSettings settings,
|
||||||
|
IClock clock,
|
||||||
|
IMembershipService membershipService,
|
||||||
|
IHttpContextAccessor httpContextAccessor,
|
||||||
|
ISslSettingsProvider sslSettingsProvider) {
|
||||||
_settings = settings;
|
_settings = settings;
|
||||||
_clock = clock;
|
_clock = clock;
|
||||||
_contentManager = contentManager;
|
_membershipService = membershipService;
|
||||||
_httpContextAccessor = httpContextAccessor;
|
_httpContextAccessor = httpContextAccessor;
|
||||||
|
_sslSettingsProvider = sslSettingsProvider;
|
||||||
|
|
||||||
Logger = NullLogger.Instance;
|
Logger = NullLogger.Instance;
|
||||||
|
|
||||||
@@ -35,11 +44,12 @@ namespace Orchard.Security.Providers {
|
|||||||
public void SignIn(IUser user, bool createPersistentCookie) {
|
public void SignIn(IUser user, bool createPersistentCookie) {
|
||||||
var now = _clock.UtcNow.ToLocalTime();
|
var now = _clock.UtcNow.ToLocalTime();
|
||||||
|
|
||||||
// the cookie user data is {userId};{tenant}
|
// the cookie user data is {userName.Base64};{tenant}
|
||||||
var userData = String.Concat(Convert.ToString(user.Id), ";", _settings.Name);
|
// the username is encoded to base64 to prevent collisions with the ';' seprarator
|
||||||
|
var userData = String.Concat(Convert.ToString(user.UserName).ToBase64(), ";", _settings.Name);
|
||||||
|
|
||||||
var ticket = new FormsAuthenticationTicket(
|
var ticket = new FormsAuthenticationTicket(
|
||||||
1 /*version*/,
|
_version,
|
||||||
user.UserName,
|
user.UserName,
|
||||||
now,
|
now,
|
||||||
now.Add(ExpirationTimeSpan),
|
now.Add(ExpirationTimeSpan),
|
||||||
@@ -50,8 +60,8 @@ namespace Orchard.Security.Providers {
|
|||||||
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
|
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
|
||||||
|
|
||||||
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) {
|
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) {
|
||||||
HttpOnly = true,
|
HttpOnly = true, // can't retrieve the cookie from JavaScript
|
||||||
Secure = FormsAuthentication.RequireSSL,
|
Secure = _sslSettingsProvider.GetRequiresSSL(),
|
||||||
Path = FormsAuthentication.FormsCookiePath
|
Path = FormsAuthentication.FormsCookiePath
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -108,30 +118,37 @@ namespace Orchard.Security.Providers {
|
|||||||
}
|
}
|
||||||
|
|
||||||
var formsIdentity = (FormsIdentity)httpContext.User.Identity;
|
var formsIdentity = (FormsIdentity)httpContext.User.Identity;
|
||||||
|
|
||||||
|
// if the cookie is from a previous format, ignore
|
||||||
|
if (formsIdentity.Ticket.Version != _version) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
var userData = formsIdentity.Ticket.UserData ?? "";
|
var userData = formsIdentity.Ticket.UserData ?? "";
|
||||||
|
|
||||||
// the cookie user data is {userId};{tenant}
|
// the cookie user data is {userName};{tenant}
|
||||||
var userDataSegments = userData.Split(';');
|
var userDataSegments = userData.Split(';');
|
||||||
|
|
||||||
if (userDataSegments.Length < 2) {
|
if (userDataSegments.Length < 2) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
var userDataId = userDataSegments[0];
|
var userDataName = userDataSegments[0];
|
||||||
var userDataTenant = userDataSegments[1];
|
var userDataTenant = userDataSegments[1];
|
||||||
|
|
||||||
|
try {
|
||||||
|
userDataName = userDataName.FromBase64();
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
if (!String.Equals(userDataTenant, _settings.Name, StringComparison.Ordinal)) {
|
if (!String.Equals(userDataTenant, _settings.Name, StringComparison.Ordinal)) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
int userId;
|
|
||||||
if (!int.TryParse(userDataId, out userId)) {
|
|
||||||
Logger.Error("User id not a parsable integer");
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
|
|
||||||
_isAuthenticated = true;
|
_isAuthenticated = true;
|
||||||
return _signedInUser = _contentManager.Get(userId).As<IUser>();
|
return _signedInUser = _membershipService.GetUser(userDataName);
|
||||||
}
|
}
|
||||||
|
|
||||||
private string GetCookiePath(HttpContextBase httpContext) {
|
private string GetCookiePath(HttpContextBase httpContext) {
|
||||||
|
|||||||
@@ -348,5 +348,13 @@ namespace Orchard.Utility.Extensions {
|
|||||||
var pattern = String.Format("{0}", String.Join("|", replacements.Keys));
|
var pattern = String.Format("{0}", String.Join("|", replacements.Keys));
|
||||||
return Regex.Replace(original, pattern, match => replacements[match.Value]);
|
return Regex.Replace(original, pattern, match => replacements[match.Value]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static string ToBase64(this string value) {
|
||||||
|
return Convert.ToBase64String(Encoding.UTF8.GetBytes(value));
|
||||||
|
}
|
||||||
|
|
||||||
|
public static string FromBase64(this string value) {
|
||||||
|
return Encoding.UTF8.GetString(Convert.FromBase64String(value));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Reference in New Issue
Block a user