Https redirect and login cookies on Heroku with Play Framework


Problem description


I have a Play! framework Heroku project that has three deployments. One for running my dev machine, one for beta on Heroku, and one for production on Heroku. Their http and https urls are as follows:

             DEV                     BETA                                 PRODUCTION    
HTTP URL   | http://localhost:9000   http://domain-beta.herokuapps.com    http://www.domain.com
HTTPS URL  | https://localhost:9443  https://domain-beta.herokuapps.com   https://secure.domain.com
HTTPS Type | My cert                 Piggyback (using Heroku's cert)      Hostname-based SSL (using my cert)

I also have a class HttpsRequired that has methods for requiring HTTPS, and for redirecting back to HTTP (thanks to this post for the help).

import play.Play;
import play.mvc.Before;
import play.mvc.Controller;
import play.mvc.Util;

public class HttpsRequired extends Controller {
    /** Called before every request to ensure that HTTPS is used. */
    @Before
    public static void redirectToHttps() {
        //if it's not secure, but Heroku has already done the SSL processing then it might actually be secure after all
        //(Heroku's router terminates TLS and reports the original scheme in the x-forwarded-proto header)
        if (!request.secure && request.headers.get("x-forwarded-proto") != null) {
            request.secure = request.headers.get("x-forwarded-proto").values.contains("https");
        }

        //redirect if it's not secure
        if (!request.secure) {
            String url = redirectHostHttps() + request.url;
            System.out.println("Redirecting to secure: " + url);
            redirect(url);
        }
    }

    /** Renames the host to be https://, handles both Heroku and local testing. */
    @Util
    public static String redirectHostHttps() {
        if (Play.id.equals("dev")) {
            String[] pieces = request.host.split(":");
            String httpsPort = (String) Play.configuration.get("https.port");
            return "https://" + pieces[0] + ":" + httpsPort;
        } else {
            if (request.host.endsWith("domain.com")) {
                return "https://secure.domain.com";
            } else {
                return "https://" + request.host;
            }
        }
    }

    /** Renames the host to be http://, handles both Heroku and local testing. */
    @Util
    public static String redirectHostNotHttps() {
        if (Play.id.equals("dev")) {
            String[] pieces = request.host.split(":");
            String httpPort = (String) Play.configuration.get("http.port");
            return "http://" + pieces[0] + ":" + httpPort;
        } else {
            if (request.host.endsWith("domain.com")) {
                return "http://www.domain.com";
            } else {
                return "http://" + request.host;
            }
        }
    }
}

I modified Secure.login() to call HttpsRequired.redirectToHttps() before it runs, to ensure that all passwords are submitted encrypted. Then, in my Security.onAuthenticated(), I redirect to the homepage on standard HTTP.

This works great on my dev and beta deployments, but in production all of my HTTP requests are redirected to the HTTPS login page. I can still use the whole site in HTTPS, but I want regular HTTP to work too.

All of my pages are protected as members-only and require users to login, using the @With(Secure.class) annotation. I'm thinking that it must be related to the fact that the login happens at secure.domain.com instead of www.domain.com, and that they somehow generate different cookies.

Is there a way to change the login cookie created at secure.domain.com to make it work at www.domain.com?

Solution

Check out the documentation for the setting for default cookie domain.

http://www.playframework.org/documentation/1.2.4/configuration#application.defaultCookieDomain

It explains how you can set a cookie to work across all subdomains.

application.defaultCookieDomain

Enables session/cookie sharing between subdomains. For example, to make cookies valid for all domains ending with ‘.example.com’, e.g. foo.example.com and bar.example.com:

application.defaultCookieDomain=.example.com
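To see why the host-only session cookie from secure.domain.com never reaches www.domain.com, and why widening it with application.defaultCookieDomain does, here is an added simulation of the RFC 6265 domain-matching rules a browser applies (illustration code written for this page, not Play Framework's own implementation; the hostnames are the ones from the question, and the cookie name PLAY_SESSION is assumed).

```python
"""Simulate RFC 6265 cookie scoping for the secure.domain.com / www.domain.com split."""
from dataclasses import dataclass
from typing import Optional


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain when equal or a dot-separated suffix."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


@dataclass
class Cookie:
    name: str
    domain: str       # effective domain, stored without the leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def set_cookie(request_host: str, name: str, domain_attr: Optional[str]) -> Optional[Cookie]:
    """Store a cookie as a browser would. No Domain attribute -> host-only cookie.
    With Domain, the attribute must domain-match the setting host or the cookie is dropped."""
    if domain_attr is None:
        return Cookie(name, request_host.lower(), host_only=True)
    domain = domain_attr.lower().lstrip(".")   # browsers ignore a leading dot (RFC 6265 5.2.3)
    if not domain_matches(request_host, domain):
        return None  # e.g. secure.domain.com cannot set a cookie scoped to herokuapps.com
    return Cookie(name, domain, host_only=False)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def demo() -> dict:
    # Before the fix: login on secure.domain.com sets the session cookie with no Domain.
    before = set_cookie("secure.domain.com", "PLAY_SESSION", None)
    # After application.defaultCookieDomain=.domain.com: same cookie, Domain=.domain.com.
    after = set_cookie("secure.domain.com", "PLAY_SESSION", ".domain.com")
    # A Domain that does not cover the setting host is rejected outright.
    rejected = set_cookie("secure.domain.com", "PLAY_SESSION", ".herokuapps.com")
    return {
        "before_www": sent_to(before, "www.domain.com"),          # False: host-only, stays on secure.
        "before_secure": sent_to(before, "secure.domain.com"),    # True
        "after_www": sent_to(after, "www.domain.com"),            # True: what the answer achieves
        "after_beta": sent_to(after, "domain-beta.herokuapps.com"),  # False: different site
        "after_any_sub": sent_to(after, "anything.domain.com"),   # True: now shared with every subdomain
        "rejected": rejected is None,
    }
```

The after_any_sub result is the trade-off of the fix: once the Domain is widened, the session cookie is presented to every host under domain.com, including the plain-HTTP www host, so its scope is only as narrow as the set of subdomains you control.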
