Force all console pages to SSL.

currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/AuthenticatedConsoleServlet.java

@@ -0,0 +1,56 @@
+package com.lanternsoftware.currentmonitor.servlet.console;
+
+import com.lanternsoftware.currentmonitor.context.Globals;
+import com.lanternsoftware.util.CollectionUtils;
+import com.lanternsoftware.util.NullUtils;
+import com.lanternsoftware.util.dao.DaoSerializer;
+import com.lanternsoftware.util.dao.auth.AuthCode;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public abstract class AuthenticatedConsoleServlet extends SecureConsoleServlet {
+	@Override
+	protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
+		AuthCode code = getAuthCode(_req, _rep);
+		if (code != null)
+			get(code, _req, _rep);
+	}
+
+	protected void get(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
+	}
+
+	@Override
+	protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
+		AuthCode code = getAuthCode(_req, _rep);
+		if (code != null)
+			post(code, _req, _rep);
+	}
+
+	private AuthCode getAuthCode(HttpServletRequest _req, HttpServletResponse _rep) {
+		String sRequestURL = _req.getRequestURL().toString();
+		String sURL = sRequestURL.replaceFirst("http://", "https://");
+		if (!sURL.equals(sRequestURL)) {
+			String sQuery = _req.getQueryString();
+			if (NullUtils.isNotEmpty(sQuery))
+				sURL += "?" + sQuery;
+			redirect(_rep, sURL);
+			return null;
+		}
+		AuthCode authCode = Globals.dao.decryptAuthCode(DaoSerializer.toString(_req.getSession().getAttribute("auth_code")));
+		if (authCode == null) {
+			Cookie authCookie = CollectionUtils.filterOne(CollectionUtils.asArrayList(_req.getCookies()), _c-> NullUtils.isEqual(_c.getName(), "auth_code"));
+			if (authCookie != null)
+				authCode = Globals.dao.decryptAuthCode(authCookie.getValue());
+		}
+		if (authCode == null) {
+			redirect(_rep, _req.getContextPath() + "/login");
+			return null;
+		}
+		return authCode;
+	}
+
+	protected void post(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
+	}
+}

currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ConsoleServlet.java

@@ -9,7 +9,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 @WebServlet("")
-public class ConsoleServlet extends SecureConsoleServlet {
+public class ConsoleServlet extends AuthenticatedConsoleServlet {
 	private static final Logger logger = LoggerFactory.getLogger(ConsoleServlet.class);
 
 	@Override

currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ExportServlet.java

@@ -40,7 +40,7 @@ import java.util.zip.ZipInputStream;
 import java.util.zip.ZipOutputStream;
 
 @WebServlet("/export/*")
-public class ExportServlet extends SecureConsoleServlet {
+public class ExportServlet extends AuthenticatedConsoleServlet {
 	private static final Logger logger = LoggerFactory.getLogger(ExportServlet.class);
 
 	@Override

currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/GsoServlet.java

@@ -1,6 +1,5 @@
 package com.lanternsoftware.currentmonitor.servlet.console;
 
-import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
 import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
 import com.lanternsoftware.util.NullUtils;
 
@@ -10,14 +9,14 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 @WebServlet("/gso")
-public class GsoServlet extends FreemarkerCMServlet {
+public class GsoServlet extends SecureConsoleServlet {
 	@Override
-	protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
+	protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
 		render(_rep, "login.ftl", model(_req));
 	}
 
 	@Override
-	protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
+	protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
 		String code = getRequestPayloadAsString(_req);
 		if (NullUtils.isNotEmpty(code)) {
 			String authCode = GoogleAuthHelper.signin(code, null);

currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LoginServlet.java

@@ -1,31 +1,22 @@
 package com.lanternsoftware.currentmonitor.servlet.console;
 
 import com.lanternsoftware.currentmonitor.context.Globals;
-import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
-import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
-import com.lanternsoftware.util.DateUtils;
 import com.lanternsoftware.util.NullUtils;
-import com.lanternsoftware.util.dao.DaoEntity;
-import com.lanternsoftware.util.dao.DaoSerializer;
-import com.lanternsoftware.util.dao.auth.AuthCode;
-import com.lanternsoftware.util.servlet.LanternServlet;
 
-import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
 
 @WebServlet("/login")
-public class LoginServlet extends FreemarkerCMServlet {
+public class LoginServlet extends SecureConsoleServlet {
 	@Override
-	protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
+	protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
 		render(_rep, "login.ftl", model(_req));
 	}
 
 	@Override
-	protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
+	protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
 		String username = _req.getParameter("username");
 		String password = _req.getParameter("password");
 		String authCode = Globals.dao.authenticateAccount(username, password);

currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LogoutServlet.java

@@ -1,18 +1,14 @@
 package com.lanternsoftware.currentmonitor.servlet.console;
 
-import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
-import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
-import com.lanternsoftware.util.NullUtils;
-
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 @WebServlet("/logout")
-public class LogoutServlet extends FreemarkerCMServlet {
+public class LogoutServlet extends AuthenticatedConsoleServlet {
 	@Override
-	protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
+	protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
 		_req.getSession().removeAttribute("auth_code");
 		Cookie authCookie = new Cookie("auth_code", "");
 		authCookie.setMaxAge(0);
@@ -22,6 +18,6 @@ public class LogoutServlet extends FreemarkerCMServlet {
 	}
 
 	@Override
-	protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
+	protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
 	}
 }

currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/SecureConsoleServlet.java

@@ -1,48 +1,40 @@
 package com.lanternsoftware.currentmonitor.servlet.console;
 
-import com.lanternsoftware.currentmonitor.context.Globals;
 import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
-import com.lanternsoftware.util.CollectionUtils;
 import com.lanternsoftware.util.NullUtils;
-import com.lanternsoftware.util.dao.DaoSerializer;
-import com.lanternsoftware.util.dao.auth.AuthCode;
 
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 public abstract class SecureConsoleServlet extends FreemarkerCMServlet {
 	@Override
 	protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
-		AuthCode code = getAuthCode(_req, _rep);
-		if (code != null)
-			get(code, _req, _rep);
+		if (isSecure(_req, _rep))
+			get(_req, _rep);
 	}
 
-	protected void get(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
+	protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
 	}
 
 	@Override
 	protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
-		AuthCode code = getAuthCode(_req, _rep);
-		if (code != null)
-			post(code, _req, _rep);
+		if (isSecure(_req, _rep))
+			post(_req, _rep);
 	}
 
-	private AuthCode getAuthCode(HttpServletRequest _req, HttpServletResponse _rep) {
-		AuthCode authCode = Globals.dao.decryptAuthCode(DaoSerializer.toString(_req.getSession().getAttribute("auth_code")));
-		if (authCode == null) {
-			Cookie authCookie = CollectionUtils.filterOne(CollectionUtils.asArrayList(_req.getCookies()), _c-> NullUtils.isEqual(_c.getName(), "auth_code"));
-			if (authCookie != null)
-				authCode = Globals.dao.decryptAuthCode(authCookie.getValue());
-		}
-		if (authCode == null) {
-			redirect(_rep, _req.getContextPath() + "/login");
-			return null;
-		}
-		return authCode;
+	protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
 	}
 
-	protected void post(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
+	private boolean isSecure(HttpServletRequest _req, HttpServletResponse _rep) {
+		String sRequestURL = _req.getRequestURL().toString();
+		String sURL = sRequestURL.replaceFirst("http://", "https://");
+		if (!sURL.equals(sRequestURL)) {
+			String sQuery = _req.getQueryString();
+			if (NullUtils.isNotEmpty(sQuery))
+				sURL += "?" + sQuery;
+			redirect(_rep, sURL);
+			return false;
+		}
+		return true;
 	}
 }