Add assertSecureRequest() call which checks for POST and SSL at once, since they should always be used together.

planetlevel · planetlevel · commit df4a4bb5f6e2 · 2008-05-10T02:53:24.000Z
diff --git a/src/org/owasp/esapi/Authenticator.java b/src/org/owasp/esapi/Authenticator.java
@@ -34,6 +34,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.owasp.esapi.errors.AccessControlException;
 import org.owasp.esapi.errors.AuthenticationAccountsException;
 import org.owasp.esapi.errors.AuthenticationCredentialsException;
 import org.owasp.esapi.errors.AuthenticationException;
@@ -631,9 +632,11 @@ public IUser login(HttpServletRequest request, HttpServletResponse response) thr
         // set last host address
         user.setLastHostAddress( request.getRemoteHost() );
         
-        // warn if this authentication request came over a non-SSL connection, exposing credentials or session id
-        if ( !ESAPI.httpUtilities().isSecureChannel() ) {
-            new AuthenticationCredentialsException( "Session or credentials exposed", "Authentication attempt made over non-SSL connection. Check web.xml and server configuration. User: " + user.getAccountName() );
+        // warn if this authentication request was not POST or non-SSL connection, exposing credentials or session id
+        try {
+        	ESAPI.httpUtilities().assertSecureRequest();
+        } catch( AccessControlException e ) {
+        	throw new AuthenticationException( "Attempt to login with an insecure request", e.getLogMessage(), e );
         }
                 
         // don't let anonymous user log in
diff --git a/src/org/owasp/esapi/interfaces/IHTTPUtilities.java b/src/org/owasp/esapi/interfaces/IHTTPUtilities.java
@@ -44,6 +44,17 @@
  */
 public interface IHTTPUtilities {
 
+	
+	/**
+	 * Ensures that the current request uses SSL and POST to protect any sensitive parameters
+	 * in the querystring from being sniffed or logged. For example, this method should
+	 * be called from any method that uses sensitive data from a web form.
+	 * @param requiredMethod
+	 * @throws AccessControlException
+	 */
+	void assertSecureRequest() throws AccessControlException;
+
+    
     /**
      * Adds the current user's CSRF token (see User.getCSRFToken()) to the URL for purposes of preventing CSRF attacks.
      * This method should be used on all URLs to be put into all links and forms the application generates.
@@ -174,18 +185,6 @@ public interface IHTTPUtilities {
      */
     Map decryptStateFromCookie() throws EncryptionException ;
 
-    /**
-     * Returns true if the request and response are using an SSL-enabled connection. This check should be made on
-     * every request from the login page through the logout confirmation page. Essentially, any page that uses the
-     * Authenticator.login() call should call this. Implementers should consider calling this method directly in
-     * their Authenticator.login() method. If this method returns true for a page that requires SSL, there must be a
-     * misconfiguration, an AuthenticationException is warranted. 
-     * 
-     * @param request
-     * @return
-     */
-    boolean isSecureChannel();
-
     /**
      * Kill all cookies received in the last request from the browser. Note that new cookies set by the application in
      * this response may not be killed by this method.
diff --git a/test/testresources/multipart.txt b/test/testresources/multipart.txt
