ColdBox SSL Interceptor 2 - SSL for specific events only!

Luis Majano blogged about my SSL interceptor today (thanks Luis for keep on building ColdBox!). Rob Gonda wrote a comment: How does it know which event has to be secured? Thanks Rob, you're right, didn't think about that. My webapp (OrgChartLive on always uses SSL. Incase you need SSL for specific's the code:

STEP 1 ColdBox.xml.cfm

SSL for SPECIFIC events:

        <Interceptor class="{YOUR APP NAME HERE}.interceptors.ssl">
            <Property name="isSSLCheck">true</Property>
            <Property name="sslEventList">user.dspUser,user.dspEditUser,general.*</Property>


SSL for ALL events:

        <Interceptor class="{YOUR APP NAME HERE}.interceptors.ssl">
            <Property name="isSSLCheck">true</Property>
            <Property name="sslEventList">*</Property>

STEP 2 ssl.cfc

<cfcomponent name="ssl" output="false" extends="coldbox.system.interceptor">

    <cffunction name="preEvent" access="public" returntype="void" output="false" >
        <cfargument name="event" required="true" type="coldbox.system.beans.requestContext">
        <!--- SSL check? --->
        <cfif getProperty('isSSLCheck')>
            <cfset sslCheck(arguments.event)>

    <cffunction name="sslCheck" access="public" returntype="void" output="false" >
        <cfargument name="event" required="true" type="coldbox.system.beans.requestContext">
         <!--- http or https? --->
        <cfif not isSSL() and isSSLRequired(arguments.event)>
            <!--- redirect with SSL (any post data is lost) --->
            <cflocation url="https://#cgi.server_name##cgi.script_name#?#cgi.query_string#" addtoken="no">
        <cfelseif isSSL() and not isSSLRequired(arguments.event)>
            <!--- redirect without SSL (any post data is lost) --->
            <cflocation url="http://#cgi.server_name##cgi.script_name#?#cgi.query_string#" addtoken="no">

    <cffunction name="isSSL" access="public" returntype="boolean">
        <cfset var isSSL = false>
        <!--- SSL Connection? --->
        <cfif isBoolean(cgi.server_port_secure) and cgi.server_port_secure>
            <cfset isSSL = true>
        <cfreturn isSSL>
    <cffunction name="isSSLRequired" access="public" returntype="boolean" output="false">
        <cfargument name="event" required="true" type="coldbox.system.beans.requestContext">
        <cfset var isSSLRequired = false>
         <cfset var currentEvent = LCASE( arguments.event.getCurrentEvent() )>
         <cfset var currentHandler = LCASE( arguments.event.getCurrentHandler() )>
        <cfset var sslEventList = LCASE( getProperty('sslEventList') )>
        <!--- SSL Required for current event? --->
        <cfif sslEventList eq "*" or ListFind(sslEventList,currentEvent) or ListFind(sslEventList,"#currentHandler#.*")>
            <cfset isSSLRequired = true>
        <cfreturn isSSLRequired>

Comments (Comment Moderation is enabled. Your comment will not appear until approved.)
Sana's Gravatar ohhhhh man you are really rocking.... just as ColdBox rocks.

I was looking pretty fast reponse. I would suggest to use SES interceptor to improve your search engine friendly urls.
# Posted By Sana | 2/1/08 9:43 PM
Ernst van der Linden's Gravatar Sana, yip you're right, the SES interceptors rocks!
# Posted By Ernst van der Linden | 2/1/08 10:49 PM
Gabriel's Gravatar This doesn't work if you're using SES urls. I'm still playing around with it but it seems that on "preprocess", the SES interceptor has not yet done it's thing and so the "getCurrentEvent()" method is not returning the right event.

If I change "preProcess" to "preRender", the url redirected. Again, I'm still playing around with it but I wanted to bring it up.
# Posted By Gabriel | 3/6/09 3:05 AM
James Buckingham's Gravatar Thanks very much for this Ernst. This has been perfect for our current project :-)

I've added one thing to it though that I thought I'd share. If there is a way of doing this already then please let me know and I'll take my code out :-)

Basically its a whitelist property. So I can exclude specific events but have this run on all others. If I'm reading your article right, for me to do this right now I'd have to keep my SSLEventList updated with every event I need but not include the ones I don't. Is that right?

In my case I just wanted to exclude one - a Scribble handler so I could play with code outside of the main project.

The changes I've made to your code can be found here, with my example :-

Hope its of some help :-)

# Posted By James Buckingham | 11/3/10 3:01 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.004.