See docstrings for details. To use, add to MIDDLEWARE_CLASSES in settings.py, and in your views.py:
-
from path.to.this.middleware import secure -
Decorate SSL views with
@secure
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | from django.core.urlresolvers import resolve
from django.conf import settings
from django.http import HttpResponsePermanentRedirect
from django.contrib.sites.models import Site
import re
CURRENT_DOMAIN = Site.objects.get(id=settings.SITE_ID).domain
HREF_PATTERN = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
def secure(func):
""" Decorator for secure views. """
def _secure(*args, **kwargs):
return func(*args, **kwargs)
_secure.is_secure = True
_secure.__name__ = func.__name__
return _secure
class SSLMiddleware(object):
""" Redirects requests and rewrites URLs to correct HTTP/HTTPS protocol.
Based on use of @secure decorator above to specify HTTPS views.
The process_request method also intercepts insecure requests for secure
methods and vice-versa and returns a permanent HTTP redirect to the
correct URL.
The process_response method prepends the correct protocol and domain as
required to href attributes within HTML responses:
- If request is secure, all absolute URLs which resolve to non-@secure
views (or begin with MEDIA_URL) will be prepended with
http://<CURRENT_DOMAIN>
- If request is not secure, all URLs which resolve to @secure views will
be prepended with https://<CURRENT_DOMAIN>
- Relative URLs and fully-qualified URLs (anything that doesn't begin with
a forward slash) is left untouched.
"""
def _add_protocol(self, protocol, url):
return '%s://%s%s' % (protocol, CURRENT_DOMAIN, url)
def _resolves_to_secure_view(self, url):
try:
view_func, args, kwargs = resolve(url)
except:
return None
else:
return getattr(view_func, 'is_secure', False)
def _correct_protocol(self, request, url):
if request.is_secure():
if url.startswith(settings.MEDIA_URL):
if url.startswith('/'):
url = self._add_protocol('http', url)
elif url.startswith('/'):
if not self._resolves_to_secure_view(url):
url = self._add_protocol('http', url)
else:
if url.startswith('/'):
if self._resolves_to_secure_view(url):
url = self._add_protocol('https', url)
return url
def process_request(self, request):
""" Redirect request if protocol incorrect """
url = self._correct_protocol(request, request.path)
if url != request.path:
if request.method == 'GET':
return HttpResponsePermanentRedirect(url)
elif settings.DEBUG:
raise RuntimeError, 'Cannot redirect with POSTed data'
def process_response(self, request, response):
""" Correct protocols for all href attributes within HTML responses """
if response['Content-Type'].find('html') >= 0:
def rewrite_url(match):
url = match.groups()[0]
return 'href="%s"' % self._correct_protocol(request, url)
try:
decoded_content = response.content.decode('utf-8')
except UnicodeDecodeError:
decoded_content = response.content
response.content = \
HREF_PATTERN.sub(rewrite_url, decoded_content).encode('utf-8')
return response
|
More like this
- Add Toggle Switch Widget to Django Forms by OgliariNatan 1 month, 4 weeks ago
- get_object_or_none by azwdevops 5 months, 2 weeks ago
- Mask sensitive data from logger by agusmakmun 7 months, 2 weeks ago
- Template tag - list punctuation for a list of items by shapiromatron 1 year, 9 months ago
- JSONRequestMiddleware adds a .json() method to your HttpRequests by cdcarter 1 year, 9 months ago
Comments
Very nice, but I had a problem where the /admin/ application was being forced to (insecure) http: even where I entered https:
My solution was to revise the _ _correct__protocol routine:
#
Please login first before commenting.