using plugin ssl_requirement: generate SSL link

fxn · March 13, 2020, 10:36pm

Yes, use the secure_actions plugin, which based on ssl_requirement:

http://agilewebdevelopment.com/plugins/secure_actions

With that plugin you can configure SSL per action, and is integrated with URL generation.

There's a couple of things to note about it. There's no API to configure an entire controller as secure. I solved that with this class method:

   # A controller makes this call to declare all their actions run behind SSL.
   # The call must be put at the bottom of the code, so that the public methods
   # are known and returned by public_instance_methods.
   def self.this_controller_only_responds_to_https
     include SecureActions
     require_ssl *self.public_instance_methods(false).map(&:to_sym)
   end

The other thing is that the plugin as of revision 14 expects explicit controllers and actions in your calls to url_for (via link_to or whatever). It looks up the pair in a table to figure out whether it needs to select "https" as protocol. The attached patch fixes that.

-- fxn

secure_actions.patch (948 Bytes)

fxn · March 14, 2020, 12:15am

I forgot a third detail.

Secure actions are declared with the class method require_ssl in controllers, so you need to load a controller to let the plugin know his secure actions, if any.

OK, you know automatic class loading is triggered by const_missing in Rails. Now let's suppose /public/index has a link to /account/login, when you start the server even in production mode the link in the home won't be secure until someone hits AccountController. And that argument extends to all the links in the site. The protocol in their generation needs to have the corresponding controller class loaded.

That's why I force class preloading in environment.rb (or production.rb if you prefer that file), like this towards the bottom of the file:

   if RAILS_ENV == 'production'
     USE_SSL = true
     # Trigger controller class loading to execute SSL-related
     # declarations, this way we have the correct links right away.
     require 'application'
     ActionController::Routing.possible_controllers.each do |c|
       # known to work without directories
       "#{c.camelize}Controller".constantize
     end
   end

-- fxn

11175 · March 14, 2020, 12:26am

I tried to force class loading at the end of my environemnt.rb file.

I got a nasty error: “A copy of AuthenticatedSystem has been removed
from the module tree but is still active!” whenever I try to access a
2nd page after I boot up webrick.

AuthenticatedSystem is from plugin acts_as_authenticated

Here's a blog post on the same error:
http://blog.railsconsulting.com/2007/2/25/streamlined-plugin-argumenterror

If I remove the class loading part from my env.rb file, things are fine.

Is there another way to force the class loading?

Thanks.
Yaxm.

Xavier Noria wrote:

fxn · March 14, 2020, 12:29am

That's strange, what happended if you used "require"? Where do you have that code? Which version of Rails is that?

-- fxn

11175 · March 14, 2020, 12:29am

I use rails 1.2.6.

I am using acts_as_authenticated plugin.

I place the constanize codes at the bottom of my environment.rb file.

this error only happens when I use 'require' instead of
'require_dependency'

ArgumentError (A copy of AuthenticatedSystem has been removed from the
module tree but is still active!):
/usr/lib/ruby/gems/1.8/gems/activesupport-1.4.4/lib/active_support/dependencies.rb:237:in
`load_missing_constant'
/usr/lib/ruby/gems/1.8/gems/activesupport-1.4.4/lib/active_support/dependencies.rb:452:in
`const_missing'

Xavier Noria wrote: