
Enforce SSL on Play! Framework

I'm currently using Play! 1.2.2 and its new Netty client framework.

I haven't found a straightforward method to enforce SSL, although I can get HTTP and HTTPS to serve asynchronously. Does anyone that's worked with Play! have a straightforward method of enforcing SSL? Not sure if I need to create redirects or if this can be solved quickly in a conf file.

crockpotveggies asked Aug 17 '11 20:08




2 Answers

There are a couple of ways to enforce SSL.

Firstly, you can set all your actions to use the .secure() method, for example:

    <a href="@{Application.index.secure()}">index page</a>

Alternatively, and probably the best way, is to do this via a frontend HTTP server, such as Apache, Nginx or Lighttpd.

The idea of the frontend HTTP server is that your application runs on port 9000, but is not accessible from the outside network. HTTP is responsible for all incoming requests, and is configured to only accept HTTPS. The HTTPS is handled by the HTTP server, and the request is then forwarded on to Play.

This leaves your entire Play application to work as normal, and the SSL is offloaded to another application.

This same method can be applied to a load balancer, rather than an HTTP server, but I am guessing the majority of people will go with the far cheaper alternative of an HTTP server, unless running in a corporate environment.

Codemwnci answered Oct 04 '22 02:10
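The frontend-server setup described in the answer above, as an added nginx example that is not part of the original answer. The host name example.com and the certificate paths are placeholders, and Play is assumed to listen on 127.0.0.1:9000.

```nginx
# Added example: nginx terminating TLS in front of a Play application.
# example.com and the certificate paths are placeholders.

# Plain HTTP is never proxied to Play; it is only redirected to HTTPS.
# The redirect target is the fixed server name, not the client's Host header.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

# HTTPS terminates here, then the request is forwarded to Play.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path

    # Ask browsers to keep using HTTPS for this host on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Play is reachable only on the loopback interface (assumption).
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For port 9000 to stay unreachable from the outside network, Play itself has to bind to loopback (in Play 1.x, `http.address=127.0.0.1` in application.conf) or the port has to be firewalled.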


In the controller you can check against request.secure and either do a redirect or return 403/access denied.

You can force SSL for a whole controller doing this:

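    public static class ForceSSL extends Controller {

        // Runs before every action of any controller annotated with @With(ForceSSL.class).
        @Before
        static void verifySSL()
        {
            // Plain HTTP request: redirect to the same host and URL over HTTPS.
            if (request.secure == false)
                redirect("https://" + request.host + request.url);
        }
    }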

... and annotate another controller:

    @With(ForceSSL.class)
    public class Foo extends Controller {
        ....
    }

See also http://groups.google.com/group/play-framework/browse_thread/thread/7b9aa36be85d0f7b

nylund answered Oct 04 '22 03:10