diff options
Diffstat (limited to 'webapps/scripting/preauth.esp')
-rw-r--r-- | webapps/scripting/preauth.esp | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/webapps/scripting/preauth.esp b/webapps/scripting/preauth.esp new file mode 100644 index 0000000000..84534cacef --- /dev/null +++ b/webapps/scripting/preauth.esp @@ -0,0 +1,49 @@ +<% +include("/scripting/common.js"); + +/* + check if a uri is one of the 'always allowed' pages, even when not logged in + This allows the login page to use the same style sheets and images +*/ +function always_allowed(uri) { + var str = string_init(); + + /* allow the primary web application to do its own authentication */ + var s = str.split('/', uri); + if (s[0] == "" && (s.length == 1 || /* no path provided */ + s[1] == 'index.html' || + s[1] == "script" || + s[1] == "resource")) { + return true; + } + + var s = str.split('.', uri); + if (s.length < 2) { + return false; + } + + var ext = s[s.length-1]; + var allowed = new Array("ico", "gif", "png","css", "js"); + for (i in allowed) { + if (allowed[i] == ext) { + return true; + } + } + return false; +} + + +/* this script is called on every web request. If it produces any + output at all then that output is returned and the requested page + is not given or processed. +*/ +if (server['SERVER_PROTOCOL'] == "http" && + server['TLS_SUPPORT'] == "True") { + write("redirect to https"); + redirect("https://" + headers['HOST'] + request['REQUEST_URI']); +} else if (always_allowed(request['REQUEST_URI']) != true && + session['AUTHENTICATED'] == undefined) { + /* present the login page */ + include("/login.esp"); +} +%> |