<% include("/scripting/common.js"); /* check if a uri is one of the 'always allowed' pages, even when not logged in This allows the login page to use the same style sheets and images */ function always_allowed(uri) { var str = string_init(); /* allow the primary web application to do its own authentication */ var s = str.split('/', uri); if (s[0] == "" && (s.length == 1 || /* no path provided */ s[1] == 'index.html' || s[1] == "script" || s[1] == "resource")) { return true; } var s = str.split('.', uri); if (s.length < 2) { return false; } var ext = s[s.length-1]; var allowed = new Array("ico", "gif", "png","css", "js"); for (i in allowed) { if (allowed[i] == ext) { return true; } } return false; } /* this script is called on every web request. If it produces any output at all then that output is returned and the requested page is not given or processed. */ if (server['SERVER_PROTOCOL'] == "http" && server['TLS_SUPPORT'] == "True") { write("redirect to https"); redirect("https://" + headers['HOST'] + request['REQUEST_URI']); } else if (always_allowed(request['REQUEST_URI']) != true && session['AUTHENTICATED'] == undefined) { /* present the login page */ include("/login.esp"); } %>