SnipSnap Hack: Secure Login 
Well, in the past few days I've been playing with HTTPS and SnipSnap. If you're interested in having a secure login solution with your snipsnap, then this is for you.
First you have to set up a virtual host with SSL within Apache, or any other webserver you're using. To see how to set up a virtual host with SSL within Apache you can check Email: Going from your local mailbox to a distributed mailbox, where I explain how to set up your webmail solution, which includes setting up an SSL virtual host.
Now that you have set up an SSL virtual host that proxies to your local Jetty, you have two different ways of getting your snipsnap secured:
- The easy way
- The hackish way
The easy way
On the easy way you only need to log into snipsnap using your administrator account and edit the config snip. You'll have a variable called app.real.protocol, which is probably set to http; edit it to https. Also remember to check your app.real.host, which might be set to http://your_host; if so, remove the http:// part.
Now save the snip and you're done. From now on all of your snipsnap will run under https, so every page is secure, including the login. The problem with this is that the search engine spiders don't like to crawl https; they crawl http. If you want your snipsnap content to be crawled, then this is not your solution. Check the hackish way below.
The hackish way
I've called this the hackish way although it hasn't much to do with hacking, just a few simple modifications. What we are going to do is find the login links and make them use https. How can we do this? Well, it's easy.
You go into the JSP directory of the snipsnap source, which is at src/apps/default. There you'll find another directory called util. In that directory there is a JSP called mainbuttons.jsp. This JSP is the one responsible for the start, index, login/logout, etc. links that show up at the top of snipsnap. Besides this login link, you also get a login link when you try to comment on a blog post without being logged in. We'll get there later.
First open the mainbuttons.jsp file with your favourite editor and look for a link to exec/login.jsp. It's something like:
<a href="exec/login.jsp"><fmt:message key="menu.login"/></a>
Now we want to change it to https, but we also have to provide the host and real path of your blog. So you edit that line to the following:
<a href="
<c:out value='https://${app.configuration.realHost}/${app.configuration.path}/exec/login.jsp'/>">
<fmt:message key="menu.login"/>
</a>
The c:out tag is a JSTL core tag and mainly writes things out. app.configuration.realHost and app.configuration.path are the values held in app.real.host and app.real.path in your config snip. Once again, strip out any http:// that might show up in your app.real.host variable (don't worry, it won't break anything).
Now there's another change you have to make, to the link found in the sentence "Please login to post a comment" shown when you access a blog post without being logged in.
So we open the comment.jsp file and find the following code:
[...snip...]
<s:check roles="Authenticated" invert="true" >
<fmt:message key="login.please">
<fmt:param><fmt:message key="post.comment"/></fmt:param>
</fmt:message>
</s:check>
[...snip...]
This tells you that the link is within the localisation file, which in my opinion might not have been the best choice, but I'll leave that up to the developers. So you go into the localisation directory, which is under src/apps/default/WEB-INF/classes/i18n, and edit at least the localisation file you're using. If it's the English one you edit messages_en.properties; find the label login.please and change it to the following value:
Please <a href="https://{0}/{1}/exec/login.jsp">login</a> to {2}
Since we are now sending two more values to this label we have to change the JSP source, so the comment.jsp source I just showed becomes the following:
[...snip...]
<s:check roles="Authenticated" invert="true" >
<fmt:message key="login.please">
<fmt:param><c:out value="${app.configuration.realHost}"/></fmt:param>
<fmt:param><c:out value="${app.configuration.path}"/></fmt:param>
<fmt:param><fmt:message key="post.comment"/></fmt:param>
</fmt:message>
</s:check>
[...snip...]
Now you just need to compile snipsnap again and deploy it. Your login links will now point to https and your snipsnap will provide a secure login.
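Once snipsnap is redeployed it is worth checking that every login link really ends up on https, since a relative href such as exec/login.jsp inherits the scheme of the page it sits on (plain http in the hackish setup). The script below is an added example, not part of this post or of the SnipSnap project: it strips the scheme from app.real.host the way the easy way and the hackish way both require, builds the same URL the edited mainbuttons.jsp produces, and audits a rendered page for login links or forms that would still go over http. The config snip text, the page HTML and the host name blog.example.org are constructed samples; the assumption that app.real.path may carry a leading slash is mine.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a config snip; the key names are the ones the post
# uses, the values are made up for this example.
SAMPLE_CONFIG = """
app.real.protocol=http
app.real.host=http://blog.example.org
app.real.path=/snipsnap
"""


def parse_config(text):
    """Read key=value lines (the shape of the config snip) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def normalize_real_host(host):
    """Drop a leading scheme (http:// or https://) and trailing slash, as the
    post says app.real.host must hold only the host name."""
    return re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", "", host).rstrip("/")


def login_url(cfg):
    """Build the absolute URL the edited mainbuttons.jsp emits:
    https://<realHost>/<path>/exec/login.jsp (path slashes assumed optional)."""
    host = normalize_real_host(cfg["app.real.host"])
    path = cfg.get("app.real.path", "").strip("/")
    prefix = f"https://{host}/{path}" if path else f"https://{host}"
    return f"{prefix}/exec/login.jsp"


class LoginLinkAuditor(HTMLParser):
    """Collect every <a href> and <form action> that targets exec/login.jsp."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag == "a":
            url = attrs.get("href")
        elif tag == "form":
            url = attrs.get("action")
        if url and "exec/login.jsp" in url:
            self.targets.append(url)


def insecure_login_targets(html, page_url):
    """Return the login links on a page that would be followed over plain http.
    A relative link takes the scheme of the page, so on an http page it is insecure."""
    auditor = LoginLinkAuditor()
    auditor.feed(html)
    page_scheme = urlsplit(page_url).scheme
    return [u for u in auditor.targets if (urlsplit(u).scheme or page_scheme) != "https"]


# Constructed page fragments: the stock relative link, and the post's edited link.
SAMPLE_PAGE_BEFORE = """
<div class="buttons"><a href="space/start">start</a> <a href="exec/login.jsp">login</a></div>
<p>Please <a href="exec/login.jsp">login</a> to post a comment</p>
"""
SAMPLE_PAGE_AFTER = """
<div class="buttons"><a href="space/start">start</a>
<a href="https://blog.example.org/snipsnap/exec/login.jsp">login</a></div>
<p>Please <a href="https://blog.example.org/snipsnap/exec/login.jsp">login</a> to post a comment</p>
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("login link should be:", login_url(cfg))
    page = "http://blog.example.org/snipsnap/space/start"
    for label, html in (("before", SAMPLE_PAGE_BEFORE), ("after", SAMPLE_PAGE_AFTER)):
        bad = insecure_login_targets(html, page)
        print(f"{label}: {len(bad)} insecure login link(s) {bad}")
```

In practice you would feed insecure_login_targets the HTML fetched from your own http pages after deploying. Keep in mind what the hackish way does and does not cover: the password now travels over https, but once Jetty has issued the session cookie it is sent with every plain-http request that follows (unless the cookie carries the Secure flag, in which case the http pages would not see it at all), so this protects the credentials rather than the session.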
If you have any problems setting up the secure login on your snipsnap you can always find my email in my profile, pabrantes.