Safe Haskell: Trustworthy
This module exports the core of the Hails HTTP server. Specifically, it defines basic types, such as HTTP Request and Response, used by the Hails web server and untrusted Hails Applications.
At a high level, a Hails Application is a function from Request to Response in the DC monad. Every application response is sanitized and sanity checked with the secureApplication Middleware.
Hails uses Wai, and as such we provide two functions for converting Hails Applications to Wai Applications: devHailsApplication, used to execute Hails apps in development mode, and hailsApplicationToWai, which should be used in production with an authentication service from Hails.HttpServer.Auth.
Documentation
module Hails.HttpServer.Types
Execute Hails application in development mode
devHailsApplication :: Application -> Application
A default Hails handler for development environments. Safely runs a Hails Application, using basic HTTP authentication for authenticating users. Note: authentication will accept any username/password pair; it is solely used to set the user-name.
Execute Hails application
hailsApplicationToWai :: Application -> Application
Safely wraps a Hails Application in a Wai Application that can be run by an application server. The application is executed with the secureApplication Middleware. The function returns status 500 if the Hails application throws an exception and the label of the exception flows to the browser label (see browserLabelGuard); if the label does not flow, it responds with a 403.
All applications serve static content from a "static" directory.
Middleware used by Hails
browserLabelGuard :: Middleware
Hails Middleware that ensures the Response from the application is readable by the client's browser (as determined by the result label of the app computation and the label of the browser). If the response is not readable by the browser, the middleware sends a 403 (unauthorized) response instead.
guardSensitiveResp :: Middleware
Adds the header X-Hails-Label to the response. If the label of the computation flows to the public label, dcPub, the JSON field isPublic is set to true; otherwise it is set to false and the JSON label is set to the secrecy component of the response label (if it is a disjunction of principals, it is added). An example may be:
X-Hails-Label = { isPublic: true }
or
X-Hails-Label = { isPublic: false, label : ["http://google.com:80", "alice"] }
sanitizeResp :: Middleware
Remove anything from the response that could cause inadvertent declassification. Currently this only removes the Set-Cookie header.
catchAllExceptions :: Middleware
Catch all exceptions thrown by middleware and return 500.
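
The effect of the three response middlewares documented above, as an added, self-contained model in plain Haskell (not Hails code and not the Hails implementation). The types Secrecy, Resp, App and Guard, the demo app, the reduction of the label flow check to list membership, and the composition order are all assumptions made for illustration.

```haskell
-- Simplified model of the documented middleware behaviour; uses only base.
import Data.Char (toLower)
import Data.List (intercalate)

type Principal = String
-- Secrecy of a response: public, or readable by any one of the listed principals.
data Secrecy = Public | AnyOf [Principal]

data Resp = Resp { status :: Int, headers :: [(String, String)], body :: String }
  deriving Show

-- In this model an app maps a request path to a response plus its result label.
type App   = String -> (Resp, Secrecy)
type Guard = Principal -> App -> App   -- hypothetical middleware shape

-- Model of browserLabelGuard: 403 unless the browser's principal may read the label.
browserGuard :: Guard
browserGuard user app req = case app req of
  (_, l@(AnyOf ps)) | user `notElem` ps -> (Resp 403 [] "", l)
  ok -> ok

-- Model of guardSensitiveResp: attach X-Hails-Label describing the result label.
labelHeader :: Guard
labelHeader _ app req = (r { headers = ("X-Hails-Label", v) : headers r }, l)
  where (r, l) = app req
        v = case l of
          Public   -> "{ isPublic: true }"
          AnyOf ps -> "{ isPublic: false, label : [" ++ intercalate ", " (map show ps) ++ "] }"

-- Model of sanitizeResp: drop Set-Cookie (header names are case-insensitive).
sanitize :: Guard
sanitize _ app req = (r { headers = filter keep (headers r) }, l)
  where (r, l) = app req
        keep (k, _) = map toLower k /= "set-cookie"

-- Composition order is an assumption of this sketch.
secure :: Guard
secure u = browserGuard u . labelHeader u . sanitize u

-- Constructed sample app: "/secret" is labelled for alice only and tries to set a cookie.
demo :: App
demo "/secret" = (Resp 200 [("Set-Cookie", "sid=1")] "for alice", AnyOf ["alice"])
demo _         = (Resp 200 [] "hello", Public)

main :: IO ()
main = mapM_ (print . fst)
  [ secure "alice" demo "/secret"  -- principal named in the label
  , secure "bob"   demo "/secret"  -- principal not named in the label
  , secure "bob"   demo "/" ]      -- public page
```
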
Network types
module Network.HTTP.Types