You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tapestry.apache.org by Dave Greggory <da...@yahoo.com> on 2009/05/18 15:15:50 UTC

[t5.0.18] Secure Annotation / BaseURLSource

I've been using BaseURLSource(since behind a firewall/load balancer) fine all this time, and recently I needed a secure page, so I added the @Secure annotation on that page. But that page is no longer working because @Secure annotation ends up sending continuous redirects. What am I doing wrong?

My BaseURLSource implementation:

BaseURLSource source = new BaseURLSource()
{
  public String getBaseURL(boolean secure)
  {
     return (secure) ? baseURL : baseSecureURL;
  }
}

Thanks,
Dave



      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org

@Secure solution (was Re: [t5.0.18] Secure Annotation / BaseURLSource)

Posted by Geoff Callender <ge...@gmail.com>.

I've found a solution - use AJP (instead of HTTP) from Apache to Jetty/Tomcat. Apache handles the SSL and AJP preserves the security info, so Tapestry knows a secure channel was used and the @Secure annotation just works. Perfect.

For the record, the key lines for httpd-ssl.conf are like this:

	SSLOptions +ExportCertData
 
        ProxyRequests Off
        ProxyPreserveHost On

        <Proxy *>
                AddDefaultCharset Off
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass       /myapp ajp://gc1.local:18080/myapp retry=5
        ProxyPassReverse        /myapp ajp://gc1.local:18080/myapp

The full config info is in these articles:

	http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start (see "Between Apache and Tomcat")
	http://docs.codehaus.org/display/JETTY/Configuring+mod_proxy (alternative 1 causes the problem, whereas alternative 2 works!)

HTH someone else,

Geoff

On 09/02/2010, at 12:23 AM, Geoff Callender wrote:

> Hi Dave et al,
> 
> Did you find an OK solution to this? I too am hoping to have Apache look after https and feed only http to the web server, but any page marked @Secure will reject http and redirect to https, so you end in a loop bouncing between browser and webserver via Apache.
> 
> Cheers,
> 
> Geoff
> 
> On 20/05/2009, at 1:02 AM, Dave Greggory wrote:
> 
>> 
>> I'm attempting to contribute my own RequestSecurityManager, but if anybody else has a better idea where I don't have to touch internal stuff let me know.
>> 
>> 
>> 
>> ----- Original Message ----
>> From: Dave Greggory <da...@yahoo.com>
>> To: Tapestry users <us...@tapestry.apache.org>
>> Sent: Tuesday, May 19, 2009 10:51:41 AM
>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>> 
>> 
>> Well looks like our internal network structure is pretty set and can't be changed. 
>> 
>> Users <-- internet (http / https connections ) --> load balancer/firewall <-- internal network (http) --> tomcat
>> 
>> We have a way of determining from within a tomcat application whether internet connection to firewall is secure. This can be done because the firewall adds a request header indicating SSL status. This is how we usually determine this. Can I get tapestry use my helper method that does this check to determine whether the connection was secure? How can I get secure connections working in this situation? 
>> 
>> Thanks so much.
>> Dave
>> 
>> 
>> 
>> 
>> ----- Original Message ----
>> From: Dave Greggory <da...@yahoo.com>
>> To: Tapestry users <us...@tapestry.apache.org>
>> Sent: Monday, May 18, 2009 12:16:36 PM
>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>> 
>> 
>> Don't worry about it, turns out our internal network is screwed up... connections between users and the load balancer is secure, but not between load balancer and app server.
>> 
>> 
>> 
>> ----- Original Message ----
>> From: Dave Greggory <da...@yahoo.com>
>> To: Tapestry users <us...@tapestry.apache.org>
>> Sent: Monday, May 18, 2009 11:56:56 AM
>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>> 
>> 
>> obviously, it is.
>> 
>> 
>> 
>> ----- Original Message ----
>> From: Martin Strand <do...@gmail.com>
>> To: Tapestry users <us...@tapestry.apache.org>
>> Sent: Monday, May 18, 2009 11:40:40 AM
>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>> 
>> Just a guess... perhaps baseSecureURL is not an https url?
>> 
>> 
>> On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <da...@yahoo.com> wrote:
>> 
>>> 
>>> I've been using BaseURLSource(since behind a firewall/load balancer) fine all this time, and recently I needed a secure page, so I added the @Secure annotation on that page. But that page is no longer working because @Secure annotation ends up sending continuous redirects. What am I doing wrong?
>>> 
>>> My BaseURLSource implementation:
>>> 
>>> BaseURLSource source = new BaseURLSource()
>>> {
>>> public String getBaseURL(boolean secure)
>>> {
>>>    return (secure) ? baseURL : baseSecureURL;
>>> }
>>> }
>>> 
>>> Thanks,
>>> Dave
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>> 
>> 
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>> 
>> 
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>> 
>> 
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>> 
>> 
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org

Re: [t5.0.18] Secure Annotation / BaseURLSource

Posted by Geoff Callender <ge...@gmail.com>.

Hi Dave et al,

Did you find an OK solution to this? I too am hoping to have Apache look after https and feed only http to the web server, but any page marked @Secure will reject http and redirect to https, so you end in a loop bouncing between browser and webserver via Apache.

Cheers,

Geoff

On 20/05/2009, at 1:02 AM, Dave Greggory wrote:

> 
> I'm attempting to contribute my own RequestSecurityManager, but if anybody else has a better idea where I don't have to touch internal stuff let me know.
> 
> 
> 
> ----- Original Message ----
> From: Dave Greggory <da...@yahoo.com>
> To: Tapestry users <us...@tapestry.apache.org>
> Sent: Tuesday, May 19, 2009 10:51:41 AM
> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
> 
> 
> Well looks like our internal network structure is pretty set and can't be changed. 
> 
> Users <-- internet (http / https connections ) --> load balancer/firewall <-- internal network (http) --> tomcat
> 
> We have a way of determining from within a tomcat application whether internet connection to firewall is secure. This can be done because the firewall adds a request header indicating SSL status. This is how we usually determine this. Can I get tapestry use my helper method that does this check to determine whether the connection was secure? How can I get secure connections working in this situation? 
> 
> Thanks so much.
> Dave
> 
> 
> 
> 
> ----- Original Message ----
> From: Dave Greggory <da...@yahoo.com>
> To: Tapestry users <us...@tapestry.apache.org>
> Sent: Monday, May 18, 2009 12:16:36 PM
> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
> 
> 
> Don't worry about it, turns out our internal network is screwed up... connections between users and the load balancer is secure, but not between load balancer and app server.
> 
> 
> 
> ----- Original Message ----
> From: Dave Greggory <da...@yahoo.com>
> To: Tapestry users <us...@tapestry.apache.org>
> Sent: Monday, May 18, 2009 11:56:56 AM
> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
> 
> 
> obviously, it is.
> 
> 
> 
> ----- Original Message ----
> From: Martin Strand <do...@gmail.com>
> To: Tapestry users <us...@tapestry.apache.org>
> Sent: Monday, May 18, 2009 11:40:40 AM
> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
> 
> Just a guess... perhaps baseSecureURL is not an https url?
> 
> 
> On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <da...@yahoo.com> wrote:
> 
>> 
>> I've been using BaseURLSource(since behind a firewall/load balancer) fine all this time, and recently I needed a secure page, so I added the @Secure annotation on that page. But that page is no longer working because @Secure annotation ends up sending continuous redirects. What am I doing wrong?
>> 
>> My BaseURLSource implementation:
>> 
>> BaseURLSource source = new BaseURLSource()
>> {
>>  public String getBaseURL(boolean secure)
>>  {
>>     return (secure) ? baseURL : baseSecureURL;
>>  }
>> }
>> 
>> Thanks,
>> Dave
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org

Re: [t5.0.18] Secure Annotation / BaseURLSource

Posted by Dave Greggory <da...@yahoo.com>.

I'm attempting to contribute my own RequestSecurityManager, but if anybody else has a better idea where I don't have to touch internal stuff let me know.



----- Original Message ----
From: Dave Greggory <da...@yahoo.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Tuesday, May 19, 2009 10:51:41 AM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource


Well looks like our internal network structure is pretty set and can't be changed. 

Users <-- internet (http / https connections ) --> load balancer/firewall <-- internal network (http) --> tomcat

We have a way of determining from within a tomcat application whether internet connection to firewall is secure. This can be done because the firewall adds a request header indicating SSL status. This is how we usually determine this. Can I get tapestry use my helper method that does this check to determine whether the connection was secure? How can I get secure connections working in this situation? 

Thanks so much.
Dave




----- Original Message ----
From: Dave Greggory <da...@yahoo.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 12:16:36 PM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource


Don't worry about it, turns out our internal network is screwed up... connections between users and the load balancer is secure, but not between load balancer and app server.



----- Original Message ----
From: Dave Greggory <da...@yahoo.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 11:56:56 AM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource


obviously, it is.



----- Original Message ----
From: Martin Strand <do...@gmail.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 11:40:40 AM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource

Just a guess... perhaps baseSecureURL is not an https url?


On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <da...@yahoo.com> wrote:

>
> I've been using BaseURLSource(since behind a firewall/load balancer) fine all this time, and recently I needed a secure page, so I added the @Secure annotation on that page. But that page is no longer working because @Secure annotation ends up sending continuous redirects. What am I doing wrong?
>
> My BaseURLSource implementation:
>
> BaseURLSource source = new BaseURLSource()
> {
>   public String getBaseURL(boolean secure)
>   {
>      return (secure) ? baseURL : baseSecureURL;
>   }
> }
>
> Thanks,
> Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org

Re: [t5.0.18] Secure Annotation / BaseURLSource

Posted by Dave Greggory <da...@yahoo.com>.

Well looks like our internal network structure is pretty set and can't be changed. 

Users <-- internet (http / https connections ) --> load balancer/firewall <-- internal network (http) --> tomcat

We have a way of determining from within a tomcat application whether internet connection to firewall is secure. This can be done because the firewall adds a request header indicating SSL status. This is how we usually determine this. Can I get tapestry use my helper method that does this check to determine whether the connection was secure? How can I get secure connections working in this situation? 

Thanks so much.
Dave




----- Original Message ----
From: Dave Greggory <da...@yahoo.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 12:16:36 PM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource


Don't worry about it, turns out our internal network is screwed up... connections between users and the load balancer is secure, but not between load balancer and app server.



----- Original Message ----
From: Dave Greggory <da...@yahoo.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 11:56:56 AM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource


obviously, it is.



----- Original Message ----
From: Martin Strand <do...@gmail.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 11:40:40 AM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource

Just a guess... perhaps baseSecureURL is not an https url?


On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <da...@yahoo.com> wrote:

>
> I've been using BaseURLSource(since behind a firewall/load balancer) fine all this time, and recently I needed a secure page, so I added the @Secure annotation on that page. But that page is no longer working because @Secure annotation ends up sending continuous redirects. What am I doing wrong?
>
> My BaseURLSource implementation:
>
> BaseURLSource source = new BaseURLSource()
> {
>   public String getBaseURL(boolean secure)
>   {
>      return (secure) ? baseURL : baseSecureURL;
>   }
> }
>
> Thanks,
> Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org

Re: [t5.0.18] Secure Annotation / BaseURLSource

Posted by Dave Greggory <da...@yahoo.com>.

Don't worry about it, turns out our internal network is screwed up... connections between users and the load balancer is secure, but not between load balancer and app server.



----- Original Message ----
From: Dave Greggory <da...@yahoo.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 11:56:56 AM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource


obviously, it is.



----- Original Message ----
From: Martin Strand <do...@gmail.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 11:40:40 AM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource

Just a guess... perhaps baseSecureURL is not an https url?


On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <da...@yahoo.com> wrote:

>
> I've been using BaseURLSource(since behind a firewall/load balancer) fine all this time, and recently I needed a secure page, so I added the @Secure annotation on that page. But that page is no longer working because @Secure annotation ends up sending continuous redirects. What am I doing wrong?
>
> My BaseURLSource implementation:
>
> BaseURLSource source = new BaseURLSource()
> {
>   public String getBaseURL(boolean secure)
>   {
>      return (secure) ? baseURL : baseSecureURL;
>   }
> }
>
> Thanks,
> Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org

Re: [t5.0.18] Secure Annotation / BaseURLSource

Posted by Dave Greggory <da...@yahoo.com>.

obviously, it is.



----- Original Message ----
From: Martin Strand <do...@gmail.com>
To: Tapestry users <us...@tapestry.apache.org>
Sent: Monday, May 18, 2009 11:40:40 AM
Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource

Just a guess... perhaps baseSecureURL is not an https url?


On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <da...@yahoo.com> wrote:

>
> I've been using BaseURLSource(since behind a firewall/load balancer) fine all this time, and recently I needed a secure page, so I added the @Secure annotation on that page. But that page is no longer working because @Secure annotation ends up sending continuous redirects. What am I doing wrong?
>
> My BaseURLSource implementation:
>
> BaseURLSource source = new BaseURLSource()
> {
>   public String getBaseURL(boolean secure)
>   {
>      return (secure) ? baseURL : baseSecureURL;
>   }
> }
>
> Thanks,
> Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


      


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org

Re: [t5.0.18] Secure Annotation / BaseURLSource

Posted by Martin Strand <do...@gmail.com>.

Just a guess... perhaps baseSecureURL is not an https url?


On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <da...@yahoo.com> wrote:

>
> I've been using BaseURLSource(since behind a firewall/load balancer) fine all this time, and recently I needed a secure page, so I added the @Secure annotation on that page. But that page is no longer working because @Secure annotation ends up sending continuous redirects. What am I doing wrong?
>
> My BaseURLSource implementation:
>
> BaseURLSource source = new BaseURLSource()
> {
>   public String getBaseURL(boolean secure)
>   {
>      return (secure) ? baseURL : baseSecureURL;
>   }
> }
>
> Thanks,
> Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org