You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Sven Meier (JIRA)" <ji...@apache.org> on 2013/04/04 00:13:16 UTC

[jira] [Commented] (WICKET-5129) HttpsMapper Does Not Switch to SSL when there is no JSESSIONID Cookie

    [ https://issues.apache.org/jira/browse/WICKET-5129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13621405#comment-13621405 ] 

Sven Meier commented on WICKET-5129:
------------------------------------

Problem is that WebPageRenderer renders the login page into a buffer and then redirects to it. HttpsMapper does not react on BufferedResponseRequestHandlers :(.

If you restart with a page class instead of a page instance:

   throw new RestartResponseAtInterceptPageException(LoginPage.class);

... then RedirectPolicy.ALWAYS_REDIRECT is used, thus the redirect comes first and HttpsMapper is able to react on the RenderPageRequestHandler.
                
> HttpsMapper Does Not Switch to SSL when there is no JSESSIONID Cookie
> ---------------------------------------------------------------------
>
>                 Key: WICKET-5129
>                 URL: https://issues.apache.org/jira/browse/WICKET-5129
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket, wicket-auth-roles
>    Affects Versions: 6.6.0
>            Reporter: Tim Urberg
>              Labels: HttpsMapper
>         Attachments: httpsMapperError.zip
>
>
> I'm having an issue with HttpsMapper not switching to SSL when there is no JSESSIONID cookie.  It's happening with wicket-auth-roles when the user goes to the home page, which need authentication.  I have this code in my init method in my WebApplication class.
> getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy()
> {
>    @Override
>    public <T extends IRequestableComponent> boolean isInstantiationAuthorized(Class<T> componentClass)
>    {
>       if (AuthenticatedWebPage.class.isAssignableFrom(componentClass))
>       {
>          if (MyAuthenticatedWebSession.get().isSignedIn())
>             return true;
>          throw new RestartResponseAtInterceptPageException(new LoginPage());
>       }
>       return true;
>    }
>    @Override
>    public boolean isActionAuthorized(Component component, Action action)
>    {
>       return true;
>    }
> });
> HomePage implements AuthenticatedWebPage and LoginPage has the @RequireHttps annotation.  This only seems to happen when there is no JSESSIONID cookie.  The URL looks like this:
> http://localhost:8080/login;jsessionid=1c9nRTpWGWynRXdX1WKC5ZnSfTNKCydGTdHH83mvfXQZQcQ8fLpx!-1875818450?0
> when it should be https://localhost:8443/login.  If I try it a second time after the cookie has been created it works fine.  This is not a problem when I go straight to http://localhost:8080/login (works fine then).  

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira