You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@wicket.apache.org by Claudio Miranda <cl...@claudius.com.br> on 2008/02/21 21:08:51 UTC

Re: Redirect to HTTPS?


    Resurrecting this thread from the dead :D

    disclaimer: I am very new to wicket and its philosophy, so I am making
some points related to secure pages.
    I read about securing pages though ssl and made a comment there

http://cwiki.apache.org/confluence/display/WICKET/How+to+switch+to+SSL+mode

    But I saw it too much unneeded coding, as servlet spec allows us to
declare at web.xml the URLs to secure.

At my application I can configure secure mount points, like "/admin"

mountBookmarkablePage("/cad", Inicial.class);
mountBookmarkablePage("/res", Resultado.class);
mountBookmarkablePage("/admin/results", AdminResults.class);
mountBookmarkablePage("/admin/users", AdminUsers.class);

And declare the "/admin" as to be secured through SSL

<security-constraint>
    <display-name>ssl-test</display-name>
    <web-resource-collection>
        <web-resource-name>resultado</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <description>ssl mode</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I think its easier than doing all the code displayed before. And dismiss the
application developer to know about server infrastructure (port and
hostname)



Eelco Hillenius wrote:
> 
>> All the other encode methods get the proper wicket URL but doesn't
>> prepend
>> the webapp URI which this final encode method does.  Beyond filing a RFE
>> to
>> either make this method non-final or provide a postEncode(RequestCycle,
>> IRequestTarget) method before URL encoding, we will have to copy the
>> entire
>> class and provide this behavior.
>>
>> Thoughts?
> 
> I stand by my suggestion that you could just try to redirect to a
> secure page. After that, the relative URLs stay secure no?
> 
> If I'm missing something, please tell.
> 

-----
Claudio Miranda
http://weblogs.java.net/blog/claudio
http://www.claudius.com.br/blog
-- 
View this message in context: http://www.nabble.com/Redirect-to-HTTPS--tp12861028p15618826.html
Sent from the Wicket - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org