Posted to user@shale.apache.org by JS Portal Support <su...@jsportal.com> on 2007/05/01 02:27:00 UTC

navigate between http and https

Hi,

Does shale dialog, any of the other shale components or maybe myfaces have
the ability to define if the requests should go over http or https? Up to
now the only control over this I found was with the tomahawk sandbox form
(scheme).

I'm looking for a way to get a request from http, handle it and redirect to
the new page over https or the other way around. What would be the best way
to handle this? 

Joost Schouten

PS: Those of you in Amsterdam, I hope the conference will be a good one. By the
looks of it Queensday must have been great. If I weren't living in New
Zealand for the year I would have loved to come and meet some of the people
who have been so helpful over the last couple of months.


Re: navigate between http and https

Posted by Craig McClanahan <cr...@apache.org>.
On 4/30/07, JS Portal Support <su...@jsportal.com> wrote:
> Hi,
>
> Does shale dialog, any of the other shale components or maybe myfaces have
> the ability to define if the requests should go over http or https? Up to
> now the only control over this I found was with the tomahawk sandbox form
> (scheme).
>
> I'm looking for a way to get a request from http, handle it and redirect to
> the new page over https or the other way around. What would be the best way
> to handle this?
>

For JSF in general, there is no mechanism built in to the JSF
navigation scheme to do this.  You will need to generate an absolute
URL for the switchover, and then use either:

* <h:outputLink> or equivalent that lets you use an absolute URL

* Programmatically redirect via ExternalContext.redirect() followed by
  a call to FacesContext.responseComplete().

The tricky part of this, which you implied you need but did not
mention specifically but it sounds like you want, is that the old and
new pages share an HTTP session (in other words, they are part of the
same application).  The classic scenarios for this:

* Login page submits via HTTPS, but the rest of the
  app runs under HTTP.

* Shopping application runs mostly under HTTP, but
  the checkout process is under HTTPS.

I haven't tried any of these solutions personally, but techniques used
by packages like SSLExt and Acegi security should apply in a JSF world
as well.  I also understand that the newest versions of Seam have
support for this sort of thing more integrated with JSF (we might need
to go steal^h^h^h^h^hevaluate some of these ideas for Shale :-).

That all being said, I need to throw open a disclaimer here ... I have
never been able to convince myself that switching back and forth,
while maintaining session affinity, is safe from session spoofing
attacks (since the session ID itself has to be sent in the clear on an
http link).  I would love to be convinced otherwise, but this is the
primary reason I have avoided building apps that behave in this
manner.

Craig


> Joost Schouten
>
> PS: Those of you in Amsterdam, I hope the conference will be a good one. By the
> looks of it Queensday must have been great. If I weren't living in New
> Zealand for the year I would have loved to come and meet some of the people
> who have been so helpful over the last couple of months.
>
>
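
The programmatic option from the reply above (absolute URL, ExternalContext.redirect(), then FacesContext.responseComplete()), as an added example that is not part of the original thread or of Shale. The class name, host name, ports and view id are assumptions made for illustration.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class SchemeSwitch {

    // Assumed deployment values (constructed for this example). The host is
    // configured here rather than read from the request's Host header, so a
    // forged header cannot steer the redirect to another site.
    private static final String HOST = "shop.example.com";
    private static final int HTTP_PORT = 8080;
    private static final int HTTPS_PORT = 8443;

    /** Builds scheme://host[:port]/path, omitting the scheme's default port. */
    static String absoluteUrl(boolean secure, String path) {
        String scheme = secure ? "https" : "http";
        int port = secure ? HTTPS_PORT : HTTP_PORT;
        int defaultPort = secure ? 443 : 80;
        StringBuilder url = new StringBuilder(scheme).append("://").append(HOST);
        if (port != defaultPort) {
            url.append(':').append(port);
        }
        return url.append(path).toString();
    }

    /** Redirects the current request to viewId over the requested scheme. */
    public static void redirect(String viewId, boolean secure) throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();

        // getActionURL returns a path that already includes the context path
        // and the FacesServlet mapping, e.g. /app/checkout.faces
        String path = fc.getApplication().getViewHandler().getActionURL(fc, viewId);

        // The URL is deliberately not passed through encodeActionURL, so no
        // jsessionid is rewritten into it; the session follows via its cookie.
        ec.redirect(absoluteUrl(secure, path));
        fc.responseComplete(); // end the JSF lifecycle; nothing else is rendered
    }

    /** Action method, e.g. action="#{schemeSwitch.checkout}" on a command button. */
    public String checkout() throws IOException {
        redirect("/checkout.jsp", true);
        return null; // the redirect has already completed the response
    }
}
```

The session cookie set while the user was on http has already crossed the network unencrypted, which is the spoofing concern raised in the reply; this redirect does not change that.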