Posted to users@wicket.apache.org by sonxurxo <so...@gmail.com> on 2010/10/19 10:15:25 UTC

SSL Links and buttons

Hi all,
This question applies to Wicket 1.4.9.
I have an app where I have a Sign-in component (Panel) that is shown in
(almost) every page of the site. I'd like all the app to work over http, and
that form to work over https. Since the @RequireHttps annotation only works
on pages and not Components, how can I achieve that? 
I have some other pages (e.g. registration page) that are fully working over
https with the mentioned annotation, everything is OK. But I cannot get the
sign-in form (included in quite some http-pages) to work over https.
Any ideas?
If there's a core developer reading this, is there any plan of "extending"
the @RequireHttps annotation to other Components rather than just pages?
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3001634.html
Sent from the Users forum mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: SSL Links and buttons

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
Hi,

I just added

https://issues.apache.org/jira/browse/WICKET-3133

Other answers inline:

> I tried your code and it's working for me, just with one issue I mention at
> the end of this post. I had to make just 3 modifications: the method
> resolve() stays like this:
>
> public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
>     {
>
> //             if (portConfig.isPreferStateful()) {
>             Session.get().bind();
> //             }
>
>             IRequestTarget target = super.resolve(rc, rp);
>             return checkSecure(target);
>     }
>
> because I can not find the isPreferStateful() method, and the SecureForm
> onComponentTag() is like this:
>

This method may have been added after 1.4.9: I'm using 1.4.12.

> @Override
>        protected void onComponentTag(ComponentTag tag) {
>                super.onComponentTag(tag);
>                String action = tag.getAttribute("action");
>                action = RequestUtils.toAbsolutePath(action);
>                if(!action.startsWith("https")) {
>                        action = "https" + action.substring(4);
>                        action =
> action.replace(String.valueOf(MeteosixApplication.get().getHttpPort()),
>                                        String.valueOf(MeteosixApplication.get().getHttpsPort()));
>                }
>                tag.put("action", action);
>        }
>
> to also substitute the port numbers in the action (I get them from my
> Application class with custom methods).

Ok. That might be a good addition if we want to have some generic solution.

>
> and the annotation @SemiSecurePage is not needed at all, since it will enter
> the ifs the same, so you can freely remove it.

I just added it as an extra check so that we don't have to inspect all
 IListenerInterfaceRequestTarget.

>
> The issue is that when validation fails, it does not find the CSS because my
> browser is requesting it without the context (e.g.
> http://localhost:9090/styles/main/layout.css instead of
> http://localhost:9090/myapplication/styles/main/layout.css). Doesn't it
> happen to you? How can I fix that? When does Wicket establish the URL for
> static resources like this? I'm adding it this way:
>
> add(CSSPackageResource.getHeaderContribution("styles/main/layout.css"));
>
No this do happens to me: I will try to do some experiments to see
what is missing....

Can you try to replace method SecureBufferedWebResponse.getUrl with

protected String getUrl(String protocol, Integer port,
		HttpServletRequest request, String queryString)
	{
		// an absolute URL (http or https) is returned unchanged
		if (queryString != null && queryString.startsWith("http"))
			return queryString;
		StringBuilder result = new StringBuilder();
		result.append(protocol);
		result.append("://");
		result.append(request.getServerName());
		if (port != null)
		{
			result.append(":");
			result.append(port);
		}

		String path = request.getContextPath();
		if (path != null && path.length() > 0) {
			result.append(path);
		}
		result.append(request.getRequestURI());
		if (queryString != null)
		{
			// values starting with ".." are appended as-is; anything else that
			// does not start with "?" gets one prepended
			if (!queryString.startsWith("..") && !queryString.startsWith("?"))
				result.append("?");
			result.append(queryString);
		}
		return result.toString();
	}

and see if it works now?


> The rest of the solution works great, I didn't have much time to inspect it
> (I can see the tricky parts :) ) and to check how much
> wicket-version-dependent it can be, but I think it's OK (since it's
> working!).

IMHO: It will be very nice if this "corner" use case is included in the
default HttpsRequestCycleProcessor. Will try to produce a patch and
attach it to the issue mentioned before.

No thanks needed: we all benefit from this discussion;-)

Regards,

Ernesto



Re: SSL Links and buttons

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
Ok. I just saw your last post and remembered this thread:-)

Cheers,

Ernesto

On Wed, Nov 17, 2010 at 1:42 PM, sonxurxo <so...@gmail.com> wrote:
>
> Hi Ernesto,
>
> I got stuck with the bad resource URL's rewriting, so, due to hurries in my
> job, now we have a standalone page with @RequireHttps annotation. I'll try
> it again and get deeper in the problem, I don't give up at all ;), but I
> need a time for it that I didn't have. Thank you very much for your
> interest, I'll keep this thread up-to-date until I get it!!


Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Hi Ernesto,

I got stuck with the bad resource URL's rewriting, so, due to hurries in my
job, now we have a standalone page with @RequireHttps annotation. I'll try
it again and get deeper in the problem, I don't give up at all ;), but I
need a time for it that I didn't have. Thank you very much for your
interest, I'll keep this thread up-to-date until I get it!!
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3046640.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
Hi,

Did you get this working at the end? The fix we provided is working
fine for us:-)

Cheers,

Ernesto

On Wed, Oct 27, 2010 at 3:53 PM, sonxurxo <so...@gmail.com> wrote:
>
> I'm using:
>
> add(CSSPackageResource.getHeaderContribution("styles/main/layout.css"));
>
> literally as I have just written.


Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
I'm using:

add(CSSPackageResource.getHeaderContribution("styles/main/layout.css"));

literally as I have just written.
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3015516.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
It works fine for me for CSS, images, JavaScript and so on: it must be
something we are missing on getUrl() method:-(

What's the url you are getting for layout.css? I'm including CSS using
resource references

add(CSSPackageResource.getHeaderContribution(Styles.ESTILOS));

and

public class Styles {
	
	public static final ResourceReference ESTILOS =
		new ResourceReference(Styles.class, "estilos.css");
        ..............
}

Ernesto

On Wed, Oct 27, 2010 at 3:03 PM, sonxurxo <so...@gmail.com> wrote:
>
> Hi,
>
> It does not work for me. To correctly replace the ports I had to modify the
> SecureForm code a bit, leaving it as follows:
>
> @Override
>        protected void onComponentTag(ComponentTag tag) {
>                super.onComponentTag(tag);
>                String action = tag.getAttribute("action");
>                if (!action.startsWith("http"))
>                        action = RequestUtils.toAbsolutePath(action);
>                // rewrite action to use HTTPs
>                if (!action.startsWith("https")) {
>                        action = replacePort("https" + action.substring(4));
>                }
>                else {
>                        action = replacePort(action);
>                }
>                tag.put("action", action);
>
>        }
>
>        private String replacePort(String action) {
>                RequestCycle requestCycle = RequestCycle.get();
>                SecureHttpsRequestCycleProcessor processor =
> (SecureHttpsRequestCycleProcessor) requestCycle
>                                .getProcessor();
>                Integer port = processor.getConfig().getHttpPort();
>                Integer httpsPort = processor.getConfig().getHttpsPort();
>                action = action.replace(":" + Integer.toString(port) + "/",
>                                ":" + Integer.toString(httpsPort) + "/");
>                return action;
>        }
>
> but the modification of the getUrl() method of SecureBufferedWebResponse
> doesn't seem to affect the request for the CSS file, but only for the URLs
> of links and buttons in the page (the debugger never entered that point in
> that request). I'll continue trying it and modifications and keep this
> thread informed up-to-date.


Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Hi,

It does not work for me. To correctly replace the ports I had to modify the
SecureForm code a bit, leaving it as follows:

@Override
	protected void onComponentTag(ComponentTag tag) {
		super.onComponentTag(tag);
		String action = tag.getAttribute("action");
		if (!action.startsWith("http"))
			action = RequestUtils.toAbsolutePath(action);
		// rewrite action to use HTTPs
		if (!action.startsWith("https")) {
			action = replacePort("https" + action.substring(4));
		}
		else {
			action = replacePort(action);
		}
		tag.put("action", action);

	}

	private String replacePort(String action) {
		RequestCycle requestCycle = RequestCycle.get();
		SecureHttpsRequestCycleProcessor processor =
				(SecureHttpsRequestCycleProcessor) requestCycle.getProcessor();
		Integer port = processor.getConfig().getHttpPort();
		Integer httpsPort = processor.getConfig().getHttpsPort();
		action = action.replace(":" + Integer.toString(port) + "/",
				":" + Integer.toString(httpsPort) + "/");
		return action;
	}

but the modification of the getUrl() method of SecureBufferedWebResponse
doesn't seem to affect the request for the CSS file, but only for the URLs
of links and buttons in the page (the debugger never entered that point in
that request). I'll continue trying it and modifications and keep this
thread informed up-to-date.
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3015404.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
Hi,

I also have the problem with resources if I mount the application on
anything else but "/". The following changes seem to fix it from either
"/" or "/xxx":

1-SecureForm
public class SecureForm<T> extends Form<T>
{

	private static final long serialVersionUID = 1L;

	/**
	 * Constructor.
	 *
	 * @param id See Component
	 */
	public SecureForm(String id)
	{
		super(id);
	}

	/**
	 * @param id See Component
	 * @param model See Component
	 *
	 * @see org.apache.wicket.Component#Component(String, IModel)
	 */
	public SecureForm(String id, IModel<T> model)
	{
		super(id, model);
	}
		/*
	 * (non-Javadoc)
	 * @see org.apache.wicket.markup.html.form.Form#onComponentTag(org.apache.wicket.markup.ComponentTag)
	 */
	@Override
	protected void onComponentTag(ComponentTag tag)
	{
		super.onComponentTag(tag);		
		String action = tag.getAttribute("action");
		if(!action.startsWith("http"))
			action = RequestUtils.toAbsolutePath(action);
		// rewrite action to use HTTPs
		if(!action.startsWith("https"))
			action = replacePort("https"+action.substring(4));
		tag.put("action", action);
		
	}
	
	private String replacePort(String action) {
		RequestCycle requestCycle = RequestCycle.get();
		SecureHttpsRequestCycleProcessor processor =
			(SecureHttpsRequestCycleProcessor)requestCycle.getProcessor();
		Integer port = processor.getConfig().getHttpPort();
		Integer httpsPort = processor.getConfig().getHttpsPort();
		action.replace(":"+Integer.toString(port)+"/",
			":"+Integer.toString(httpsPort)+"/");
		return action;
	}
}

2-SecureBufferedWebResponse.getUrl

protected String getUrl(String protocol, Integer port,
		HttpServletRequest request, String queryString)
	{
		// an absolute URL (http or https) is returned unchanged
		if (queryString != null && queryString.startsWith("http"))
			return queryString;
		StringBuilder result = new StringBuilder();
		result.append(protocol);
		result.append("://");
		result.append(request.getServerName());
		if (port != null)
		{
			result.append(":");
			result.append(port);
		}

		result.append(request.getRequestURI());
		if (queryString != null)
		{
			if (queryString.indexOf("../") >= 0)
			{
				// strip relative "../" segments before appending
				queryString = Strings.replaceAll(queryString, "../", "").toString();
			}
			else if (!queryString.startsWith("?"))
			{
				result.append("?");
			}
			result.append(queryString);
		}
		return result.toString();
	}

Can you try the above and see if it works for you?

Ernesto

On Wed, Oct 27, 2010 at 9:29 AM, sonxurxo <so...@gmail.com> wrote:
>
> Hi Ernesto,
>
> I tried your code and it's working for me, just with one issue I mention at
> the end of this post. I had to make just 3 modifications: the method
> resolve() stays like this:
>
> public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
>     {
>
> //             if (portConfig.isPreferStateful()) {
>             Session.get().bind();
> //             }
>
>             IRequestTarget target = super.resolve(rc, rp);
>             return checkSecure(target);
>     }
>
> because I can not find the isPreferStateful() method, and the SecureForm
> onComponentTag() is like this:
>
> @Override
>        protected void onComponentTag(ComponentTag tag) {
>                super.onComponentTag(tag);
>                String action = tag.getAttribute("action");
>                action = RequestUtils.toAbsolutePath(action);
>                if(!action.startsWith("https")) {
>                        action = "https" + action.substring(4);
>                        action =
> action.replace(String.valueOf(MeteosixApplication.get().getHttpPort()),
>                                        String.valueOf(MeteosixApplication.get().getHttpsPort()));
>                }
>                tag.put("action", action);
>        }
>
> to also substitute the port numbers in the action (I get them from my
> Application class with custom methods).
>
> and the annotation @SemiSecurePage is not needed at all, since it will enter
> the ifs the same, so you can freely remove it.
>
> The issue is that when validation fails, it does not find the CSS because my
> browser is requesting it without the context (e.g.
> http://localhost:9090/styles/main/layout.css instead of
> http://localhost:9090/myapplication/styles/main/layout.css). Doesn't it
> happen to you? How can I fix that? When does Wicket establish the URL for
> static resources like this? I'm adding it this way:
>
> add(CSSPackageResource.getHeaderContribution("styles/main/layout.css"));
>
> The rest of the solution works great, I didn't have much time to inspect it
> (I can see the tricky parts :) ) and to check how much
> wicket-version-dependent it can be, but I think it's OK (since it's
> working!).
>
> So the only thing is to fix the CSS issue, do you have any idea of how...?
> Thank you


Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Hi Ernesto,

I tried your code and it's working for me, just with one issue I mention at
the end of this post. I had to make just 3 modifications: the method
resolve() stays like this:

public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
     {
            
//             if (portConfig.isPreferStateful()) {
             Session.get().bind();
//             }

             IRequestTarget target = super.resolve(rc, rp);
             return checkSecure(target);
     }

because I can not find the isPreferStateful() method, and the SecureForm
onComponentTag() is like this:

@Override
	protected void onComponentTag(ComponentTag tag) {
		super.onComponentTag(tag);
		String action = tag.getAttribute("action");
		action = RequestUtils.toAbsolutePath(action);
		if(!action.startsWith("https")) {
			action = "https" + action.substring(4);
			action = action.replace(
					String.valueOf(MeteosixApplication.get().getHttpPort()),
					String.valueOf(MeteosixApplication.get().getHttpsPort()));
		}
		tag.put("action", action);
	}

to also substitute the port numbers in the action (I get them from my
Application class with custom methods).

and the annotation @SemiSecurePage is not needed at all, since it will enter
the ifs the same, so you can freely remove it.

The issue is that when validation fails, it does not find the CSS because my
browser is requesting it without the context (e.g.
http://localhost:9090/styles/main/layout.css instead of
http://localhost:9090/myapplication/styles/main/layout.css). Doesn't it
happen to you? How can I fix that? When does Wicket establish the URL for
static resources like this? I'm adding it this way:

add(CSSPackageResource.getHeaderContribution("styles/main/layout.css"));

The rest of the solution works great, I didn't have much time to inspect it
(I can see the tricky parts :) ) and to check how much
wicket-version-dependent it can be, but I think it's OK (since it's
working!).

So the only thing is to fix the CSS issue, do you have any idea of how...?
Thank you
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3014970.html
Sent from the Users forum mailing list archive at Nabble.com.
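
Added example, not code from the thread or from Wicket: both SecureForm variants posted here (the one replacing the port digits anywhere in the action, and the later replacePort() matching ":port/") edit the URL as a string. The sketch below compares the first variant with a rewrite that parses the URL and changes only scheme and port; the class name, method names, ports and sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Hypothetical helper: rewrites a form action to HTTPS by parsing it. */
public class SecureActionRewriter {

    private final int httpPort;   // port of the plain-HTTP connector (assumed value)
    private final int httpsPort;  // port of the TLS connector (assumed value)

    public SecureActionRewriter(int httpPort, int httpsPort) {
        this.httpPort = httpPort;
        this.httpsPort = httpsPort;
    }

    /** String-based rewrite in the style of the thread's first variant, for comparison. */
    public String naiveToHttps(String action) {
        if (!action.startsWith("https")) {
            action = "https" + action.substring(4);
            // replaces the digits wherever they occur, not only in the authority
            action = action.replace(String.valueOf(httpPort), String.valueOf(httpsPort));
        }
        return action;
    }

    /** Parses the absolute action URL and changes only its scheme and port. */
    public String toHttps(String action) throws URISyntaxException {
        URI uri = new URI(action);
        if (uri.getScheme() == null || uri.getHost() == null) {
            throw new IllegalArgumentException("absolute http(s) URL expected: " + action);
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        int port;
        if (scheme.equals("https")) {
            port = uri.getPort();   // already secure: keep whatever port it has
        } else if (scheme.equals("http")) {
            port = httpsPort;       // covers an explicit port and the implicit :80
        } else {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }

        // User-info is deliberately not copied into the rewritten URL.
        StringBuilder out = new StringBuilder("https://").append(uri.getHost());
        if (port != -1 && port != 443) {
            out.append(':').append(port);
        }
        // Raw components keep percent-encoding, jsessionid and query untouched.
        if (uri.getRawPath() != null) {
            out.append(uri.getRawPath());
        }
        if (uri.getRawQuery() != null) {
            out.append('?').append(uri.getRawQuery());
        }
        if (uri.getRawFragment() != null) {
            out.append('#').append(uri.getRawFragment());
        }
        return out.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample: the session id happens to contain the HTTP port digits.
        SecureActionRewriter dev = new SecureActionRewriter(9090, 9443);
        String withSession = "http://localhost:9090/myapplication/;jsessionid=A9090B"
                + "?wicket:interface=:0:signInPanel:signInForm::IFormSubmitListener::";
        System.out.println("naive : " + dev.naiveToHttps(withSession));
        System.out.println("parsed: " + dev.toHttps(withSession));

        // Constructed sample: default HTTP port, so the URL carries no port to replace.
        SecureActionRewriter prod = new SecureActionRewriter(80, 8443);
        String noPort = "http://example.test/app/login?next=%2Faccount";
        System.out.println("naive : " + prod.naiveToHttps(noPort));
        System.out.println("parsed: " + prod.toHttps(noPort));
    }
}
```

In the first sample the string version also rewrites the digits inside the session id; in the second it leaves the action without a port, so the form would post to 443 rather than the configured HTTPS port.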



Re: SSL Links and buttons

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
Hi,

I think I managed to solve it: at least after an hour of testing I
haven't found a "leak" in my solution. The solution is as follows:

1-Create a secure form class as follows:

import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.model.IModel;
import org.apache.wicket.protocol.http.RequestUtils;

/**
 *
 * Form that does submit via HTTPs.
 *
 * @author Igor Vaynberg (ivaynberg)
 *
 */
public class SecureForm<T> extends Form<T>
{

	private static final long serialVersionUID = 1L;

	/**
	 * Constructor.
	 *
	 * @param id See Component
	 */
	public SecureForm(String id)
	{
		super(id);
	}

	/**
	 * @param id See Component
	 * @param model See Component
	 *
	 * @see org.apache.wicket.Component#Component(String, IModel)
	 */
	public SecureForm(String id, IModel<T> model)
	{
		super(id, model);
	}
		/*
	 * (non-Javadoc)
	 * @see org.apache.wicket.markup.html.form.Form#onComponentTag(org.apache.wicket.markup.ComponentTag)
	 */
	@Override
	protected void onComponentTag(ComponentTag tag)
	{
		super.onComponentTag(tag);		
		String action = tag.getAttribute("action");
		action = RequestUtils.toAbsolutePath(action);
		// rewrite action to use HTTPs
		if(!action.startsWith("https"))
			action = "https"+action.substring(4);
		tag.put("action", action);
		
	}
}

2-Make a local copy of SwitchProtocolRequestTarget (this class is only
package visible)
3-Copy SecureHttpsRequestCycleProcessor and modify it as follows:

import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.Component;
import org.apache.wicket.IRequestTarget;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.https.HttpsConfig;
import org.apache.wicket.protocol.https.RequireHttps;
import org.apache.wicket.request.RequestParameters;
import org.apache.wicket.request.target.component.IBookmarkablePageRequestTarget;
import org.apache.wicket.request.target.component.IPageRequestTarget;
import org.apache.wicket.request.target.component.listener.IListenerInterfaceRequestTarget;

import *your package*.SemiSecurePage;
import *your package*.SwitchProtocolRequestTarget.Protocol;

/**
 * Request cycle processor that can switch between http and https protocols based on the
 * {@link RequireHttps} annotation.
 *
 * Once this processor is installed, any page annotated with the {@link RequireHttps} annotation
 * will be served over https, while any page lacking the annotation will be served over http. The
 * annotation can be placed on a super class or an interface that a page implements.
 *
 * To install this processor:
 *
 * <pre>
 * class MyApplication extends WebApplication
 * {
 * 	&#064;Override
 * 	protected IRequestCycleProcessor newRequestCycleProcessor()
 * 	{
 * 		return new HttpsRequestCycleProcessor(config);
 * 	}
 * }
 * </pre>
 *
 * <b>Notes</b>: According to servlet spec a cookie created on an https request is marked as secure,
 * such cookies are not available for http requests. What this means is that a session started over
 * https will not be propagated to further http calls because JSESSIONID cookie will be marked as
 * secure and not available to http requests. This entails that unless a session is created and
 * bound on http prior to using an https request any wicket pages or session values stored in the
 * https session will not be available to further http requests. If your application requires a
 * http-&gt;https-&gt;http interactions (such as the case where only a login page and my account
 * pages are secure) you must make sure a session is created and stored in the http request prior to
 * the first http-&gt;https redirect.
 */
public class SecureHttpsRequestCycleProcessor extends WebRequestCycleProcessor
{
	private final HttpsConfig portConfig;

	/**
	 * Constructor
	 *
	 * @param httpsConfig
	 *            configuration
	 */
	public SecureHttpsRequestCycleProcessor(HttpsConfig httpsConfig)
	{
		portConfig = httpsConfig;
	}

	/**
	 * @return configuration
	 */
	public HttpsConfig getConfig()
	{
		return portConfig;
	}

	/**
	 * Checks if the class has a {@link RequireHttps} annotation
	 *
	 * @param klass
	 * @return true if klass has the annotation
	 */
	private boolean hasSecureAnnotation(Class<?> klass)
	{
		for (Class<?> c : klass.getInterfaces())
		{
			if (hasSecureAnnotation(c))
			{
				return true;
			}
		}
		if (klass.getAnnotation(RequireHttps.class) != null)
		{
			return true;
		}
		if (klass.getSuperclass() != null)
		{
			return hasSecureAnnotation(klass.getSuperclass());
		}
		else
		{
			return false;
		}
	}

	/**
	 * Gets page class from a request target
	 *
	 * @param target
	 * @return page class if there is one, null otherwise
	 */
	private Class<?> getPageClass(IRequestTarget target)
	{
		if (target instanceof IPageRequestTarget)
		{
			return ((IPageRequestTarget)target).getPage().getClass();
		}
		else if (target instanceof IBookmarkablePageRequestTarget)
		{
			return ((IBookmarkablePageRequestTarget)target).getPageClass();
		}
		else
		{
			return null;
		}
	}

	/** @deprecated use checkSecureIncoming */
	@Deprecated
	protected IRequestTarget checkSecure(IRequestTarget target)
	{
		return checkSecureIncoming(target);
	}

	/**
	 * Checks if the class has a {@link SemiSecurePage} annotation
	 *
	 * @param klass
	 * @return true if klass has the annotation
	 */
	private boolean hasSecureSemiSecureAnnotation(Class<?> klass)
	{
		if(klass == null)
			return false;
		
		for (Class<?> c : klass.getInterfaces())
		{
			// recurse with the SemiSecurePage check so annotated interfaces are found
			if (hasSecureSemiSecureAnnotation(c))
			{
				return true;
			}
		}
		if (klass.getAnnotation(SemiSecurePage.class) != null)
		{
			return true;
		}
		if (klass.getSuperclass() != null)
		{
			return hasSecureSemiSecureAnnotation(klass.getSuperclass());
		}
		else
		{
			return false;
		}
	}
	
	protected IRequestTarget checkSecureIncoming(IRequestTarget target)
	{

		if (target != null && target instanceof SwitchProtocolRequestTarget)
		{
			return target;
		}
		if (portConfig == null)
		{
			return target;
		}

		Class<?> pageClass = getPageClass(target);				
		
		if (pageClass != null)			
		{
			if(hasSecureSemiSecureAnnotation(pageClass)) {
				if (target instanceof IListenerInterfaceRequestTarget) {
					Component c = ((IListenerInterfaceRequestTarget) target).getTarget();
					if(SecureForm.class.isAssignableFrom(c.getClass())) {
						return target;
					}
				}
			}
			
			IRequestTarget redirect = null;
			if (hasSecureAnnotation(pageClass))
			{
				redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTPS);
			}
			else
			{
				redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTP);
			}
			if (redirect != null)
			{
				return redirect;
			}

		}
		return target;
	}

	protected IRequestTarget checkSecureOutgoing(IRequestTarget target)
	{

		if (target != null && target instanceof SwitchProtocolRequestTarget)
		{
			return target;
		}
		if (portConfig == null)
		{
			return target;
		}

		Class<?> pageClass = getPageClass(target);
			
		if (pageClass != null)
		{
			if(hasSecureSemiSecureAnnotation(pageClass)) {
				if (target instanceof IListenerInterfaceRequestTarget) {
					IListenerInterfaceRequestTarget interfaceRequestTarget =
						(IListenerInterfaceRequestTarget) target;
					Component c = interfaceRequestTarget.getTarget();
					if(SecureForm.class.isAssignableFrom(c.getClass())) {
						RequestCycle requestCycle = RequestCycle.get();
						WebRequest webRequest = (WebRequest)requestCycle.getRequest();
						HttpServletRequest request = webRequest.getHttpServletRequest();
						boolean isHTTPS =
							request.getScheme().equals(Protocol.HTTPS.name().toLowerCase());
						if(isHTTPS) {	
							if(webRequest instanceof SecureServletWebRequest) {
								((SecureServletWebRequest)webRequest).setUseAbsoluteURL(true);
							}
							return target;
						} else {
							return target;
						}
						
					}
				}
			}
			
			IRequestTarget redirect = null;
			if (hasSecureAnnotation(pageClass))
			{
				redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTPS, target);
			}
			else
			{
				redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTP, target);
			}
			if (redirect != null)
			{
				return redirect;
			}

		}
		return target;
	}


	/** {@inheritDoc} */
	@Override
	public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
	{
		
		if (portConfig.isPreferStateful())
		{
			// we need to persist the session before a redirect to https so the
			// session lasts across both http and https calls.
			Session.get().bind();
		}

		IRequestTarget target = super.resolve(rc, rp);
		return checkSecure(target);
	}

	/** {@inheritDoc} */
	@Override
	public void respond(RequestCycle requestCycle)
	{
		IRequestTarget requestTarget = requestCycle.getRequestTarget();
		if (requestTarget != null)
		{
			IRequestTarget secured = checkSecureOutgoing(requestTarget);
			if (secured != requestTarget)
			{
				requestCycle.setRequestTarget(secured);
				// respond will be called again because we called
				// setRequestTarget(), so we do not process it this time
				return;
			}
		}
		super.respond(requestCycle);
	}
}

-Created an annotation

import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks a page as containing a form submitted over HTTPs.
 *
 * NOTES: Adding {@link Inherited} annotation to this annotation will not work because we also
 * want it to work for interfaces
 *
 * @see HttpsRequestCycleProcessor
 *
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
public @interface SemiSecurePage {

}

and use to mark "SemiSecure pages". This part might be superfluous...
but I added it as an extra check.

-Create a SecureServletWebRequest

import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.protocol.http.servlet.ServletWebRequest;

/**
 * @author Ernesto Reinaldo Barreiro
 *
 */
public class SecureServletWebRequest extends ServletWebRequest {

	private boolean useAbsoluteURL = false;
	
	/**
	 * @param httpServletRequest
	 */
	public SecureServletWebRequest(HttpServletRequest httpServletRequest) {
		super(httpServletRequest);
	}

	public boolean isUseAbsoluteURL() {
		return useAbsoluteURL;
	}

	public void setUseAbsoluteURL(boolean useAbsoluteURL) {
		this.useAbsoluteURL = useAbsoluteURL;
	}

}

- Created SecureBufferedWebResponse

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.RequestCycle;
import org.apache.wicket.protocol.http.BufferedWebResponse;
import org.apache.wicket.protocol.http.WebRequest;

import "your package".SwitchProtocolRequestTarget.Protocol;

/**
 * @author Ernesto Reinaldo Barreiro
 *
 */
public class SecureBufferedWebResponse extends BufferedWebResponse {

	
	/**
	 * @param httpServletResponse
	 */
	public SecureBufferedWebResponse(HttpServletResponse httpServletResponse)
	{
		super(httpServletResponse);
	}
	

	
	@Override
	public CharSequence encodeURL(CharSequence url) {
		RequestCycle requestCycle = RequestCycle.get();
		WebRequest webRequest = (WebRequest)requestCycle.getRequest();	
		if((webRequest instanceof SecureServletWebRequest)
				&& ((SecureServletWebRequest)webRequest).isUseAbsoluteURL())
		{
			HttpServletRequest request = webRequest.getHttpServletRequest();
			boolean isHTTPS = request.getScheme().equals(Protocol.HTTPS.name().toLowerCase());
			if(isHTTPS) {
				SecureHttpsRequestCycleProcessor processor =
					(SecureHttpsRequestCycleProcessor)requestCycle.getProcessor();
				Integer port = null;
				if (processor.getConfig().getHttpPort() != 80)
				{
					port = processor.getConfig().getHttpPort();
				}
				String absUrl = getUrl("http", port, request, url.toString());
				return super.encodeURL(absUrl);
			}		
		}
		return super.encodeURL(url);
	}
	
	/**
	 * Rewrite the url using the specified protocol
	 *
	 * @param protocol
	 * @param port
	 * @param request
	 * @param queryString
	 * @return url
	 */
	protected String getUrl(String protocol, Integer port,
		HttpServletRequest request, String queryString)
	{
		// already absolute: return it untouched ("https" also starts with "http");
		// the null check comes first so a null query string cannot throw here
		if (queryString != null && queryString.startsWith("http"))
			return queryString;
		StringBuilder result = new StringBuilder();
		result.append(protocol);
		result.append("://");
		result.append(request.getServerName());
		if (port != null)
		{
			result.append(":");
			result.append(port);
		}
		result.append(request.getRequestURI());
		if (queryString != null)
		{
			// relative paths ("../...") are appended as they are; anything else
			// gets a leading "?" if it does not have one yet
			if (!queryString.startsWith("..") && !queryString.startsWith("?"))
				result.append("?");
			result.append(queryString);
		}
		return result.toString();
	}

}

-On your WebApplication class override

	@Override
	protected WebResponse newWebResponse(HttpServletResponse servletResponse) {
		return (getRequestCycleSettings().getBufferResponse()
				? new SecureBufferedWebResponse(servletResponse)
				: new WebResponse(servletResponse));
	}
	
	@Override
	protected WebRequest newWebRequest(HttpServletRequest servletRequest) {
		return new SecureServletWebRequest(servletRequest);
	}

The above seems to be working for me but the solution is "hacky" and
depends on framework "internals". The problem seems to be the generation
of relative URLs and this is what class SecureBufferedWebResponse is
trying to "fix". Can you try it and tell me if it works for you?

Regards,

Ernesto

On Tue, Oct 19, 2010 at 10:15 AM, sonxurxo <so...@gmail.com> wrote:
>
> Hi all,
> This question applies to Wicket 1.4.9.
> I have an app where I have a Sign-in component (Panel) that is shown in
> (almost) every page of the site. I'd like all the app to work over http, and
> that form to work over https. Since the @RequireHttps annotation only works
> on pages and not Components, how can I achieve that?
> I have some other pages (e.g. registration page) that is fully working over
> https with the mentioned annotation, everything is OK. But I can not get the
> sign-in form (included in quite some http-pages) work over https.
> Any ideas?
> If there's a core developer reading this, is there any plan of "extending"
> the @RequireHttps annotation to other Components rather than just pages?
> --
> View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3001634.html
> Sent from the Users forum mailing list archive at Nabble.com.
>


Re: SSL Links and buttons

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
Hi,

What I'm trying to do is:

1-Override

protected IRequestTarget checkSecureIncoming(IRequestTarget target)
	{

		if (target != null && target instanceof SwitchProtocolRequestTarget)
		{
			return target;
		}
		if (portConfig == null)
		{
			return target;
		}

		Class<?> pageClass = getPageClass(target);				
		
		if (pageClass != null)			
		{
			if(hasSecureSemiSecureAnnotation(pageClass)) {
				if (target instanceof IListenerInterfaceRequestTarget) {
					Component c = ((IListenerInterfaceRequestTarget) target).getTarget();
					if(SecureForm.class.isAssignableFrom(c.getClass())) {
						return target;
					}
				}
			}
			
			IRequestTarget redirect = null;
			if (hasSecureAnnotation(pageClass))
			{
				redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTPS);
			}
			else
			{
				redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTP);
			}
			if (redirect != null)
			{
				return redirect;
			}

		}
		return target;
	}

I have created a SemiSecure annotation to mark pages where I use
SecureForm so that I do not have to check for every
IListenerInterfaceRequestTarget on my application. I return the same
target as this request already comes via HTTPs (so no redirects are
needed).

My problem (and your problems I guess) are on

protected IRequestTarget checkSecureOutgoing(IRequestTarget target)
{
          ............

		if(hasSecureSemiSecureAnnotation(pageClass)) {
			if (target instanceof IListenerInterfaceRequestTarget) {
				IListenerInterfaceRequestTarget interfaceRequestTarget =
					(IListenerInterfaceRequestTarget) target;
				Component c = interfaceRequestTarget.getTarget();
				if(SecureForm.class.isAssignableFrom(c.getClass())) {
					// WHAT DO HERE
				}
			}
		}
}

Here the page has been processed and the form actually has errors
(secureForm.hasError() returns true) if there are any... But the
request is over HTTPS and

1- We cannot redirect to HTTP because this will generate a GET
request and you will lose POST parameters and will process page
again.
2- If we return the target then "normal" request processing will
continue and a redirect will be generated to the new version of the
page, but this will be done using a relative URL so the page will
switch to HTTPs (and you want it to stay on HTTP). This is done on
PageRequestTarget,

/**
	 * @see org.apache.wicket.IRequestTarget#respond(org.apache.wicket.RequestCycle)
	 */
	public void respond(RequestCycle requestCycle)
	{
		// Should page be redirected to?
		if (requestCycle.isRedirect())
		{
			// Redirect to the page
			requestCycle.redirectTo(page);
		}
		else
		{
			// Let page render itself
			page.renderPage();
		}
	}

which delegates to the final method WebRequestCycle.redirectTo(page)
which generates a redirect to a relative URL (over HTTPs).

Regards,

Ernesto



On Tue, Oct 26, 2010 at 8:52 AM, sonxurxo <so...@gmail.com> wrote:
>
> Hi Ernesto and others,
>
> Yes that's what I mentioned before, I'm able to do what you say, or to
> redirect to the HTTP page but not showing the validation errors, but not
> both HTTP and show errors.
> By the way, if you check for secureForm.hasError(), will it catch a
> situation where there's not literally a validation error but a
> business-logic error? (e.g. when, in the onSubmit() method of your login
> form, you check that the password is incorrect, it's not a wicket-validation
> error, and then you invoke "manually" the error() method of the panel
> containing the form to show the message but not the error() method of the
> form itself). Will it detect those situations? I'm trying and
> secureForm.hasError() always returns false, no matter there are even
> wicket-validation errors or not.
> --
> View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3013201.html
> Sent from the Users forum mailing list archive at Nabble.com.
>


Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Hi Ernesto and others,

Yes that's what I mentioned before, I'm able to do what you say, or to
redirect to the HTTP page but not showing the validation errors, but not
both HTTP and show errors. 
By the way, if you check for secureForm.hasError(), will it catch a
situation where there's not literally a validation error but a
business-logic error? (e.g. when, in the onSubmit() method of your login
form, you check that the password is incorrect, it's not a wicket-validation
error, and then you invoke "manually" the error() method of the panel
containing the form to show the message but not the error() method of the
form itself). Will it detect those situations? I'm trying and
secureForm.hasError() always returns false, no matter there are even
wicket-validation errors or not.
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3013201.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
Hi,

I'm also interested in solving this as I will need to implement a
similar use case in a coming application. The main problem I see in
solving it is that on

protected IRequestTarget checkSecureOutgoing(IRequestTarget target) {
....
}

even if you check for ListenerInterfaceRequestTarget and your Secure form e.g.

if (target instanceof IListenerInterfaceRequestTarget) {
	IListenerInterfaceRequestTarget interfaceRequestTarget =
		(IListenerInterfaceRequestTarget) target;
	Component c = interfaceRequestTarget.getTarget();
	if(SecureForm.class.isAssignableFrom(c.getClass())) {
		SecureForm<?> secureForm = (SecureForm<?>)c;
		if(secureForm.hasError()) {
			return target;
		}
	}
}

, to return the same target when you have validation errors,
ListenerInterfaceRequestTarget seems to be using logic from
PageRequestTarget

public void respond(RequestCycle requestCycle)
	{
		// Should page be redirected to?
		if (requestCycle.isRedirect())
		{
			// Redirect to the page
			requestCycle.redirectTo(page);
		}
		else
		{
			// Let page render itself
			page.renderPage();
		}
	}

to redirect to a "new" version of the page and as the request arrives
over HTTPS then you get redirected to the page, showing validation
errors, but over "https". I don't see yet how to switch it to HTTP.

Regards,

Ernesto


On Mon, Oct 25, 2010 at 8:58 AM, sonxurxo <so...@gmail.com> wrote:
>
> Hi all.
> I've been dealing with this and I don't have a working solution yet. The
> problem that my previously posted solution had is that when the form
> validation fails, it falls into an infinite redirect loop.
> Playing with my custom HttpsRequestCycleProcessor all I have achieved is to
> make it redirect to the right page, but "in its HTTPS version", when it
> should be HTTP (remember, HTTPS form embedded in a HTTP page). Or if I point
> my custom HttpsRequestCycleProcessor to redirect it to the HTTP version, it
> falls in that infinite redirect cycle or it loses the form data.
> Any hint? Any idea? How could I override checkSecureIncoming and
> checkSecureOutgoing methods to be aware of those situations? Thank you in
> advance
> --
> View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3009814.html
> Sent from the Users forum mailing list archive at Nabble.com.
>


Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Hi all.
I've been dealing with this and I don't have a working solution yet. The
problem that my previously posted solution had is that when the form
validation fails, it falls into an infinite redirect loop. 
Playing with my custom HttpsRequestCycleProcessor all I have achieved is to
make it redirect to the right page, but "in its HTTPS version", when it
should be HTTP (remember, HTTPS form embedded in a HTTP page). Or if I point
my custom HttpsRequestCycleProcessor to redirect it to the HTTP version, it
falls in that infinite redirect cycle or it loses the form data.
Any hint? Any idea? How could I override checkSecureIncoming and
checkSecureOutgoing methods to be aware of those situations? Thank you in
advance
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3009814.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
I localized an error in my solution: when validation fails, it enters an
infinite loop of redirects through:

[...]
if (this.isSecureFormRequest(target)) {
    redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTPS);
}
[...]

I don't know how to make it stop when validation fails on that form. If you
have any hints, thank you in advance. If I find a solution I'll also post it
here, of course. Thanks
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005514.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
By the way, now that it's done and supposing it's OK, wouldn't it be a good idea
to include something like that in the trunk? Or maybe in an extension? Maybe
do the same with some links? It's just an idea, I'm surprised not a lot of
people had to deal with this.
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005352.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Hi all,

I think I finally have the solution, thanks to everyone who guided me. Please
correct me if I'm missing something, I tested it quite well and everything
is OK. What I do is the following:

- I have my custom SecureForm class (inherits from Form), as I mentioned
before. It overrides the onComponentTag(ComponentTag tag) method to force it
to use HTTPS. The forms I want to use HTTPS inherit from that class.
- I wrote a custom MyHttpsRequestCycleProcessor, which extends
HttpsRequestCycleProcessor, and rewrites hasSecureAnnotation() and
getPageClass() (leaving them exactly as in HttpsRequestCycleProcessor class,
it's just because they are private and I need them). I create this utility
method: 

	private boolean isSecureFormRequest(IRequestTarget target) {
		if (target instanceof ListenerInterfaceRequestTarget) {
			Component c = ((ListenerInterfaceRequestTarget) target).getTarget();
			return SecureForm.class.isAssignableFrom(c.getClass());
		}
		return false;
	}

and override (now actually modifying) the checkSecureIncoming() method. It
now looks as follows:

	protected IRequestTarget checkSecureIncoming(IRequestTarget target) {

		if (target != null && target instanceof SwitchProtocolRequestTarget) {
			return target;
		}
		if (getConfig() == null) {
			return target;
		}

		Class<?> pageClass = getPageClass(target);
		if (pageClass != null) {
			IRequestTarget redirect = null;
			if (hasSecureAnnotation(pageClass) || this.isSecureFormRequest(target)) {
				redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTPS);
			} else {
				redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTP);
			}
			if (redirect != null) {
				return redirect;
			}

		}
		return target;
	}

What I do is force HTTPS redirect not only when I find the @HttpsRequired
annotation in the Page, but also when a request is made through an instance
of SecureForm or any of its possible subclasses.

What's your opinion? Am I missing something? Did I break something that I'll
realize in some weeks? Thank you very much for your very useful help, I just
had to put pieces together!!
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005339.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Martin Grigorov <mg...@apache.org>.
On Thu, Oct 21, 2010 at 11:30 AM, sonxurxo <so...@gmail.com> wrote:

>
> Thank you all for your responses.
> Yes, I was thinking about that. How could I achieve that?
> I'd like to be able to access the form that generated the request through
> the target parameter, but it's not visible. If I could, I'd determine if
> it's an instance of my custom SecureForm class and process the request
> properly.
> Also, I see that when the form is sent using POST, the target argument
> received in the checkSecureIncoming(IRequestTarget target) method is an
> instance of BookmarkablePageRequestTarget, and I can access there to the
> POST parameters which get lost after the redirect, but I don't know what can
> I do with them to keep them, and even more, I don't know if the things I do
> there may interfere with other normal request processing. Any hints to do
> that? Thanks
>


From the current request you can check the protocol (https), the parameters
(their names are specific for that form, I guess) and if you recognize that
this is the special case then just suppress the normal checkSecureIncoming()
(it is protected, so you can provide your own impl).
So the POST request will not be immediately redirected to GET, but it will
be processed.

--
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005272.html
> Sent from the Users forum mailing list archive at Nabble.com.
>

Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Thank you all for your responses. 
Yes, I was thinking about that. How could I achieve that?
I'd like to be able to access the form that generated the request through
the target parameter, but it's not visible. If I could, I'd determine if
it's an instance of my custom SecureForm class and process the request
properly.
Also, I see that when the form is sent using POST, the target argument
received in the checkSecureIncoming(IRequestTarget target) method is an
instance of BookmarkablePageRequestTarget, and I can access there to the
POST parameters which get lost after the redirect, but I don't know what can
I do with them to keep them, and even more, I don't know if the things I do
there may interfere with other normal request processing. Any hints to do
that? Thanks
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005272.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Martin Grigorov <mg...@apache.org>.
Then maybe you'll need to
modify org.apache.wicket.protocol.https.HttpsRequestCycleProcessor.checkSecureIncoming(IRequestTarget)
to your needs.

On Thu, Oct 21, 2010 at 9:56 AM, sonxurxo <so...@gmail.com> wrote:

>
> I use some secure pages annotated with @RequireHttps, but not all the pages
> where the login panel will be. For example, the main page or the "general
> info page" will not be secured, but the login panel will be there in both
> pages. There are also other "profile-dependent" pages that are of course
> fully secured, and others -as I mentioned in an older post, the registration
> page is an example-.
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005153.html
> Sent from the Users forum mailing list archive at Nabble.com.
>

Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
I use some secure pages annotated with @RequireHttps, but not all the pages
where the login panel will be. For example, the main page or the "general
info page" will not be secured, but the login panel will be there in both
pages. There are also other "profile-dependent" pages that are of course
fully secured, and others -as I mentioned in an older post, the registration
page is an example-.
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005153.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Martin Grigorov <mg...@apache.org>.
Since you don't use secure Pages (pages with @RequireHttps) then I see no
reason to register HttpsRequestCycleProcessor.

On Thu, Oct 21, 2010 at 9:24 AM, sonxurxo <so...@gmail.com> wrote:

>
> Yes, the HttpsRequestCycleProcessor is doing a redirect from HTTPS to HTTP,
> both using "POST" and "GET" methods (btw Melinda, as you pointed, this last
> one preserves the values as it was expected but I can not use this way...).
> Is there anything I can do to avoid that? The
> checkSecureIncoming(IRequestTarget target) method of that class checks only
> that the class (or its superinterfaces) are annotated with RequireHttps, and
> if not, redirects to HTTP. Is there something I can do to send the form with
> POST? Thank you again in advance
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005126.html
> Sent from the Users forum mailing list archive at Nabble.com.
>

Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Yes, the HttpsRequestCycleProcessor is doing a redirect from HTTPS to HTTP,
both using "POST" and "GET" methods (btw Melinda, as you pointed, this last
one preserves the values as it was expected but I can not use this way...).
Is there anything I can do to avoid that? The
checkSecureIncoming(IRequestTarget target) method of that class checks only
that the class (or its superinterfaces) are annotated with RequireHttps, and
if not, redirects to HTTP. Is there something I can do to send the form with
POST? Thank you again in advance
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005126.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Igor Vaynberg <ig...@gmail.com>.
look at the requests and make sure that the httpsrequestcycleprocessor
is not doing a secure->unsecure redirect which would lose the form
values.

-igor

On Wed, Oct 20, 2010 at 12:05 AM, sonxurxo <so...@gmail.com> wrote:
>
> Hi Igor, thank you for your response.
>
> I tried what you pointed. The action URL in the form is correctly replaced,
> since I can see it with Firebug. And even Wicket receives the request when
> pressing the submit button, but it fails on validating required fields: it
> does not receive the values, neither with theFormField.getInput() (returns
> "") nor theFormField.getDefaultModelObjectAsString() (returns null).
> Just in case it matters, I'm trying it both with Jetty (http port:9090,
> https port:8443) and with Tomcat (http port:80 -with mod_jk, https
> port:443), so I modified the onComponentTag method you posted and my
> SecureForm class now looks like:
>
>
> public class SecureForm<T> extends Form<T> {
>
>        public SecureForm(String id) {
>                super(id);
>        }
>
>        @Override
>        protected void onComponentTag(ComponentTag tag) {
>                super.onComponentTag(tag);
>                String action = tag.getAttribute("action");
>                action = RequestUtils.toAbsolutePath(action);
>                action = "https" + action.substring(4);
>                action = action.replace(MyApplication.get().getHttpPort(),
>                                MyApplication.get().getHttpsPort());
>                tag.put("action", action);
>        }
> }
>
>
> but that modification doesn't seem to be a problem since the action URL
> looks OK in both cases (the port number is well replaced). Debugging with
> Firebug I can see that the field values are correctly sent by POST.
> More possible important info: the form is included in a Page that is NOT
> annotated with @RequireHttps.
>
> Am I missing something? Any ideas? Thank you in advance.
> --
> View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3003364.html
> Sent from the Users forum mailing list archive at Nabble.com.
>


Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Thank you Melinda for your response,

I didn't try that because, even when querystring (and therefore GET
parameters are too) is secured with SSL, there are some reasons that point
that it's a bad idea (look at the first answer at
http://stackoverflow.com/questions/323200/is-a-https-query-string-secure).
Thank you anyway :)
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3003805.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: SSL Links and buttons

Posted by Melinda Dweer <me...@gmail.com>.
Can you try using

<form wicket:id="form" method="get">
</form>

E.M.D

On Wed, Oct 20, 2010 at 9:05 AM, sonxurxo <so...@gmail.com> wrote:

>
> Hi Igor, thank you for your response.
>
> I tried what you pointed. The action URL in the form is correctly replaced,
> since I can see it with Firebug. And even Wicket receives the request when
> pressing the submit button, but it fails on validating required fields: it
> does not receive the values, neither with theFormField.getInput() (returns
> "") nor theFormField.getDefaultModelObjectAsString() (returns null).
> Just in case it matters, I'm trying it both with Jetty (http port:9090,
> https port:8443) and with Tomcat (http port:80 -with mod_jk, https
> port:443), so I modified the onComponentTag method you posted and my
> SecureForm class now looks like:
>
>
> public class SecureForm<T> extends Form<T> {
>
>        public SecureForm(String id) {
>                super(id);
>        }
>
>        @Override
>        protected void onComponentTag(ComponentTag tag) {
>                super.onComponentTag(tag);
>                String action = tag.getAttribute("action");
>                action = RequestUtils.toAbsolutePath(action);
>                action = "https" + action.substring(4);
>                action = action.replace(MyApplication.get().getHttpPort(),
>                                MyApplication.get().getHttpsPort());
>                tag.put("action", action);
>        }
> }
>
>
> but that modification doesn't seem to be a problem since the action URL
> looks OK in both cases (the port number is well replaced). Debugging with
> Firebug I can see that the field values are correctly sent by POST.
> More possible important info: the form is included in a Page that is NOT
> annotated with @RequireHttps.
>
> Am I missing something? Any ideas? Thank you in advance.
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3003364.html
> Sent from the Users forum mailing list archive at Nabble.com.
>

Re: SSL Links and buttons

Posted by sonxurxo <so...@gmail.com>.
Hi Igor, thank you for your response.

I tried what you pointed. The action URL in the form is correctly replaced,
since I can see it with Firebug. And even Wicket receives the request when
pressing the submit button, but it fails on validating required fields: it
does not receive the values, neither with theFormField.getInput() (returns
"") nor theFormField.getDefaultModelObjectAsString() (returns null).
Just in case it matters, I'm trying it both with Jetty (http port:9090,
https port:8443) and with Tomcat (http port:80 -with mod_jk, https
port:443), so I modified the onComponentTag method you posted and my
SecureForm class now looks like:


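import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.protocol.http.RequestUtils;

public class SecureForm<T> extends Form<T> {

	public SecureForm(String id) {
		super(id);
	}

	@Override
	protected void onComponentTag(ComponentTag tag) {
		super.onComponentTag(tag);
		// turn the relative action into an absolute http:// URL
		String action = tag.getAttribute("action");
		action = RequestUtils.toAbsolutePath(action);
		// swap the scheme: "http..." becomes "https..."
		action = "https" + action.substring(4);
		// swap the HTTP port for the HTTPS port (both are application settings)
		action = action.replace(MyApplication.get().getHttpPort(),
				MyApplication.get().getHttpsPort());
		tag.put("action", action);
	}
}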


but that modification doesn't seem to be a problem since the action URL
looks OK in both cases (the port number is well replaced). Debugging with
Firebug I can see that the field values are correctly sent by POST.
More possibly important info: the form is included in a Page that is NOT
annotated with @RequireHttps.

Am I missing something? Any ideas? Thank you in advance.
-- 
View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3003364.html
Sent from the Users forum mailing list archive at Nabble.com.
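
An added example, not part of the original post or of Wicket: the action URL is rebuilt from parsed components with java.net.URI instead of substring and replace, so only the scheme and the port change. The class name HttpsActionUrl, the toHttps signature with int ports, and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not code from the thread: rebuild the action URL from parsed
// components so that only the scheme and the port change.
public final class HttpsActionUrl {

    // httpPort and httpsPort are the container's connector ports (assumed parameters).
    public static String toHttps(String absoluteUrl, int httpPort, int httpsPort)
            throws URISyntaxException {
        URI in = new URI(absoluteUrl);
        if (in.getHost() == null || !"http".equalsIgnoreCase(in.getScheme())) {
            throw new IllegalArgumentException("expected an absolute http URL: " + absoluteUrl);
        }
        // No explicit port means the http default, 80.
        int port = in.getPort() == -1 ? 80 : in.getPort();
        if (port != httpPort) {
            throw new IllegalArgumentException("unexpected port " + port);
        }
        // Only the host is copied from the authority; any user-info is dropped.
        StringBuilder out = new StringBuilder("https://").append(in.getHost());
        if (httpsPort != 443) {
            out.append(':').append(httpsPort); // omit the https default port
        }
        // Raw components are copied unchanged, so existing escapes are not re-encoded.
        out.append(in.getRawPath());
        if (in.getRawQuery() != null) {
            out.append('?').append(in.getRawQuery());
        }
        return out.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample URLs; the hosts, paths and form ids are made up.
        String jetty = "http://localhost:9090/shop/order/9090"
                + "?wicket:interface=:0:signIn:form::IFormSubmitListener::";
        String tomcat = "http://www.example.test/shop/"
                + "?wicket:interface=:0:signIn:form::IFormSubmitListener::";

        // String surgery as in the thread: the port digits in the path change too.
        String naive = ("https" + jetty.substring(4)).replace("9090", "8443");
        System.out.println("naive : " + naive);
        System.out.println("parsed: " + toHttps(jetty, 9090, 8443));
        System.out.println("parsed: " + toHttps(tomcat, 80, 443));
    }
}
```

In onComponentTag the input would be the result of RequestUtils.toAbsolutePath(action), and the returned string is what goes into tag.put("action", ...).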



Re: SSL Links and buttons

Posted by Igor Vaynberg <ig...@gmail.com>.
so far i don't think there are any plans to support ssl forms outside
of @RequireHttps

here is something that might work for you though:

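import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.protocol.http.RequestUtils;

class SecureForm<T> extends Form<T> {
  SecureForm(String id) { super(id); }

  @Override
  protected void onComponentTag(ComponentTag tag) {
    super.onComponentTag(tag);
    // make the form's action absolute, then swap the scheme to https
    String act = tag.getAttribute("action");
    act = RequestUtils.toAbsolutePath(act);
    act = "https" + act.substring(4);
    tag.put("action", act);
  }
}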

-igor

On Tue, Oct 19, 2010 at 1:15 AM, sonxurxo <so...@gmail.com> wrote:
>
> Hi all,
> This question applies to Wicket 1.4.9.
> I have an app where I have a Sign-in component (Panel) that is shown in
> (almost) every page of the site. I'd like all the app to work over http, and
> that form to work over https. Since the @RequireHttps annotation only works
> on pages and not Components, how can I achieve that?
> I have some other pages (e.g. registration page) that is fully working over
> https with the mentioned annotation, everything is OK. But I can not get the
> sign-in form (included in quite some http-pages) work over https.
> Any ideas?
> If there's a core developer reading this, is there any plan of "extending"
> the @RequireHttps annotation to other Components rather than just pages?
> --
> View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3001634.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
>
>
