Posted to users@wicket.apache.org by shumbola <sh...@yahoo.com> on 2007/07/30 13:23:07 UTC
Switching to SSL for SignIn page
I want to be able to switch to SSL when the SignIn page is shown to a user and, if
sign-in is successful, switch back to the normal HTTP protocol. I'm using wicket-1.3.
In my Application class I've come up with the following:
protected IRequestCycleProcessor newRequestCycleProcessor() {
    return new WebRequestCycleProcessor() {
        public void respond(RequestCycle requestCycle) {
            IRequestTarget target = requestCycle.getRequestTarget();
            WebResponse response = (WebResponse) requestCycle.getResponse();
            WebRequest request = (WebRequest) requestCycle.getRequest();
            HttpServletRequest httpServletRequest = request.getHttpServletRequest();
            if (target instanceof BookmarkablePageRequestTarget) {
                // SignIn requested over plain HTTP: redirect to the same page over HTTPS
                if (((BookmarkablePageRequestTarget) target).getPage() instanceof SignIn
                        && !httpServletRequest.isSecure()) {
                    StringBuffer url = new StringBuffer("https://");
                    url.append(httpServletRequest.getServerName());
                    // HTTPS_PORT / HTTP_PORT: port constants defined elsewhere in the Application class (not shown)
                    url.append(":").append(HTTPS_PORT);
                    String s = RequestCycle.get().urlFor(target).toString();
                    // "/app/" is the Wicket filter path, hard-coded here
                    url.append("/app/").append(s);
                    response.redirect(url.toString());
                }
                // Home requested over HTTPS: redirect back to plain HTTP
                else if (((BookmarkablePageRequestTarget) target).getPage() instanceof Home
                        && httpServletRequest.isSecure()) {
                    StringBuffer url = new StringBuffer("http://");
                    url.append(httpServletRequest.getServerName());
                    url.append(":").append(HTTP_PORT);
                    String s = RequestCycle.get().urlFor(target).toString();
                    url.append("/app/").append(s);
                    response.redirect(url.toString());
                } else {
                    target.respond(requestCycle);
                }
            } else {
                target.respond(requestCycle);
            }
        }
    };
}
It kinda works, but I'm not sure if I'm doing it the right way, and I'm not sure
if it is bug free. I don't fully understand how the wicket requestcycle works, so
I need your help there.
Thanks.
shumbola
--
View this message in context: http://www.nabble.com/Switching-to-SSL-for-SignIn-page-tf4169495.html#a11861892
Sent from the Wicket Users New mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: Switching to SSL for SignIn page
Posted by Martijn Dashorst <ma...@gmail.com>.
This message is sent across https from gmail :)
It only works however when you use https: in the first place to
connect to gmail. The default (http:) is less straining on the server
resources I suppose (though Google should have enough of that)
Martijn
On 7/30/07, shumbola <sh...@yahoo.com> wrote:
>
>
>
> Upayavira-2 wrote:
> >
> > shumbola wrote:
> >> I want to be able to switch to SSL when the SignIn page is shown to a user and,
> >> if sign-in is successful, switch back to the normal HTTP protocol. I'm using
> >> wicket-1.3.
> >
> > We recently had a security firm audit our application. They pointed out
> > that such an approach is flawed.
> >
> > Basically, you secure the transfer of username/passwords, but from then
> > on, you pass a session cookie unprotected. For the lifespan of that
> > cookie, gaining access to the cookie would grant the same access to the
> > application as would the username/password.
> >
> > Therefore, by rights, if you wish to protect the transfer of
> > username/password, the entire application should use SSL.
> >
> > Hope I'm not missing something.
> >
> > Regards, Upayavira
>
> Doesn't yahoo mail, gmail, etc. work that way?
> When I go to my yahoo mail it switches to the SSL signin page and afterwards
> switches back to http. Or is there additional protection then?
>
> shumbola
--
Wicket joins the Apache Software Foundation as Apache Wicket
Apache Wicket 1.3.0-beta2 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.0-beta2/
Re: Switching to SSL for SignIn page
Posted by Upayavira <uv...@odoko.co.uk>.
shumbola wrote:
>
>
> Upayavira-2 wrote:
>> shumbola wrote:
>>> I want to be able to switch to SSL when the SignIn page is shown to a user and,
>>> if sign-in is successful, switch back to the normal HTTP protocol. I'm using
>>> wicket-1.3.
>> We recently had a security firm audit our application. They pointed out
>> that such an approach is flawed.
>>
>> Basically, you secure the transfer of username/passwords, but from then
>> on, you pass a session cookie unprotected. For the lifespan of that
>> cookie, gaining access to the cookie would grant the same access to the
>> application as would the username/password.
>>
>> Therefore, by rights, if you wish to protect the transfer of
>> username/password, the entire application should use SSL.
>>
>> Hope I'm not missing something.
>>
>> Regards, Upayavira
> Doesn't yahoo mail, gmail, etc. work that way?
> When I go to my yahoo mail it switches to the SSL signin page and afterwards
> switches back to http. Or is there additional protection then?
Not aware of any additional protection. If they are using a session key,
that could be hijacked. Use the firefox webdeveloper plugin to view
request headers and see what a snooper could find. Then make your own
decision. It is your site and you need to decide upon the level of
security required.
Regards, Upayavira
Re: Switching to SSL for SignIn page
Posted by shumbola <sh...@yahoo.com>.
Upayavira-2 wrote:
>
> shumbola wrote:
>> I want to be able to switch to SSL when the SignIn page is shown to a user and,
>> if sign-in is successful, switch back to the normal HTTP protocol. I'm using
>> wicket-1.3.
>
> We recently had a security firm audit our application. They pointed out
> that such an approach is flawed.
>
> Basically, you secure the transfer of username/passwords, but from then
> on, you pass a session cookie unprotected. For the lifespan of that
> cookie, gaining access to the cookie would grant the same access to the
> application as would the username/password.
>
> Therefore, by rights, if you wish to protect the transfer of
> username/password, the entire application should use SSL.
>
> Hope I'm not missing something.
>
> Regards, Upayavira
Doesn't yahoo mail, gmail, etc. work that way?
When I go to my yahoo mail it switches to the SSL signin page and afterwards
switches back to http. Or is there additional protection then?
shumbola
Re: Switching to SSL for SignIn page
Posted by Upayavira <uv...@odoko.co.uk>.
shumbola wrote:
> I want to be able to switch to SSL when the SignIn page is shown to a user and, if
> sign-in is successful, switch back to the normal HTTP protocol. I'm using wicket-1.3.
We recently had a security firm audit our application. They pointed out
that such an approach is flawed.
Basically, you secure the transfer of username/passwords, but from then
on, you pass a session cookie unprotected. For the lifespan of that
cookie, gaining access to the cookie would grant the same access to the
application as would the username/password.
Therefore, by rights, if you wish to protect the transfer of
username/password, the entire application should use SSL.
Hope I'm not missing something.
Regards, Upayavira
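As an added example (not code from this thread or from Wicket), here is the approach Upayavira recommends above, the whole application over SSL, done as a servlet filter plus context listener instead of the request-cycle processor in the original post; it assumes the Servlet 3.0 API (for SessionCookieConfig) and a constructed init-param name `httpsPort`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Redirects every plain-HTTP request to its HTTPS equivalent, so the session
// cookie is never sent in the clear after sign-in. Register this one class in
// web.xml both as a <filter> mapped to "/*" and as a <listener>.
public class RequireHttps implements Filter, ServletContextListener {
    private int httpsPort = 443;   // overridden by the (assumed) "httpsPort" init-param

    // Listener role: mark the container's session cookie Secure (and HttpOnly)
    // before the context starts; Servlet 3.0 requires this before initialization.
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
    }
    public void contextDestroyed(ServletContextEvent sce) { }

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("httpsPort");
        if (p != null) { httpsPort = Integer.parseInt(p); }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!request.isSecure()) {
            // Redirect instead of serving: nothing, cookie included, is answered over HTTP.
            ((HttpServletResponse) res).sendRedirect(httpsUrl(request, httpsPort));
            return;
        }
        chain.doFilter(req, res);
    }

    // Same host, path and query string with the https scheme; the port is
    // omitted when it is the default. getRequestURI() already carries the
    // context and filter path, so nothing like "/app/" is hard-coded.
    static String httpsUrl(HttpServletRequest request, int httpsPort) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) { url.append(':').append(httpsPort); }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) { url.append('?').append(request.getQueryString()); }
        return url.toString();
    }

    public void destroy() { }
}
```

isSecure() reflects what the container itself saw, so behind a TLS-terminating proxy the connector must be told the request arrived over HTTPS or every request will redirect in a loop. A POST that arrives over plain HTTP becomes a GET after the redirect and loses its body, which is the intended outcome: that form should never have been served over HTTP in the first place.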