Posted to dev@lenya.apache.org by Andreas Hartmann <an...@apache.org> on 2007/05/07 15:03:24 UTC

SSL handling

Hi Lenya devs,

our SSL handling is a bit undetermined ATM (please correct me
if I'm wrong). We support to set and detect if a page should use
an SSL connection, and select the proxy based on this setting.

Some questions:

- If a page is requested using SSL, should all links from this
page to other internal pages also use an https:// URL? IMO yes.

- Should we support to configure SSL for usecases?

-- Andreas



-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org


Re: SSL handling

Posted by Markus Angst <ma...@inventec.ch>.
>>> - If a page is requested using SSL, should all links from this
>>> page to other internal pages also use an https:// URL? IMO yes.
>>
>> I note that you write "requested using" and not "configured for" SSL.
> 
> Yes - I once had a discussion with a customer, and he stated that
> it doesn't make sense to configure SSL per page. Once a user
> requests a page using SSL, she expects that the subsequent pages
> are served using SSL as well. Not sure if this principle is
> universally valid, though.

Sounds kind of special, at least to me.

>> ...
>>
>> After
>> a few clicks ("from https to https"), you might end up with an URL that
>> cannot be served.
> 
> Why would that be the case?

If you have a link pointing to a resource that is only served without SSL and 
the user has "switched to SSL" and then clicks on this link, he will either be 
switched back to http:// or get a 404 (or other) error message, depending on any 
proxying/rewriting that may be in effect outside of Lenya.

>> Not sure about this, but I guess that most of the times internal links
>> are absolute only when Lenya proxying is in effect??
> 
> AFAIK most links are resolved to absolute URLs ATM.

Not in my installation (last SVN update 2 days ago; no Lenya proxying enabled). 
If I search the html source of a page served by Lenya (authoring or live), I 
don't see any absolute links at all (except the ones to external sites, of 
course). Maybe there is a misunderstanding? Are you talking about a different 
kind of link?

Thanks!
Markus Angst



Re: SSL handling

Posted by Andreas Hartmann <an...@apache.org>.
Michael Wechner wrote:
> Andreas Hartmann wrote:

[...]

>> Sorry, my wording was not correct. It has to be possible to switch
>> to SSL for certain pages, but according to him the subsequent pages
>> should be served using SSL too.
>
> what do you mean with subsequent? Subsequent clicks?

Yes.

> (I guess when using relative paths then these will also be SSL)
> 
> When one is using absolute paths then I guess SSL should only be used
> when the flag is set to true.

Why should the behaviour differ between relative and absolute paths?

> Also one needs to be aware of the difficulty of absolute paths behind a
> proxy.

Yes, I guess that's why Jörn proposed to use relative paths whenever
possible.

-- Andreas


-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch




Re: SSL handling

Posted by Michael Wechner <mi...@wyona.com>.
Andreas Hartmann wrote:

> Michael Wechner wrote:
>> Andreas Hartmann wrote:
>>> Markus Angst wrote:
>>>> Hi,
>>>>
>>>>> our SSL handling is a bit undetermined ATM (please correct me
>>>>> if I'm wrong). We support to set and detect if a page should use
>>>>> an SSL connection, and select the proxy based on this setting.
>>>>>
>>>>> Some questions:
>>>>>
>>>>> - If a page is requested using SSL, should all links from this
>>>>> page to other internal pages also use an https:// URL? IMO yes.
>>>>
>>>> I note that you write "requested using" and not "configured for" SSL.
>>>
>>> Yes - I once had a discussion with a customer, and he stated that
>>> it doesn't make sense to configure SSL per page.
>>
>> just think about data sheets of employees with salaries included, etc.
>
> Sorry, my wording was not correct. It has to be possible to switch
> to SSL for certain pages, but according to him the subsequent pages
> should be served using SSL too.

what do you mean with subsequent? Subsequent clicks? (I guess when using 
relative paths then these will also be SSL)

When one is using absolute paths then I guess SSL should only be used 
when the flag is set to true.

Also one needs to be aware of the difficulty of absolute paths behind a 
proxy.

Cheers

Michael

>>> Once a user
>>> requests a page using SSL, she expects that the subsequent pages
>>> are served using SSL as well. Not sure if this principle is
>>> universally valid, though.
>>
>> I don't think that really makes (whereas it also doesn't hurt probably),
>> whereas I think it makes sense if the SSL could be inherited, such that
>> whole areas can be flagged as SSL, but I don't know if Lenya does
>> support this functionality.
>
> AFAIK the setting of the SSL checkbox is inherited, you can't disable
> SSL on a descendant of an SSL-encrypted page.
>
> -- Andreas


-- 
Michael Wechner
Wyona      -   Open Source Content Management   -    Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org
+41 44 272 91 61




Re: SSL handling

Posted by Andreas Hartmann <an...@apache.org>.
Michael Wechner wrote:
> Andreas Hartmann wrote:
> 
>> Markus Angst wrote:
>>
>>> Hi,
>>>
>>>> our SSL handling is a bit undetermined ATM (please correct me
>>>> if I'm wrong). We support to set and detect if a page should use
>>>> an SSL connection, and select the proxy based on this setting.
>>>>
>>>> Some questions:
>>>>
>>>> - If a page is requested using SSL, should all links from this
>>>> page to other internal pages also use an https:// URL? IMO yes.
>>>
>>> I note that you write "requested using" and not "configured for" SSL.
>>
>> Yes - I once had a discussion with a customer, and he stated that
>> it doesn't make sense to configure SSL per page.
> 
> just think about data sheets of employees with salaries included, etc.

Sorry, my wording was not correct. It has to be possible to switch
to SSL for certain pages, but according to him the subsequent pages
should be served using SSL too.


>> Once a user
>> requests a page using SSL, she expects that the subsequent pages
>> are served using SSL as well. Not sure if this principle is
>> universally valid, though.
> 
> I don't think that really makes (whereas it also doesn't hurt probably),
> whereas I think it makes sense if the SSL could be inherited, such that
> whole areas can be flagged as SSL, but I don't know if Lenya does
> support this functionality.

AFAIK the setting of the SSL checkbox is inherited, you can't disable
SSL on a descendant of an SSL-encrypted page.

-- Andreas


-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
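
Added illustration, not part of the thread and not Lenya code: the link policies discussed above, in Python. It covers the inherited SSL flag, "sticky" https links from a page requested over SSL, and the relative-link case where the browser keeps the scheme of the current page. The flagged path, host name and function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed data: paths that carry the SSL flag (hypothetical layout).
SSL_FLAGGED = {"/intranet"}


def requires_ssl(path):
    """True if the page or any of its ancestors is flagged (inherited flag)."""
    parts = path.rstrip("/").split("/")
    while len(parts) > 1:
        if "/".join(parts) in SSL_FLAGGED:
            return True
        parts.pop()
    return False


def link_scheme(request_scheme, target_path, sticky=True):
    """Scheme for an absolute internal link.

    sticky=True:  a page requested over https links to https everywhere.
    sticky=False: https only where the (inherited) flag is set.
    """
    if requires_ssl(target_path) or (sticky and request_scheme == "https"):
        return "https"
    return "http"


def absolute_link(page_url, target_path, sticky=True):
    """Build the absolute URL; assumes one host name and default ports."""
    page = urlsplit(page_url)
    scheme = link_scheme(page.scheme, target_path, sticky)
    return f"{scheme}://{page.netloc}{target_path}"


def cleartext_hits(page_url, hrefs):
    """Relative hrefs the browser would fetch over http although the
    target requires SSL; these need a server-side redirect or rewrite."""
    hits = []
    for href in hrefs:
        resolved = urlsplit(urljoin(page_url, href))
        if resolved.scheme == "http" and requires_ssl(resolved.path):
            hits.append(resolved.geturl())
    return hits


if __name__ == "__main__":
    page = "http://www.example.org/news/index.html"
    print(absolute_link(page, "/intranet/hr/salaries.html"))
    print(cleartext_hits(page, ["../intranet/hr/salaries.html", "a.html"]))
```

A relative link written on a page served over http reaches a flagged page in clear text unless something outside the link rewriting redirects it, which is the case cleartext_hits reports.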




Re: SSL handling

Posted by Michael Wechner <mi...@wyona.com>.
Andreas Hartmann wrote:

> Markus Angst wrote:
>> Hi,
>>
>>> our SSL handling is a bit undetermined ATM (please correct me
>>> if I'm wrong). We support to set and detect if a page should use
>>> an SSL connection, and select the proxy based on this setting.
>>>
>>> Some questions:
>>>
>>> - If a page is requested using SSL, should all links from this
>>> page to other internal pages also use an https:// URL? IMO yes.
>>
>> I note that you write "requested using" and not "configured for" SSL.
>
> Yes - I once had a discussion with a customer, and he stated that
> it doesn't make sense to configure SSL per page.

just think about data sheets of employees with salaries included, etc.

> Once a user
> requests a page using SSL, she expects that the subsequent pages
> are served using SSL as well. Not sure if this principle is
> universally valid, though.

I don't think that really makes (whereas it also doesn't hurt probably), 
whereas I think it makes sense if the SSL could be inherited, such that 
whole areas can be flagged as SSL, but I don't know if Lenya does 
support this functionality.

Cheers

Michael

>> What do you mean by "internal"? Internal to Lenya, the publication or to
>> a usecase?
>
> I meant internal to Lenya, but this is subject to discussion.
>
>> This means that a user can switch to https whenever he/she wants.
>
> Yes, at least this is what my customer required.
>
>> After
>> a few clicks ("from https to https"), you might end up with an URL that
>> cannot be served.
>
> Why would that be the case?
>
>> Not sure about this, but I guess that most of the times internal links
>> are absolute only when Lenya proxying is in effect??
>
> AFAIK most links are resolved to absolute URLs ATM.
>
>>> - Should we support to configure SSL for usecases?
>>
>> At least for the login usecase (and probably some more; e.g. custom made
>> ones) this would make sense.
>
> OK.
>
> Thanks for your comments!
>
> -- Andreas


-- 
Michael Wechner
Wyona      -   Open Source Content Management   -    Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org
+41 44 272 91 61




Re: SSL handling

Posted by Andreas Hartmann <an...@apache.org>.
Markus Angst wrote:
> Hi,
> 
>> our SSL handling is a bit undetermined ATM (please correct me
>> if I'm wrong). We support to set and detect if a page should use
>> an SSL connection, and select the proxy based on this setting.
>>
>> Some questions:
>>
>> - If a page is requested using SSL, should all links from this
>> page to other internal pages also use an https:// URL? IMO yes.
> 
> I note that you write "requested using" and not "configured for" SSL.

Yes - I once had a discussion with a customer, and he stated that
it doesn't make sense to configure SSL per page. Once a user
requests a page using SSL, she expects that the subsequent pages
are served using SSL as well. Not sure if this principle is
universally valid, though.

> What do you mean by "internal"? Internal to Lenya, the publication or to
> a usecase?

I meant internal to Lenya, but this is subject to discussion.

> This means that a user can switch to https whenever he/she wants.

Yes, at least this is what my customer required.

> After
> a few clicks ("from https to https"), you might end up with an URL that
> cannot be served.

Why would that be the case?

> Not sure about this, but I guess that most of the times internal links
> are absolute only when Lenya proxying is in effect??

AFAIK most links are resolved to absolute URLs ATM.

>> - Should we support to configure SSL for usecases?
> 
> At least for the login usecase (and probably some more; e.g. custom made
> ones) this would make sense.

OK.

Thanks for your comments!

-- Andreas


-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch




Re: SSL handling

Posted by Markus Angst <ma...@inventec.ch>.
Hi,

> our SSL handling is a bit undetermined ATM (please correct me
> if I'm wrong). We support to set and detect if a page should use
> an SSL connection, and select the proxy based on this setting.
> 
> Some questions:
> 
> - If a page is requested using SSL, should all links from this
> page to other internal pages also use an https:// URL? IMO yes.

I note that you write "requested using" and not "configured for" SSL. What do 
you mean by "internal"? Internal to Lenya, the publication or to a usecase?

This means that a user can switch to https whenever he/she wants. After a few 
clicks ("from https to https"), you might end up with an URL that cannot be served.

Not sure about this, but I guess that most of the times internal links are 
absolute only when Lenya proxying is in effect??

> - Should we support to configure SSL for usecases?

At least for the login usecase (and probably some more; e.g. custom made ones) 
this would make sense.

Thanks!
Markus Angst
