Posted to users@tapestry.apache.org by Carlos Montero Canabal <ca...@gmail.com> on 2016/08/30 23:04:58 UTC

HTTPS on not @Secure page

I have configured my webapp with @Secure on pages that need it. But I have a problem when I write the URL manually in the browser. If I write https on a non-@Secure page, the links (actionLinks with t:zone or t:async for ajax support) created by Tapestry start with http and browsers block the content when I click on them. Any solution? (Yes, I would host all my webapp on https). I think that it is a bug, and Tapestry would see that the request is secure and generate the ajax links secured too.

Regards

Carlos Montero

Re: HTTPS on not @Secure page

Posted by Carlos Montero Canabal <ca...@gmail.com>.
Hi Thiago,

I could create a simple project with the problem, but I only know how to reproduce it in production mode with my valid https certificate; on localhost I don't know how to configure Jetty to try it.

However, I have fixed the problem. I only use event links for AJAX interactions, so in my AppModule I decorate ComponentEventLinkEncoder as below:

	public ComponentEventLinkEncoder decorateComponentEventLinkEncoder(
	        final Request request,
	        final ComponentEventLinkEncoder oldHandler) {

		return new ComponentEventLinkEncoder() {

			@Override
			public Link createPageRenderLink(final PageRenderRequestParameters parameters) {
				return oldHandler.createPageRenderLink(parameters);
			}

			@Override
			public Link createComponentEventLink(final ComponentEventRequestParameters parameters, final boolean forForm) {

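				final Link link = oldHandler.createComponentEventLink(parameters, forForm);
				// If the current request arrived over HTTPS, force the event link to https
				// so the browser does not block it as mixed content.
				if (request.isSecure()) {
					link.setSecurity(LinkSecurity.FORCE_SECURE);
				}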

				return link;
			}

			@Override
			public ComponentEventRequestParameters decodeComponentEventRequest(final Request request) {
				return oldHandler.decodeComponentEventRequest(request);
			}

			@Override
			public PageRenderRequestParameters decodePageRenderRequest(final Request request) {
				return oldHandler.decodePageRenderRequest(request);
			}

		};
	}

And everything works fine for me. This solution is valid but it isn't the best (I think that if an EventLink is not AJAX and the page is not @Secure, you will generate an https request that isn't necessary).

I think the solution is to modify the components, because they know when they are async or have a zone parameter. For example, EventLink would be fixed as below:

"EventLink extends AbstractComponentEventLink, so we have to modify AbstractComponentEventLink"

public abstract class AbstractComponentEventLink extends AbstractLink
{

    ...

    void beginRender(MarkupWriter writer)
    {
        if (isDisabled()) return;

        Link link = createLink(context);

        // Proposed change: only AJAX links (async or zone) are forced to https,
        // and only when the current request is already secure.
        if (request.isSecure() && (async || zone != null))
        {
            link.setSecurity(LinkSecurity.FORCE_SECURE);
        }

        writeLink(writer, link);

        writer.attributes("data-update-zone", zone);

        if (async)
        {
            javaScriptSupport.require("t5/core/zone");
            writer.attributes("data-async-trigger", true);
        }
    }
}

I'm busy with a deadline now, but in some weeks I can create the sample project if you want, Thiago.

Regards

Carlos Montero

http://dev.carlosmontero.es


> On 2/9/2016, at 14:13, Thiago H de Paula Figueiredo <th...@gmail.com> wrote:
> 
> On Tue, 30 Aug 2016 20:04:58 -0300, Carlos Montero Canabal <carlosmonterocanabal@gmail.com> wrote:
> 
> > I have configured my webapp with @Secure on pages that need it. But I have a problem when I write the URL manually in the browser. If I write https on a non-@Secure page, the links (actionLinks with t:zone or t:async for ajax support) created by Tapestry start with http and browsers block the content when I click on them. Any solution? (Yes, I would host all my webapp on https). I think that it is a bug, and Tapestry would see that the request is secure and generate the ajax links secured too.
> 
> Hello, Carlos!
> 
> Yeah, this is indeed a bug. Could you please create a small project which demonstrates this bug and attach it to a new Jira ticket? Thanks in advance. :)
> 
> > Regards
> >
> > Carlos Montero
> 
> -- 
> Thiago H. de Paula Figueiredo
> Tapestry, Java and Hibernate consultant and developer
> http://machina.com.br
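
A check for the symptom described in this thread, as an added example that is not part of the original messages or of Tapestry: it scans rendered markup for AJAX triggers (elements carrying the `data-update-zone` or `data-async-trigger` attributes written by the code above) whose URL resolves to http on an https page. The sample markup, the host name and the function names are constructed for illustration.

```javascript
// SAMPLE_HTML is constructed for illustration, not captured from a real application.
const SAMPLE_HTML = `
<a href="http://shop.example/cart.add/7" data-update-zone="cartZone">Add</a>
<a href="https://shop.example/cart.remove/7" data-async-trigger="true">Remove</a>
<a href="/cart.refresh" data-update-zone="^">Refresh</a>
<a href="http://shop.example/about">About</a>
<form action="http://shop.example/search.form" data-update-zone="results"></form>`;

// Parse the double-quoted attributes of one start tag into a plain object.
function parseAttributes(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([\w:-]+)\s*=\s*"([^"]*)"/g)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// Return the AJAX-triggering <a>/<form> elements whose target resolves to
// http:// when the page itself was loaded over https://.
function findInsecureAjaxTargets(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only arises on secure pages
  const findings = [];
  for (const [tag, name] of html.matchAll(/<(a|form)\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    const isAjax = 'data-update-zone' in attrs || attrs['data-async-trigger'] === 'true';
    const target = attrs.href ?? attrs.action;
    if (!isAjax || target === undefined) continue; // plain navigation links are not AJAX triggers
    const resolved = new URL(target, page.href);   // relative URLs inherit the page scheme
    if (resolved.protocol === 'http:') {
      findings.push({ element: name.toLowerCase(), url: resolved.href });
    }
  }
  return findings;
}

console.log(findInsecureAjaxTargets(SAMPLE_HTML, 'https://shop.example/catalog'));
```

The plain `About` link is skipped on purpose: a normal navigation to http from an https page is not blocked by the browser, which is why only the zone and async links showed the problem.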

Re: HTTPS on not @Secure page

Posted by Thiago H de Paula Figueiredo <th...@gmail.com>.
On Tue, 30 Aug 2016 20:04:58 -0300, Carlos Montero Canabal  
<ca...@gmail.com> wrote:

> I have configured my webapp with @Secure on pages that need it. But I
> have a problem when I write the URL manually in the browser. If I write
> https on a non-@Secure page, the links (actionLinks with t:zone or
> t:async for ajax support) created by Tapestry start with http and
> browsers block the content when I click on them. Any solution? (Yes, I
> would host all my webapp on https). I think that it is a bug, and
> Tapestry would see that the request is secure and generate the ajax
> links secured too.

Hello, Carlos!

Yeah, this is indeed a bug. Could you please create a small project which  
demonstrates this bug and attach it to a new Jira ticket? Thanks in  
advance. :)

>
> Regards
>
> Carlos Montero



-- 
Thiago H. de Paula Figueiredo
Tapestry, Java and Hibernate consultant and developer
http://machina.com.br