You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tapestry.apache.org by Carlos Montero Canabal <ca...@gmail.com> on 2016/08/30 23:04:58 UTC
HTTPS on not @Secure page
I have configured my webapp with @Secure on pages who need it. But I have a problem when I write manually the URL on browser. If I write https on not @Secure page, the links (actionLinks with t:zone or t:async for ajax support) created by tapestry starts with http and browsers blocked the content when I click on them. Any solution? (Yes, I would host all my webapp on https). I think that it is a bug, and Tapestry would see that the request is secure and generate the ajax links secured too.
Regards
Carlos Montero
Re: HTTPS on not @Secure page
Posted by Carlos Montero Canabal <ca...@gmail.com>.
Hi Thiago,
I could create a simple project with the problem, but I only know to reproduce it on production mode with my valid https certificate, in localhost I don’t know how to configure jetty to try it.
However I have fixed the problem. I only use event links to AJAX interactions, so in my AppModule I decorate ComponentEventLinkEncoder as below:
public ComponentEventLinkEncoder decorateComponentEventLinkEncoder(
final Request request,
final ComponentEventLinkEncoder oldHandler) {
return new ComponentEventLinkEncoder() {
@Override
public Link createPageRenderLink(final PageRenderRequestParameters parameters) {
return oldHandler.createPageRenderLink(parameters);
}
@Override
public Link createComponentEventLink(final ComponentEventRequestParameters parameters, final boolean forForm) {
final Link link = oldHandler.createComponentEventLink(parameters, forForm);
if (request.isSecure()) {
link.setSecurity(LinkSecurity.FORCE_SECURE);
}
return link;
}
@Override
public ComponentEventRequestParameters decodeComponentEventRequest(final Request request) {
return oldHandler.decodeComponentEventRequest(request);
}
@Override
public PageRenderRequestParameters decodePageRenderRequest(final Request request) {
return oldHandler.decodePageRenderRequest(request);
}
};
}
And everything works fine for me. This solution is valid but it isn´t the best (I think that if a Evenlink is not AJAX and the page is not @Secure, you will generate an https request that it isn´t necessary).
I think the solution is modify the Components because they know when they are async or with Zone param. For example, for EventLink would be fixed as below:
"EventLink extends AbstractComponentEventLink so we have to modify AbstractComponentEventLink”
public abstract class AbstractComponentEventLink extends AbstractLink{
...
void beginRender(MarkupWriter writer)
{
if (isDisabled()) return;
Link link = createLink(context);
if (request.isSecure() && (async || zone != null)){
link.setSecurity(LinkSecurity.FORCE_SECURE);
}
writeLink(writer, link);
writer.attributes("data-update-zone", zone);
if (async)
{
javaScriptSupport.require("t5/core/zone");
writer.attributes("data-async-trigger", true);
}
}
I’m busy with a deadline now, but in some weeks I can create the sample project if you want Thiago.
Regards
Carlos Montero
http://dev.carlosmontero.es <http://dev.carlosmontero.es/>
> El 2/9/2016, a las 14:13, Thiago H de Paula Figueiredo <th...@gmail.com> escribió:
>
> On Tue, 30 Aug 2016 20:04:58 -0300, Carlos Montero Canabal <carlosmonterocanabal@gmail.com <ma...@gmail.com>> wrote:
>
> I have configured my webapp with @Secure on pages who need it. But I have a problem when I write manually the URL on browser. If I write https on not @Secure page, the links (actionLinks with t:zone or t:async for ajax support) created by tapestry starts with http and browsers blocked the content when I click on them. Any solution? (Yes, I would host all my webapp on https). I think that it is a bug, and Tapestry would see that the request is secure and generate the ajax links secured too.
>
> Olá, Carlos!
>
> Yeah, this is indeed a bug. Could you please create a small project which demonstrates this bug and attach it to a new Jira ticket? Thanks in advance. :)
>
>
> Regards
>
> Carlos Montero
>
>
>
> --
> Thiago H. de Paula Figueiredo
> Tapestry, Java and Hibernate consultant and developer
> http://machina.com.br <http://machina.com.br/>
Re: HTTPS on not @Secure page
Posted by Thiago H de Paula Figueiredo <th...@gmail.com>.
On Tue, 30 Aug 2016 20:04:58 -0300, Carlos Montero Canabal
<ca...@gmail.com> wrote:
> I have configured my webapp with @Secure on pages who need it. But I
> have a problem when I write manually the URL on browser. If >I write
> https on not @Secure page, the links (actionLinks with t:zone or
> t:async for ajax support) created by tapestry starts >with http and
> browsers blocked the content when I click on them. Any solution? (Yes, I
> would host all my webapp on https). I >think that it is a bug, and
> Tapestry would see that the request is secure and generate the ajax
> links secured too.
Olá, Carlos!
Yeah, this is indeed a bug. Could you please create a small project which
demonstrates this bug and attach it to a new Jira ticket? Thanks in
advance. :)
>
> Regards
>
> Carlos Montero
--
Thiago H. de Paula Figueiredo
Tapestry, Java and Hibernate consultant and developer
http://machina.com.br