Posted to users@tapestry.apache.org by Martin Nagl <mn...@mtbiker.sk> on 2015/02/05 10:16:08 UTC

Access a T5 app through both http (Tomcat) and https (Apache httpd + AJP + Tomcat)

Hi all,

we have a Tapestry5 application deployed on Tomcat + Apache httpd. In
production environment at our customer, the application should be deployed
/ accessed like this:
  - Tomcat is running on a server in internal network on port 8080.
  - There is an Apache HTTP server with reverse proxy to Tomcat (AJP)
accessible from the internet on port 80.
  - Internal users should access the application on Tomcat directly without
https on http://servername.intranet.customer.sk:8080/appname/login
  - External users should access the application through Apache httpd, with
https, on https://apps.customer.sk/appname/login

1. Initially, I had no @Secure annotations on my pages. The application
worked correctly from internal network, but not from internet. From
internet, I could access the login page through https, but after submit, I
get somehow redirected to http which ends with server error: Your browser
sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

2. I have annotated all my pages with @Secure. The application now works
correctly from internet, but not from internal network. From internal
network, I can access
http://servername.intranet.customer.sk:8080/appname/login but I get
redirected to https at
https://servername.intranet.customer.sk:8080/appname/login. - This is not
desired, I would like the application to continue in http mode.

Is this setup possible with a Tapestry5 application (a single deployed
instance)?
Is there some way to tell Tapestry "If you're accessed through https, then
serve all pages through https, else if you're accessed through http, then
serve all pages through http"?

Thanks
Regards
Martin

Re: Access a T5 app through both http (Tomcat) and https (Apache httpd + AJP + Tomcat)

Posted by Bob Harner <bo...@gmail.com>.
Martin,

Have you tried setting the tapestry.secure-enabled symbol to "false" in
your AppModule.java? That prevents Tapestry from redirecting to https (and
you won't have to have @Secure annotations on your pages).
On Feb 5, 2015 11:30 AM, "Norman Franke" <no...@myasd.com> wrote:

> While not addressing your problem exactly, I have found issues with
> cookies doing things like this. You try to login via HTTPS. Your session is
> created as a secure cookie, and when you go back to regular HTTP after
> login, you have no session cookie. I created a new, non-secure cookie, but
> that’s definitely a hack and has some issues. I don’t use @Secure since I
> could never get anything working correctly, and so redirect myself.
>
> You could try using something like nginx to do SSL to plain old Tomcat
> running in HTTP mode. Using the @Secure annotation will still cause
> problems, since it will want to use HTTPS to / from tomcat. This would
> likely work, but local users won’t benefit from HTTPS for login. However,
> you could potentially use nginx to handle that as well, forcing HTTPS for a
> specific URL.
>
> You may be able to use your own MetaDataLocator service to determine that
> client IP address and decide there. Obviously if you are doing a reverse
> proxy, the Http Request IP address won’t necessarily be the client’s IP
> address, but most proxies add a header you could use.
>
> Norman Franke
> Answering Service for Directors, Inc.
> www.myasd.com

Re: Access a T5 app through both http (Tomcat) and https (Apache httpd + AJP + Tomcat)

Posted by Norman Franke <no...@myasd.com>.
While not addressing your problem exactly, I have found issues with cookies doing things like this. You try to login via HTTPS. Your session is created as a secure cookie, and when you go back to regular HTTP after login, you have no session cookie. I created a new, non-secure cookie, but that’s definitely a hack and has some issues. I don’t use @Secure since I could never get anything working correctly, and so redirect myself.

You could try using something like nginx to do SSL to plain old Tomcat running in HTTP mode. Using the @Secure annotation will still cause problems, since it will want to use HTTPS to / from Tomcat. This would likely work, but local users won’t benefit from HTTPS for login. However, you could potentially use nginx to handle that as well, forcing HTTPS for a specific URL.

You may be able to use your own MetaDataLocator service to determine that client IP address and decide there. Obviously if you are doing a reverse proxy, the Http Request IP address won’t necessarily be the client’s IP address, but most proxies add a header you could use.

Norman Franke
Answering Service for Directors, Inc.
www.myasd.com





Re: Access a T5 app through both http (Tomcat) and https (Apache httpd + AJP + Tomcat)

Posted by Jonathan Barker <jo...@gmail.com>.
I've faced similar issues in the past (see TAP5-167), but these days I
just access everything through https.

It does sound like you were using @Secure on your login page, but
nowhere else.  I seem to recall that if you use @Secure on one page,
then it will try to use http on pages NOT marked with @Secure.  To get
around that, you end up skipping the @Secure and sending passwords
plaintext over your internal network - not a great practice.

I am curious if anyone ever came up with a good way of doing what you
are trying to do.

A few questions that come to mind are:
Which version of T5?
Have you overridden anything like BaseURLSource?
Have you provided any parameters like HOSTPORT or HOSTPORT_SECURE?





-- 
Jonathan Barker
ITStrategic
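
The configuration discussed in this thread, as an added example that is not code from any poster or from the Tapestry project: it sets the tapestry.secure-enabled symbol Bob mentions, overrides the BaseURLSource Jonathan asks about so absolute URLs follow the scheme of the incoming request, and refuses plain http on the public host name. It assumes the Tapestry 5.3/5.4 package names and an AJP connector that passes the front end's scheme through to `isSecure()`; the filter id and the `EXTERNAL_HOST` constant are hypothetical names.

```java
import java.io.IOException;
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.BaseURLSource;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

public class AppModule {
    // Public host name from the thread; Apache httpd terminates TLS for it.
    private static final String EXTERNAL_HOST = "apps.customer.sk";

    // Stop Tapestry switching schemes per page; no @Secure annotations needed.
    public static void contributeApplicationDefaults(MappedConfiguration<String, Object> conf) {
        conf.add(SymbolConstants.SECURE_ENABLED, "false");
    }

    // Absolute URLs mirror the scheme, host and port of the current request.
    public static void contributeServiceOverride(MappedConfiguration<Class, Object> conf,
                                                 final Request request) {
        conf.add(BaseURLSource.class, new BaseURLSource() {
            public String getBaseURL(boolean secure) {
                String scheme = request.isSecure() ? "https" : "http";
                return scheme + "://" + request.getServerName() + ":" + request.getServerPort();
            }
        });
    }

    // With the symbol off, nothing in Tapestry enforces TLS, so the public
    // host name is refused over plain http here (httpd should do the same).
    public static void contributeRequestHandler(OrderedConfiguration<RequestFilter> conf) {
        conf.add("RequireHttpsOnExternalHost", new RequestFilter() {
            public boolean service(Request request, Response response, RequestHandler handler)
                    throws IOException {
                if (EXTERNAL_HOST.equalsIgnoreCase(request.getServerName()) && !request.isSecure()) {
                    response.sendRedirect("https://" + EXTERNAL_HOST + request.getContextPath()
                            + request.getPath());
                    return true; // request handled by the redirect
                }
                return handler.service(request, response);
            }
        });
    }
}
```

`getServerName()` reflects the Host header the client sent, so httpd and Tomcat should only answer for the two known host names; the redirect above also drops any query string.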
