HTTPS on not @Secure page

HTTPS on not @Secure page

Carlos Montero Canabal
I have configured my webapp with @Secure on pages that need it. But I have a problem when I write the URL manually in the browser. If I write https on a non-@Secure page, the links (actionLinks with t:zone or t:async for ajax support) created by Tapestry start with http and browsers block the content when I click on them. Any solution? (Yes, I would host all my webapp on https). I think that it is a bug, and Tapestry would see that the request is secure and generate the ajax links secured too.

Regards

Carlos Montero

Re: HTTPS on not @Secure page

Thiago H. de Paula Figueiredo
On Tue, 30 Aug 2016 20:04:58 -0300, Carlos Montero Canabal <[hidden email]> wrote:

> I have configured my webapp with @Secure on pages that need it. But I have a problem when I write the URL manually in the browser. If I write https on a non-@Secure page, the links (actionLinks with t:zone or t:async for ajax support) created by Tapestry start with http and browsers block the content when I click on them. Any solution? (Yes, I would host all my webapp on https). I think that it is a bug, and Tapestry would see that the request is secure and generate the ajax links secured too.

Hello, Carlos!

Yeah, this is indeed a bug. Could you please create a small project which demonstrates this bug and attach it to a new Jira ticket? Thanks in advance. :)


> Regards
>
> Carlos Montero


--
Thiago H. de Paula Figueiredo
Tapestry, Java and Hibernate consultant and developer
http://machina.com.br
Re: HTTPS on not @Secure page

Carlos Montero Canabal
Hi Thiago,

I could create a simple project with the problem, but I only know how to reproduce it in production mode with my valid https certificate; on localhost I don’t know how to configure Jetty to try it.

However, I have fixed the problem. I only use event links for AJAX interactions, so in my AppModule I decorate ComponentEventLinkEncoder as below:

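    // Imports needed in AppModule (Tapestry 5.4 package names):
    import org.apache.tapestry5.Link;
    import org.apache.tapestry5.LinkSecurity;
    import org.apache.tapestry5.services.ComponentEventLinkEncoder;
    import org.apache.tapestry5.services.ComponentEventRequestParameters;
    import org.apache.tapestry5.services.PageRenderRequestParameters;
    import org.apache.tapestry5.services.Request;

    // Decorator method inside AppModule: wraps the built-in encoder and only
    // changes how component event links are created.
    public ComponentEventLinkEncoder decorateComponentEventLinkEncoder(
            final Request request,
            final ComponentEventLinkEncoder oldHandler) {

        return new ComponentEventLinkEncoder() {

            @Override
            public Link createPageRenderLink(final PageRenderRequestParameters parameters) {
                return oldHandler.createPageRenderLink(parameters);
            }

            @Override
            public Link createComponentEventLink(final ComponentEventRequestParameters parameters, final boolean forForm) {

                final Link link = oldHandler.createComponentEventLink(parameters, forForm);

                // If the current request arrived over https, force the event
                // link to https as well, even when the page is not @Secure.
                if (request.isSecure()) {
                    link.setSecurity(LinkSecurity.FORCE_SECURE);
                }

                return link;
            }

            @Override
            public ComponentEventRequestParameters decodeComponentEventRequest(final Request request) {
                return oldHandler.decodeComponentEventRequest(request);
            }

            @Override
            public PageRenderRequestParameters decodePageRenderRequest(final Request request) {
                return oldHandler.decodePageRenderRequest(request);
            }

        };
    }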

And everything works fine for me. This solution is valid but it isn't the best (I think that if an EventLink is not AJAX and the page is not @Secure, you will generate an https request that isn't necessary).

I think the solution is to modify the components, because they know when they are async or have a zone parameter. For example, EventLink would be fixed as below:

"EventLink extends AbstractComponentEventLink so we have to modify AbstractComponentEventLink"

public abstract class AbstractComponentEventLink extends AbstractLink {

    ...

    void beginRender(MarkupWriter writer)
    {
        if (isDisabled()) return;

        Link link = createLink(context);

        // Proposed change: force https only for zone/async links rendered
        // during a secure request (needs access to the current Request).
        if (request.isSecure() && (async || zone != null))
        {
            link.setSecurity(LinkSecurity.FORCE_SECURE);
        }

        writeLink(writer, link);

        writer.attributes("data-update-zone", zone);

        if (async)
        {
            javaScriptSupport.require("t5/core/zone");
            writer.attributes("data-async-trigger", true);
        }
    }
}

I’m busy with a deadline now, but in a few weeks I can create the sample project if you want, Thiago.

Regards

Carlos Montero

http://dev.carlosmontero.es


> On 2/9/2016, at 14:13, Thiago H de Paula Figueiredo <[hidden email]> wrote:
>
> On Tue, 30 Aug 2016 20:04:58 -0300, Carlos Montero Canabal <[hidden email]> wrote:
>
> I have configured my webapp with @Secure on pages that need it. But I have a problem when I write the URL manually in the browser. If I write https on a non-@Secure page, the links (actionLinks with t:zone or t:async for ajax support) created by Tapestry start with http and browsers block the content when I click on them. Any solution? (Yes, I would host all my webapp on https). I think that it is a bug, and Tapestry would see that the request is secure and generate the ajax links secured too.
>
> Hello, Carlos!
>
> Yeah, this is indeed a bug. Could you please create a small project which demonstrates this bug and attach it to a new Jira ticket? Thanks in advance. :)
>
>
> Regards
>
> Carlos Montero
>
>
>
> --
> Thiago H. de Paula Figueiredo
> Tapestry, Java and Hibernate consultant and developer
> http://machina.com.br
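
A regression check for the symptom discussed in this thread, as an added example that is not part of the original posts or of Tapestry: it scans markup rendered for an https page and reports anchors carrying `data-update-zone` or `data-async-trigger` (the attributes written in the `beginRender()` code above) whose target is an absolute `http://` URL. The class name, sample markup, host and paths are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MixedContentAjaxLinkCheck {

    // Opening <a> tags, with all attributes captured as one group.
    private static final Pattern ANCHOR =
            Pattern.compile("<a\\b([^>]*)>", Pattern.CASE_INSENSITIVE);
    // Double-quoted href value.
    private static final Pattern HREF =
            Pattern.compile("\\bhref\\s*=\\s*\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);
    // Attributes that mark a link as a zone/async (Ajax) trigger.
    private static final Pattern AJAX =
            Pattern.compile("\\bdata-(?:update-zone|async-trigger)\\b", Pattern.CASE_INSENSITIVE);

    /** Ajax link targets that a browser would block on a page loaded over https. */
    static List<String> insecureAjaxTargets(String pageUrl, String html) {
        List<String> findings = new ArrayList<>();
        if (!pageUrl.toLowerCase().startsWith("https://")) {
            return findings; // page itself is not secure, so nothing is mixed content
        }
        Matcher anchor = ANCHOR.matcher(html);
        while (anchor.find()) {
            String attrs = anchor.group(1);
            Matcher href = HREF.matcher(attrs);
            // Plain navigation links to http are not blocked; only Ajax triggers matter here.
            if (AJAX.matcher(attrs).find() && href.find()
                    && href.group(1).toLowerCase().startsWith("http://")) {
                findings.add(href.group(1));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample markup; host and paths are placeholders.
        String html = String.join("\n",
                "<a href=\"http://app.example.test/index.cart:add/7\" data-update-zone=\"cartZone\">Add</a>",
                "<a data-async-trigger=\"true\" href=\"http://app.example.test/index.cart:clear\">Clear</a>",
                "<a href=\"/index.cart:remove/7\" data-async-trigger=\"true\">Remove</a>",
                "<a href=\"http://app.example.test/about\">About</a>");
        List<String> bad = insecureAjaxTargets("https://app.example.test/index", html);
        bad.forEach(u -> System.out.println("would be blocked as mixed content: " + u));
        if (bad.size() != 2) throw new AssertionError("expected 2 findings, got " + bad.size());
    }
}
```

Run against the rendered output of each non-@Secure page requested over https, an empty result indicates the Ajax links follow the request's scheme.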