Securing your application with HTTPS
Div | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
|
Tapestry assumes your application will be primarily deployed as a standard web application, using HTTP (not HTTPS) as the transport mechanism.
...
All that is necessary to mark a page as secure is to add the @Secure annotation to the page class:
Code Block |
---|
@Secure public class ProcessOrder { . . . } |
When a page is marked as secure, Tapestry will ensure that access to that page uses HTTPS. All links to the page will use the "https" protocol.
...
This is accomplished by making a contribution to the MetaDataLocator service configuration. For example, to secure all pages in the "admin" folder:
Code Block |
---|
public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration) { configuration.add("admin:" + MetaDataConstants.SECURE_PAGE, "true"); } |
Here "admin" is the folder name, and the colon is a separator between the folder name and the the meta data key. SECURE_PAGE is a public constant for value "tapestry.secure-page";
...
If you want to make your entire application secure:
Code Block |
---|
public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration) { configuration.add(MetaDataConstants.SECURE_PAGE, "true"); } |
With no colon, the meta data applies to the entire application (including any component libraries used in the application).
...
Fortunately, it is very easy to override this implementation. Here's an example of an override that uses the default port numbers that the Jetty servlet container uses for normal HTTP (port 8080) and for secure HTTPS (port 8443):
Code Block |
---|
public static void contributeServiceOverride(MappedConfiguration<Class,Object> configuration) { BaseURLSource source = new BaseURLSource() { public String getBaseURL(boolean secure) { String protocol = secure ? "https" : "http"; int port = secure ? 8443 : 8080; return String.format("%s://localhost:%d", protocol, port); } }; configuration.add(BaseURLSource.class, source); } |
This override is hardcoded to generate URLs for localhost; as such you might use it for development but certainly not in production.
...
When working in development mode, the Secure annotation is ignored. This is controlled by the tapestry.secure-enabled configuration symbol.
Application Server Configuration
...