Note: This page describes Tapestry's mechanism for automatically switching between HTTP and HTTPS URLs. With the recent trend to have all web sites use HTTPS, you will likely want to disable this behavior. To do so, set the tapestry.secure-enabled configuration symbol to false (counter-intuitively).
Securing your application with HTTPS
By default, Tapestry assumes your application will be primarily deployed as a standard web application, using HTTP (not HTTPS) as the primary protocol.
However, many applications will need to have some of their pages secured: only accessible via HTTPS. This could be a login page, or a product ordering wizard, or administrative pages.
All that is necessary to mark a page as secure is to add the @Secure annotation to the page class:
```java
@Secure
public class ProcessOrder
{
    . . .
}
```
...
The rationale behind using secure links to assets from secure pages is that it prevents the client web browser from reporting a mixed security level.
Securing Multiple Pages
Rather than placing an @Secure annotation on individual pages, it is possible to enable HTTPS URL redirecting for entire folders of pages. All pages in or beneath the folder will be secured.
This is accomplished by making a contribution to the MetaDataLocator service configuration. For example, to secure all pages in the "admin" folder:
```java
public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration)
{
    configuration.add("admin:" + MetaDataConstants.SECURE_PAGE, "true");
}
```
...
If you want to make your entire application secure:
```java
public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration)
{
    configuration.add(MetaDataConstants.SECURE_PAGE, "true");
}
```
With no colon, the meta data applies to the entire application (including any component libraries used in the application).
Base URL Support
When Tapestry switches back and forth between secure and unsecure mode, it must create a full URL (rather than a relative URL) that identifies the protocol, server host name and perhaps even a port number.
...
Because of this, Tapestry includes a hook to allow you to override how these default URLs are created: the BaseURLSource service.
The default implementation is based on just the getServerName() method; it's often not the correct choice even for development.
Fortunately, it is very easy to override this implementation. Here's an example of an override that uses the default port numbers that the Jetty servlet container uses for normal HTTP (port 8080) and for secure HTTPS (port 8443):
```java
public static void contributeServiceOverride(MappedConfiguration<Class,Object> configuration)
{
    BaseURLSource source = new BaseURLSource()
    {
        public String getBaseURL(boolean secure)
        {
            String protocol = secure ? "https" : "http";
            int port = secure ? 8443 : 8080;
            return String.format("%s://localhost:%d", protocol, port);
        }
    };
    configuration.add(BaseURLSource.class, source);
}
```
This override is hardcoded to generate URLs for localhost; as such you might use it for development but certainly not in production. The ServiceOverride service (the Alias service in older Tapestry releases) exists just for these kinds of overrides; it allows a late binding to a customized implementation of the BaseURLSource service that hides the built-in Tapestry implementation.
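The following module ties together the two mechanisms described above (folder-level secure metadata from "Securing Multiple Pages" and the BaseURLSource override from this section) in a form that is usable outside of development. It is an added example, not code from the Tapestry documentation or from the Tapestry project itself. It assumes a Tapestry 5.3+ API (ServiceOverride, MappedConfiguration<String,Object> for ApplicationDefaults), an application package of com.example.app, and three hypothetical application-specific symbols (app.public-host, app.http-port, app.https-port) whose names are not Tapestry constants.

```java
package com.example.app.services; // assumed application package

import org.apache.tapestry5.MetaDataConstants;
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.ioc.annotations.InjectService;
import org.apache.tapestry5.ioc.services.SymbolSource;
import org.apache.tapestry5.services.BaseURLSource;

import java.util.regex.Pattern;

public class AppModule
{
    // Hypothetical application symbols (not Tapestry constants) naming the canonical
    // public host and ports. Override them per environment as system properties
    // (-Dapp.public-host=www.example.com) or web.xml context parameters.
    public static final String PUBLIC_HOST = "app.public-host";
    public static final String HTTP_PORT = "app.http-port";
    public static final String HTTPS_PORT = "app.https-port";

    // A plain DNS host name: letters, digits, dots and hyphens only, no scheme, port or path.
    private static final Pattern HOSTNAME =
        Pattern.compile("[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?");

    public static void contributeApplicationDefaults(MappedConfiguration<String, Object> configuration)
    {
        // Keep HTTP<->HTTPS switching active whatever the production/development mode setting is.
        configuration.add(SymbolConstants.SECURE_ENABLED, true);
        // Development defaults (Jetty's usual ports); production deployments override these.
        configuration.add(PUBLIC_HOST, "localhost");
        configuration.add(HTTP_PORT, 8080);
        configuration.add(HTTPS_PORT, 8443);
    }

    public static void contributeMetaDataLocator(MappedConfiguration<String, String> configuration)
    {
        // Every page in or beneath these folders behaves as if it carried @Secure.
        configuration.add("admin:" + MetaDataConstants.SECURE_PAGE, "true");
        configuration.add("account:" + MetaDataConstants.SECURE_PAGE, "true");
    }

    // SymbolSource is injected by service id: injection by type would go through the
    // MasterObjectProvider, which consults ServiceOverride while it is still being built.
    public static void contributeServiceOverride(MappedConfiguration<Class, Object> configuration,
                                                 @InjectService("SymbolSource") SymbolSource symbols)
    {
        String host = symbols.valueForSymbol(PUBLIC_HOST);
        int httpPort = Integer.parseInt(symbols.valueForSymbol(HTTP_PORT));
        int httpsPort = Integer.parseInt(symbols.valueForSymbol(HTTPS_PORT));
        configuration.add(BaseURLSource.class, new ConfiguredBaseURLSource(host, httpPort, httpsPort));
    }

    /** BaseURLSource built from deployment configuration, not from the incoming request. */
    static final class ConfiguredBaseURLSource implements BaseURLSource
    {
        private final String host;
        private final int httpPort;
        private final int httpsPort;

        ConfiguredBaseURLSource(String host, int httpPort, int httpsPort)
        {
            // Fail at startup on a malformed host rather than emitting broken redirect URLs.
            if (host == null || !HOSTNAME.matcher(host).matches())
                throw new IllegalArgumentException("Invalid value for " + PUBLIC_HOST + ": " + host);
            this.host = host;
            this.httpPort = httpPort;
            this.httpsPort = httpsPort;
        }

        public String getBaseURL(boolean secure)
        {
            String scheme = secure ? "https" : "http";
            int port = secure ? httpsPort : httpPort;
            int defaultPort = secure ? 443 : 80;
            // Omit the port when it is the scheme's default so generated URLs are canonical.
            return port == defaultPort
                ? String.format("%s://%s", scheme, host)
                : String.format("%s://%s:%d", scheme, host, port);
        }
    }
}
```

With the defaults above the module produces the same localhost:8080 / localhost:8443 URLs as the hardcoded override, so nothing changes for development; a production deployment sets app.public-host, app.http-port=80 and app.https-port=443 and gets https://www.example.com style URLs. Taking the host from configuration, and validating it once at startup, means the redirect target is fixed by the operator rather than derived from whatever host name arrives with the request, which is the property you want for a redirect that moves the browser onto HTTPS.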
Development Mode
When working in development mode, the @Secure annotation is ignored. This is controlled by the tapestry.secure-enabled configuration symbol.
Application Server Configuration
Setting up HTTPS support varies from application server to application server.