Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add navigation "scrollbar" macro


Note

This page describes Tapestry's mechanism for automatically switching between HTTP and HTTPS URLs. With the recent trend to have all web sites use HTTPS, you will likely want to disable this behavior. To do so, set the tapestry.secure-enabled configuration symbol to false (counter-intuitively).

By default,

Securing your application with HTTPS

 
Wiki Markup
{float:right|background=#eee}
{contentbylabel:title=Related Articles|showLabels=false|showSpace=false|space=@self|labels=security}
{float}

Tapestry assumes your application will be primarily deployed as a standard web application, using HTTP (not HTTPS) as the transport mechanism.primary protocol.

Div
stylefloat:right; margin: 1em
titleRelated Articles
classaui-label
Content by Label
showLabelsfalse
showSpacefalse
titleRelated Articles
cqllabel = "security" and space = currentSpace()

Many However, many applications will need to have some of their pages secured: only accessible via HTTPS. This could be a login page, or a product ordering wizard, or administrative pages.

All that is necessary to mark a page as secure is to add the @Secure annotation to the page class:

Code Block
languagejava
@Secure
public class ProcessOrder
{
  . . .
}

...

Rather than placing an @Secure annotation on individual pages, it is possible to enable security https URL redirecting for entire folders of pages. All pages in or beneath the folder will be secured.

This is accomplished by making a contribution to the MetaDataLocator service configuration. For example, to secure all pages in the "admin" folder:

Code Block
languagejava
titleAppModule.java (partial)
public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration)
{
    configuration.add("admin:" + MetaDataConstants.SECURE_PAGE, "true");
}

...

If you want to make your entire application secure:

Code Block
languagejava
titleAppModule.java (partial)
public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration)
{
    configuration.add(MetaDataConstants.SECURE_PAGE, "true");
}

...

Fortunately, it is very easy to override this implementation. Here's an example of an override that uses the default port numbers that the Jetty servlet container uses for normal HTTP (port 8080) and for secure HTTPS (port 8443):

Code Block
languagejava
titleAppModule.java (partial)
    public static void contributeServiceOverride(MappedConfiguration<Class,Object> configuration)
    {
        BaseURLSource source = new BaseURLSource()
        {
            public String getBaseURL(boolean secure)
            {
                String protocol = secure ? "https" : "http";

                int port = secure ? 8443 : 8080;

                return String.format("%s://localhost:%d", protocol, port);
            }
        };

        configuration.add(BaseURLSource.class, source);
    }

...

When working in development mode, the Secure annotation is ignored. This is controlled by the tapestry.secure-enabled configuration symbol.

Application Server Configuration

Setting up HTTPS support varies from application server to application server.

 

Scrollbar