Re: HttpsMapper creates HttpSession by default

2011-11-17 Thread Dirk Forchel
I know that this setting tells Wicket when to create the HttpSession. And it
seems that if the HttpSession is created in the Https request, the created
Session is not visible to any Http request. In Wicket 1.4 we never switch
back to the Http protocol once the secure protocol is used. So probably this
problem never occurred.
I try to use the listener to figure out what happens.

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/HttpsMapper-creates-HttpSession-by-default-tp4079305p4079409.html
Sent from the Users forum mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: HttpsMapper creates HttpSession by default

2011-11-17 Thread Martin Grigorov
This setting is to tell Wicket whether to create a http session before
going https.
Otherwise if there is no http session until now and you create it in
https request then this session won't be visible to any http request.

Setting it to false won't bind the Session (i.e. won't create http session).

Register SessionBindingListener in web.xml and put a breakpoint in it
to see where the session is created.

On Thu, Nov 17, 2011 at 10:44 AM, Dirk Forchel  wrote:
> I'm not sure. But this is the comment within the source of the
> HttpsConfig.class:
>
> /**
>  * Sets whether or not a new session is created before redirecting from
>  * {@code http} to {@code https}
>  *
>  * BE VERY CAREFUL WHEN SETTING THIS VALUE TO {@code false}.
>  *
>  * If set to {@code false} it is possible that the session created when in
>  * {@code https} pages will not be accessible to {@code http} pages, and so
>  * you may end up with two sessions per user both potentially containing
>  * different login information.
>  *
>  * @param preferStateful
>  */
> public void setPreferStateful(boolean preferStateful)
> {
>     this.preferStateful = preferStateful;
> }
>



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
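
Added example, not part of the original message and not Wicket code: one way to follow the advice above is a standard servlet HttpSessionListener that prints the call stack whenever the container creates a session, so a frame such as HttpsMapper.mapRequest shows up directly. The class name, package and frame limit are assumptions; the session id is logged only as a short hash so the log itself cannot be used to take over a session.

```java
package com.example; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Register in web.xml:
 *   <listener>
 *     <listener-class>com.example.SessionCreationTracer</listener-class>
 *   </listener>
 */
public class SessionCreationTracer implements HttpSessionListener
{
    private static final int MAX_FRAMES = 25; // assumed limit, enough to reach the mapper

    @Override
    public void sessionCreated(HttpSessionEvent event)
    {
        StringBuilder out = new StringBuilder("HttpSession created, tag=")
            .append(tag(event.getSession().getId()))
            .append(" thread=").append(Thread.currentThread().getName());
        StackTraceElement[] stack = new Throwable().getStackTrace();
        // Frame 0 is this method; the following frames show who asked for the session.
        for (int i = 1; i < stack.length && i <= MAX_FRAMES; i++)
        {
            out.append("\n    at ").append(stack[i]);
        }
        System.err.println(out);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event)
    {
        System.err.println("HttpSession destroyed, tag=" + tag(event.getSession().getId()));
    }

    /** First four bytes of SHA-256(session id) as hex: stable per session, not replayable. */
    static String tag(String sessionId)
    {
        try
        {
            byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            return String.format("%02x%02x%02x%02x", d[0], d[1], d[2], d[3]);
        }
        catch (NoSuchAlgorithmException e)
        {
            throw new IllegalStateException(e);
        }
    }
}
```

Two different tags for the same browser, one logged during an http request and one during an https request, is the "two sessions per user" situation discussed in this thread.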




Re: HttpsMapper creates HttpSession by default

2011-11-17 Thread Dirk Forchel
I'm not sure. But this is the comment within the source of the
HttpsConfig.class:

/**
 * Sets whether or not a new session is created before redirecting from
 * {@code http} to {@code https}
 *
 * BE VERY CAREFUL WHEN SETTING THIS VALUE TO {@code false}.
 *
 * If set to {@code false} it is possible that the session created when in
 * {@code https} pages will not be accessible to {@code http} pages, and so
 * you may end up with two sessions per user both potentially containing
 * different login information.
 *
 * @param preferStateful
 */
public void setPreferStateful(boolean preferStateful)
{
    this.preferStateful = preferStateful;
}

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/HttpsMapper-creates-HttpSession-by-default-tp4079305p4079330.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: HttpsMapper creates HttpSession by default

2011-11-17 Thread Martin Grigorov
Hi,

On Thu, Nov 17, 2011 at 10:34 AM, Dirk Forchel  wrote:
> Our Wicket application is stateless and doesn't need a HttpSession (the
> JSessionID is disabled by default for some SEO reasons for all requests). In
> Wicket 1.4 we use our own CodingStrategy implementation to switch between
> the Http/Https protocols if a secure annotation (RequireHttps) for a page
> class is present. This is not an option with Wicket 1.5 because coding
> strategies are replaced by IRequestMapper implementations.
> So we use the HttpsMapper as RootRequestMapper to switch over to Https. As
> I've noticed, using the HttpsMapper forces the application to create a
> HttpSession by default, even if no secure page would be present. In my
> opinion, session binding should be done within the HttpsRequestChecker class
> (checkSecureIncoming) and only if the switch to the Https protocol is really
> required. Or am I missing something?
> Setting the HttpsConfig.setPreferStateful(false) is also not an option. In
> that case we end up with two sessions per user.

How does that happen?
This config option is there for exactly that purpose.

>
> HttpsMapper.java:
>
> public IRequestHandler mapRequest(final Request request)
> {
>     IRequestHandler requestHandler = delegate.mapRequest(request);
>     if (requestHandler != null)
>     {
>         final IRequestHandler httpsHandler = checker.checkSecureIncoming(requestHandler,
>             httpsConfig);
>         // XXX do we need to check if httpsHandler is instance of SwitchProtocolRequestHandler
>         if (httpsConfig.isPreferStateful())
>         {
>             // we need to persist the session before a redirect to https so the session lasts
>             // across both http and https calls.
>             Session.get().bind();
>         }
>         requestHandler = httpsHandler;
>     }
>     return requestHandler;
> }
>



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com




HttpsMapper creates HttpSession by default

2011-11-17 Thread Dirk Forchel
Our Wicket application is stateless and doesn't need a HttpSession (the
JSessionID is disabled by default for some SEO reasons for all requests). In
Wicket 1.4 we use our own CodingStrategy implementation to switch between
the Http/Https protocols if a secure annotation (RequireHttps) for a page
class is present. This is not an option with Wicket 1.5 because coding
strategies are replaced by IRequestMapper implementations.
So we use the HttpsMapper as RootRequestMapper to switch over to Https. As
I've noticed, using the HttpsMapper forces the application to create a
HttpSession by default, even if no secure page would be present. In my
opinion, session binding should be done within the HttpsRequestChecker class
(checkSecureIncoming) and only if the switch to the Https protocol is really
required. Or am I missing something?
Setting the HttpsConfig.setPreferStateful(false) is also not an option. In
that case we end up with two sessions per user.

HttpsMapper.java:

public IRequestHandler mapRequest(final Request request)
{
    IRequestHandler requestHandler = delegate.mapRequest(request);
    if (requestHandler != null)
    {
        final IRequestHandler httpsHandler = checker.checkSecureIncoming(requestHandler,
            httpsConfig);
        // XXX do we need to check if httpsHandler is instance of SwitchProtocolRequestHandler
        if (httpsConfig.isPreferStateful())
        {
            // we need to persist the session before a redirect to https so the session lasts
            // across both http and https calls.
            Session.get().bind();
        }
        requestHandler = httpsHandler;
    }
    return requestHandler;
}

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/HttpsMapper-creates-HttpSession-by-default-tp4079305p4079305.html
Sent from the Users forum mailing list archive at Nabble.com.
