Re: SSL Links and buttons
Hi Ernesto,
I tried your code and it's working for me, just with one issue I mention at
the end of this post. I had to make just 3 modifications: the method
resolve() stays like this:
public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
{
// if (portConfig.isPreferStateful()) {
Session.get().bind();
// }
IRequestTarget target = super.resolve(rc, rp);
return checkSecure(target);
}
because I can not find the isPreferStateful() method, and the SecureForm
onComponentTag() is like this:
@Override
protected void onComponentTag(ComponentTag tag) {
super.onComponentTag(tag);
String action = tag.getAttribute(action);
action = RequestUtils.toAbsolutePath(action);
if(!action.startsWith(https)) {
action = https + action.substring(4);
action =
action.replace(String.valueOf(MeteosixApplication.get().getHttpPort()),
String.valueOf(MeteosixApplication.get().getHttpsPort()));
}
tag.put(action, action);
}
to also substitute the port numbers in the action (I get them from my
Application class with custom methods).
and the annotation @SemiSecurePage is not needed at all, since it will enter
the ifs the same, so you can freely remove it.
The issue is that when validation fails, it does not find the CSS because my
browser is requesting it without the context (e.g.
http://localhost:9090/styles/main/layout.css instead of
http://localhost:9090/myapplication/styles/main/layout.css). Does not it
happen to you? How can I fix that? When does Wicket establish the URL for
static resources like that this? I'm adding it this way:
add(CSSPackageResource.getHeaderContribution(styles/main/layout.css));
The rest of the solution works great, I didn't have much time to inspect it
(I can see the tricky parts :) ) and to check how much
wicket-version-dependent it can be, but I think it's OK (since it's
working!).
So the only thing is to fix the CSS issue, do you have any idea of how...?
Thank you
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3014970.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Hi,
I just added
https://issues.apache.org/jira/browse/WICKET-3133
Other answers inline:
I tried your code and it's working for me, just with one issue I mention at
the end of this post. I had to make just 3 modifications: the method
resolve() stays like this:
public IRequestTarget resolve(RequestCycle rc, RequestParameters rp)
{
// if (portConfig.isPreferStateful()) {
Session.get().bind();
// }
IRequestTarget target = super.resolve(rc, rp);
return checkSecure(target);
}
because I can not find the isPreferStateful() method, and the SecureForm
onComponentTag() is like this:
This method may have been added after 1.4.9: I'm using 1.4.12.
@Override
protected void onComponentTag(ComponentTag tag) {
super.onComponentTag(tag);
String action = tag.getAttribute(action);
action = RequestUtils.toAbsolutePath(action);
if(!action.startsWith(https)) {
action = https + action.substring(4);
action =
action.replace(String.valueOf(MeteosixApplication.get().getHttpPort()),
String.valueOf(MeteosixApplication.get().getHttpsPort()));
}
tag.put(action, action);
}
to also substitute the port numbers in the action (I get them from my
Application class with custom methods).
Ok. That might be a good addition if we want to have some generic solution.
and the annotation @SemiSecurePage is not needed at all, since it will enter
the ifs the same, so you can freely remove it.
I just added it as an extra check so that we don't have to inspect all
IListenerInterfaceRequestTarget.
The issue is that when validation fails, it does not find the CSS because my
browser is requesting it without the context (e.g.
http://localhost:9090/styles/main/layout.css instead of
http://localhost:9090/myapplication/styles/main/layout.css). Does not it
happen to you? How can I fix that? When does Wicket establish the URL for
static resources like that this? I'm adding it this way:
add(CSSPackageResource.getHeaderContribution(styles/main/layout.css));
No this do happens to me: I will try to do some experiments to see
what is missing
Can you try to replace method SecureBufferedWebResponse.getUrl with
protected String getUrl(String protocol, Integer port,
HttpServletRequest request, String queryString)
{
if(queryString.startsWith(http) ||
queryString.startsWith(https))
return queryString;
StringBuilder result = new StringBuilder();
result.append(protocol);
result.append(://);
result.append(request.getServerName());
if (port != null)
{
result.append(:);
result.append(port);
}
String path = request.getContextPath();
if(path != null path.length()0) {
result.append(path);
}
result.append(request.getRequestURI());
if (queryString != null)
{
if(queryString.startsWith(..) ) {
} else if(!queryString.startsWith(?))
result.append(?);
result.append(queryString);
}
return result.toString();
}
and see if it works now?
The rest of the solution works great, I didn't have much time to inspect it
(I can see the tricky parts :) ) and to check how much
wicket-version-dependent it can be, but I think it's OK (since it's
working!).
IMHO: It will be very nice if this corner use case is included on
default HttpsRequestCycleProcessor. Will try to produce a patch and
attach it issue mentioned before.
No thanks needed: we all benefit from this discussion;-)
Regards,
Ernesto
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
). Does not it happen to you? How can I fix that? When does Wicket establish the URL for static resources like that this? I'm adding it this way: add(CSSPackageResource.getHeaderContribution(styles/main/layout.css)); The rest of the solution works great, I didn't have much time to inspect it (I can see the tricky parts :) ) and to check how much wicket-version-dependent it can be, but I think it's OK (since it's working!). So the only thing is to fix the CSS issue, do you have any idea of how...? Thank you -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3014970.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Hi,
It does not work for me. For correctly replace the ports I had to modify a
bit the SecureForm code, leaving it as follows:
@Override
protected void onComponentTag(ComponentTag tag) {
super.onComponentTag(tag);
String action = tag.getAttribute(action);
if (!action.startsWith(http))
action = RequestUtils.toAbsolutePath(action);
// rewrite action to use HTTPs
if (!action.startsWith(https)) {
action = replacePort(https + action.substring(4));
}
else {
action = replacePort(action);
}
tag.put(action, action);
}
private String replacePort(String action) {
RequestCycle requestCycle = RequestCycle.get();
SecureHttpsRequestCycleProcessor processor =
(SecureHttpsRequestCycleProcessor) requestCycle
.getProcessor();
Integer port = processor.getConfig().getHttpPort();
Integer httpsPort = processor.getConfig().getHttpsPort();
action = action.replace(: + Integer.toString(port) + /,
: + Integer.toString(httpsPort) + /);
return action;
}
but the modification of the getUrl() method of SecureBufferedWebResponse
doesn't seem to affect the request for the CSS file, but only for the URLs
of links and buttons in the page (the debugger never entered that point in
that request). I'll continue trying it and modifications and keep this
thread informed up-to-date.
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3015404.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
It works fine for me for CSS, images, JavaScript and so on: it must be
something we are missing on getUrl() method:-(
What's the url you are getting for layout.css? I'm including CSS using
resource references
add(CSSPackageResource.getHeaderContribution(Styles.ESTILOS));
and
public class Styles {
public static final ResourceReference ESTILOS = new
ResourceReference(Styles.class,estilos.css);
..
}
Ernesto
On Wed, Oct 27, 2010 at 3:03 PM, sonxurxo sonxu...@gmail.com wrote:
Hi,
It does not work for me. For correctly replace the ports I had to modify a
bit the SecureForm code, leaving it as follows:
@Override
protected void onComponentTag(ComponentTag tag) {
super.onComponentTag(tag);
String action = tag.getAttribute(action);
if (!action.startsWith(http))
action = RequestUtils.toAbsolutePath(action);
// rewrite action to use HTTPs
if (!action.startsWith(https)) {
action = replacePort(https + action.substring(4));
}
else {
action = replacePort(action);
}
tag.put(action, action);
}
private String replacePort(String action) {
RequestCycle requestCycle = RequestCycle.get();
SecureHttpsRequestCycleProcessor processor =
(SecureHttpsRequestCycleProcessor) requestCycle
.getProcessor();
Integer port = processor.getConfig().getHttpPort();
Integer httpsPort = processor.getConfig().getHttpsPort();
action = action.replace(: + Integer.toString(port) + /,
: + Integer.toString(httpsPort) + /);
return action;
}
but the modification of the getUrl() method of SecureBufferedWebResponse
doesn't seem to affect the request for the CSS file, but only for the URLs
of links and buttons in the page (the debugger never entered that point in
that request). I'll continue trying it and modifications and keep this
thread informed up-to-date.
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3015404.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
I'm using: add(CSSPackageResource.getHeaderContribution(styles/main/layout.css)); literally as I have just written. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3015516.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Hi Ernesto and others, Yes that's what I mentioned before, I'm able to do what you say, or to redirect to the HTTP page but not showing the validation errors, but not both HTTP and show errors. By the way, if you check for secureForm.hasError(), will it catch a situation where there's not literally a validation error but a business-logic error? (e.g. when, in the onSubmit() method of your login form, you check that the password is incorrect, it's not a wicket-validation error, and then you invoke manually the error() method of the panel containing the form to show the message but not the error() method of the form itself). Will it detect those situations? I'm trying and secureForm.hasError() always return false, no matter there are even wicket-validation errors or not. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3013201.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
errors or not. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3013201.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3001634.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Hi all. I've been dealing with this and I don't have a working solution yet. The problem that my previously posted solution had is that when the form validation fails, it falls into an infinite redirect loop. Playing with my custom HttpsRequestCycleProcessor all I have achieved is to make it redirect to the right page, but in its HTTPS version, when it should be HTTP (remember, HTTPS form embedded in a HTTP page). Or if I point my custom HttpsRequestCycleProcessor to redirect it to the HTTP version, it falls in that infinite redirect cycle or it loose the form data. Any hint? Any idea? How could I override checkSecureIncoming and checkSecureOutgoing methods to be aware of those situations? Thank you in advance -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3009814.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Hi,
I'm also interested on solving this as I will need to implement a
similar use case in a coming application. The main problem I see in
solving it is that on
protected IRequestTarget checkSecureOutgoing(IRequestTarget target) {
}
even if you check for ListenerInterfaceRequestTarget and your Secure form e.g.
if (target instanceof IListenerInterfaceRequestTarget) {
IListenerInterfaceRequestTarget
interfaceRequestTarget =
(IListenerInterfaceRequestTarget) target;
Component c =
interfaceRequestTarget.getTarget();
if(SecureForm.class.isAssignableFrom(c.getClass())) {
SecureForm? secureForm =
(SecureForm?)c;
if(secureForm.hasError()) {
return target;
}
}
}
, to return the same target when you have validation errors,
ListenerInterfaceRequestTarget seem to be using logic from
PageRequestTarget
public void respond(RequestCycle requestCycle)
{
// Should page be redirected to?
if (requestCycle.isRedirect())
{
// Redirect to the page
requestCycle.redirectTo(page);
}
else
{
// Let page render itself
page.renderPage();
}
}
to redirect to a new version of the page and as the request arrives
over HTTPS then you get redirected to the page, showing validation
errors, but over https. I don't see yet how to switch it to HTTP.
Regards,
Ernesto
On Mon, Oct 25, 2010 at 8:58 AM, sonxurxo sonxu...@gmail.com wrote:
Hi all.
I've been dealing with this and I don't have a working solution yet. The
problem that my previously posted solution had is that when the form
validation fails, it falls into an infinite redirect loop.
Playing with my custom HttpsRequestCycleProcessor all I have achieved is to
make it redirect to the right page, but in its HTTPS version, when it
should be HTTP (remember, HTTPS form embedded in a HTTP page). Or if I point
my custom HttpsRequestCycleProcessor to redirect it to the HTTP version, it
falls in that infinite redirect cycle or it loose the form data.
Any hint? Any idea? How could I override checkSecureIncoming and
checkSecureOutgoing methods to be aware of those situations? Thank you in
advance
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3009814.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Yes, the HttpsRequestCycleProcessor is doing a redirect from HTTPS to HTTP, both using POST and GET methods (btw Melinda, as you pointed, this last ones preserves the values as it was expected but I can not use this way...). Is there anything I can do to avoid that? The checkSecureIncoming(IRequestTarget target) method of that class checks only that the class (or its superinterfaces) are annotated with RequireHttps, and if not, redirects to HTTP. Is there something I can do to sent the form with POST? Thank you again in advance -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005126.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Since you don't use secure Pages (pages with @RequireHttps) then I see no reason to register HttpsRequestCycleProcessor. On Thu, Oct 21, 2010 at 9:24 AM, sonxurxo sonxu...@gmail.com wrote: Yes, the HttpsRequestCycleProcessor is doing a redirect from HTTPS to HTTP, both using POST and GET methods (btw Melinda, as you pointed, this last ones preserves the values as it was expected but I can not use this way...). Is there anything I can do to avoid that? The checkSecureIncoming(IRequestTarget target) method of that class checks only that the class (or its superinterfaces) are annotated with RequireHttps, and if not, redirects to HTTP. Is there something I can do to sent the form with POST? Thank you again in advance -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005126.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
I use some secure pages annotated with @RequireHttps, but not all the pages where the login panel will be. For example, the main page or the general info page will be no secured, but the login panel will be there in both pages. There are also other profile-dependent pages that are of course full secured, and others -as I mentioned in an older post, the registration page is an example-. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005153.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Then maybe you'll need to modify org.apache.wicket.protocol.https.HttpsRequestCycleProcessor.checkSecureIncoming(IRequestTarget) to your needs. On Thu, Oct 21, 2010 at 9:56 AM, sonxurxo sonxu...@gmail.com wrote: I use some secure pages annotated with @RequireHttps, but not all the pages where the login panel will be. For example, the main page or the general info page will be no secured, but the login panel will be there in both pages. There are also other profile-dependent pages that are of course full secured, and others -as I mentioned in an older post, the registration page is an example-. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005153.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Thank you all for your responses. Yes, I was thinking about that. How could I achieve that? I'd like to be able to access the form that generated the request through the target parameter, but it's not visible. If I could, I'd determine if it's an instance of my custom SecureForm class and process the request properly. Also, I see that when the form is sent using POST, the target argument received in the checkSecureIncoming(IRequestTarget target) method is an instance of BookmarkablePageRequestTarget, and I can access there to the POST parameters which get lost after the redirect, but I don't know what can I do with them to keep them, and even more, I don't know if the things I do there may interfer with other normal request processing. Any hints to do that? Thanks -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005272.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
On Thu, Oct 21, 2010 at 11:30 AM, sonxurxo sonxu...@gmail.com wrote: Thank you all for your responses. Yes, I was thinking about that. How could I achieve that? I'd like to be able to access the form that generated the request through the target parameter, but it's not visible. If I could, I'd determine if it's an instance of my custom SecureForm class and process the request properly. Also, I see that when the form is sent using POST, the target argument received in the checkSecureIncoming(IRequestTarget target) method is an instance of BookmarkablePageRequestTarget, and I can access there to the POST parameters which get lost after the redirect, but I don't know what can I do with them to keep them, and even more, I don't know if the things I do there may interfer with other normal request processing. Any hints to do that? Thanks From the current request you can check the protocol (https), the parameters (their names are specific for that form, I guess) and if you recognize that this is the special case then just suppress the normal checkSecureIncoming() (it is protected, so you can provide your own impl). So the POST request will not be immediately redirected to GET, but it will be processed. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005272.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Hi all,
I think I finally have the solution, thanks everyone who guide me. Please
correct me if I'm missing something, I tested it quite well and everything
is OK. What I do is the following:
- I have my custom SecureForm class (inherits from Form), as I mentioned
before. It overrides the onComponentTag(ComponentTag tag) method to force it
to use HTTPS. The forms I want to use HTTPS inherit from that class.
- I wrote a custom MyHttpsRequestCycleProcessor, which extends
HttpsRequestCycleProcessor, and rewrites hasSecureAnnotation() and
getPageClass() (leaving them exactly as in HttpsRequestCycleProcessor class,
it's just because they are private and I need them). I create this utility
method:
private boolean isSecureFormRequest(IRequestTarget target) {
if (target instanceof ListenerInterfaceRequestTarget) {
Component c = ((ListenerInterfaceRequestTarget)
target).getTarget();
return SecureForm.class.isAssignableFrom(c.getClass());
}
return false;
}
and override (now actually modifying) the checkSecureIncoming() method. It
now looks like as follows:
protected IRequestTarget checkSecureIncoming(IRequestTarget target) {
if (target != null target instanceof
SwitchProtocolRequestTarget) {
return target;
}
if (getConfig() == null) {
return target;
}
Class? pageClass = getPageClass(target);
if (pageClass != null) {
IRequestTarget redirect = null;
if (hasSecureAnnotation(pageClass) ||
this.isSecureFormRequest(target)) {
redirect =
SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTPS);
} else {
redirect =
SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTP);
}
if (redirect != null) {
return redirect;
}
}
return target;
}
What I do is force HTTPS redirect not only when I find the @HttpsRequired
annotation in the Page, but also when a request is made trough an instance
of SecureForm or any of its possible subclasses.
What's your opinion? Am I missing something? Did I break something that I'll
realize in some weeks? Thank you very much for your very useful help, I just
had to put pieces together!!
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005339.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
By the way, now that it's done and supposing it's OK, wouldn't be a good idea to include something like that in the trunk? Or maybe in an extension? Maybe do the same with some links? It's just an idea, I'm surprised not a lot of people had to lead with this. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005352.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
I localized an error in my solution: when validation fails, it enters an
infinite loop of redirects through:
[...]
if (this.isSecureFormRequest(target)) {
redirect = SwitchProtocolRequestTarget.requireProtocol(Protocol.HTTPS);
}
[...]
I don't know how to make it stop when validation fails on that form. If you
have any hints, thank you in advance. If I find a solution I'll also post it
here, of course. Thanks
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3005514.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Hi Igor, thank you for your response.
I tried what you pointed. The action URL in the form is correctly replaced,
since I can see it with Firebug. And even Wicket receives the request when
pressing the submit button, but it fails on validating required fields: it
does not receive the values, neither with theFormField.getInput() (returns
) nor theFormField.getDefaultModelObjectAsString() (returns null).
Just in case it matters, I'm trying it both with Jetty (http port:9090,
https port:8443) and with Tomcat (http port:80 -with mod_jk, https
port:443), so I modified the onComponentTag method you post and my
SecureForm class now looks like:
public class SecureFormT extends FormT {
public SecureForm(String id) {
super(id);
}
@Override
protected void onComponentTag(ComponentTag tag) {
super.onComponentTag(tag);
String action = tag.getAttribute(action);
action = RequestUtils.toAbsolutePath(action);
action = https + action.substring(4);
action = action.replace(MyApplication.get().getHttpPort(),
MyApplication.get().getHttpsPort());
tag.put(action, action);
}
}
but that modification doesn't seem to be a problem since the action URL
looks OK in both cases (the port number is well replaced). Debugging with
Firebug I can see that the field values are correctly sent by POST.
More possible important info: the form is included in a Page that is NOT
annotated with @RequireHttps.
Am I missing something? Any ideas? Thank you in advance.
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3003364.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Can you try using
form wicket:id=form method=get
/form
E.M.D
On Wed, Oct 20, 2010 at 9:05 AM, sonxurxo sonxu...@gmail.com wrote:
Hi Igor, thank you for your response.
I tried what you pointed. The action URL in the form is correctly replaced,
since I can see it with Firebug. And even Wicket receives the request when
pressing the submit button, but it fails on validating required fields: it
does not receive the values, neither with theFormField.getInput() (returns
) nor theFormField.getDefaultModelObjectAsString() (returns null).
Just in case it matters, I'm trying it both with Jetty (http port:9090,
https port:8443) and with Tomcat (http port:80 -with mod_jk, https
port:443), so I modified the onComponentTag method you post and my
SecureForm class now looks like:
public class SecureFormT extends FormT {
public SecureForm(String id) {
super(id);
}
@Override
protected void onComponentTag(ComponentTag tag) {
super.onComponentTag(tag);
String action = tag.getAttribute(action);
action = RequestUtils.toAbsolutePath(action);
action = https + action.substring(4);
action = action.replace(MyApplication.get().getHttpPort(),
MyApplication.get().getHttpsPort());
tag.put(action, action);
}
}
but that modification doesn't seem to be a problem since the action URL
looks OK in both cases (the port number is well replaced). Debugging with
Firebug I can see that the field values are correctly sent by POST.
More possible important info: the form is included in a Page that is NOT
annotated with @RequireHttps.
Am I missing something? Any ideas? Thank you in advance.
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3003364.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
Thank you Melinda for your response, I didn't try that because, even when querystring (and therefore GET parameters are too) is secured with SSL, there are some reasons that point that it's a bad idea (look at the first answer at http://stackoverflow.com/questions/323200/is-a-https-query-string-secure). Thank you anyway :) -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3003805.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
look at the requests and make sure that the httpsrequestcycleprocessor
is not doing a secure-unsecure redirect which would lose the form
values.
-igor
On Wed, Oct 20, 2010 at 12:05 AM, sonxurxo sonxu...@gmail.com wrote:
Hi Igor, thank you for your response.
I tried what you pointed. The action URL in the form is correctly replaced,
since I can see it with Firebug. And even Wicket receives the request when
pressing the submit button, but it fails on validating required fields: it
does not receive the values, neither with theFormField.getInput() (returns
) nor theFormField.getDefaultModelObjectAsString() (returns null).
Just in case it matters, I'm trying it both with Jetty (http port:9090,
https port:8443) and with Tomcat (http port:80 -with mod_jk, https
port:443), so I modified the onComponentTag method you post and my
SecureForm class now looks like:
public class SecureFormT extends FormT {
public SecureForm(String id) {
super(id);
}
�...@override
protected void onComponentTag(ComponentTag tag) {
super.onComponentTag(tag);
String action = tag.getAttribute(action);
action = RequestUtils.toAbsolutePath(action);
action = https + action.substring(4);
action = action.replace(MyApplication.get().getHttpPort(),
MyApplication.get().getHttpsPort());
tag.put(action, action);
}
}
but that modification doesn't seem to be a problem since the action URL
looks OK in both cases (the port number is well replaced). Debugging with
Firebug I can see that the field values are correctly sent by POST.
More possible important info: the form is included in a Page that is NOT
annotated with @RequireHttps.
Am I missing something? Any ideas? Thank you in advance.
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3003364.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
SSL Links and buttons
Hi all, This question applies to Wicket 1.4.9. I have an app where I have a Sign-in component (Panel) that is shown in (almost) every page of the site. I'd like all the app to work over http, and that form to work over https. Since the @RequireHttps annotation only works on pages and not Components, how can I achieve that? I have some other pages (e.g. registration page) that is fully working over https with the mentioned annotation, everything is OK. But I can not get the sign-in form (included in quite some http-pages) work over https. Any ideas? If there's a core developer reading this, is there any plan of extending the @RequireHttps annotation to other Components rather than just pages? -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3001634.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: SSL Links and buttons
so far i dont think there are any plans to support ssl forms outside
of @RequireHttps
here is something that might work for you though:
class secureform extends form {
oncomponenttag(tag) {
super.oncomponenttag(tag);
string act=tag.get('action);
act=rqeuestutils.toabsoluteurl(act);
act=https+act.substring(4);
tag.put(action, act);
}
}
-igor
On Tue, Oct 19, 2010 at 1:15 AM, sonxurxo sonxu...@gmail.com wrote:
Hi all,
This question applies to Wicket 1.4.9.
I have an app where I have a Sign-in component (Panel) that is shown in
(almost) every page of the site. I'd like all the app to work over http, and
that form to work over https. Since the @RequireHttps annotation only works
on pages and not Components, how can I achieve that?
I have some other pages (e.g. registration page) that is fully working over
https with the mentioned annotation, everything is OK. But I can not get the
sign-in form (included in quite some http-pages) work over https.
Any ideas?
If there's a core developer reading this, is there any plan of extending
the @RequireHttps annotation to other Components rather than just pages?
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/SSL-Links-and-buttons-tp3001634p3001634.html
Sent from the Users forum mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
