On Fri, Apr 19, 2013 at 11:55 AM, Stone, Timothy <tst...@barclaycardus.com> wrote:

> This seems to me to be a solved problem that is not directly a Stripes
> problem or a problem needing to be found in a Stripes solution.
>
> 1. You can do this in Apache (not so much direct Tomcat, where
> Chris, downthread, gives an application context solution)
> In your Directory, Location or VHost, require SSL:
> SSLRequireSSL # this will outright deny access with HTTPS. May not be what
> you need.
>
> We actually force SSL in non-secure domains with a RewriteCond and Rule
> RewriteCond %{HTTPS} !=on
> RewriteRule  ^/(.*)$ https://www.domain.com/$1
>
>
Yes I can do this via the vhosts setup I have.

> 2. If you want to force HTTPS in a login, POST to HTTPS, e.g.,
> <form action="https://..." method="post" ...>, this will force
> negotiation of the secure channel before accidentally leaking login
> information
> This technique was formerly discouraged, but in wide use today. It will
> also solve the session state issue.
>
>
I know I can also put the URL in myself instead of doing <stripes:form
beanclass= ... >, but I was hoping to avoid this. I was hoping there'd be
something like a parameter to the tag that would set the scheme in the
generated url, rather than inheriting it. I had a poke through the docs and
couldn't find anything.

I guess it's just a matter of accepting the redirect or writing the urls
directly, rather than having them generated.

Thanks

Chris

> Hope this helps,
>
> Tim
>
> *From:* Chris Cheshire [mailto:cheshira...@gmail.com]
> *Sent:* Friday, April 19, 2013 11:35 AM
> *To:* Stripes Users List
> *Subject:* Re: [Stripes-users] switch to https
>
> I use essentially the same thing - the Tuckey URLRewrite servlet filter.
> Unfortunately it breaks form posts which is why I was wondering whether
> there is a way to build the url with https.
>
> On Fri, Apr 19, 2013 at 11:28 AM, Adam Stokar <ajsto...@gmail.com> wrote:
>
> I use a stripes interceptor.  If any request comes in that is supposed to
> be secure, it will redirect to the https version.
>
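> // Redirect requests that must be secure but did not arrive over https.
> if (isSecure(request) && url.indexOf("https") != 0) {
>     // Swap only the leading scheme; replace("http", "https") would also
>     // rewrite any "http" inside the path or query string.
>     url = url.replaceFirst("^http:", "https:");
>     return new RedirectResolution(url, false);
> }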
>
> On Fri, Apr 19, 2013 at 11:22 AM, Chris Cheshire <cheshira...@gmail.com>
> wrote:
>
> No, I want to know how to switch from http to https without using url
> rewriting (apache, tomcat filter) if possible. I'm fine with everything
> being https once the switch is made, I just need to know how to make the
> switch when building links via stripes:link or stripes:form where possible.
>
> On Fri, Apr 19, 2013 at 10:18 AM, Adam Stokar <ajsto...@gmail.com> wrote:
>
> I had to deal with this a long time ago.  The best solution was to make
> all pages use https.  When you switch from http to https, a new session id
> is created and it complicates everything.  Is there a reason you need http?
>
> On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <cheshira...@gmail.com>
> wrote:
>
> How do I tell a stripes:link or stripes:form that I want it to switch
> to https? Eg. Start at a non-secure page and switch to https on login.
>
> Do I have to use url rewrite rules, or is there something in Stripes I can
> use?
>
> Thanks
>
> Chris
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
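
The interceptor quoted in this thread switches scheme by string replacement. As an added example (not code from any list member or from Stripes), this standalone helper rebuilds the redirect target with java.net.URI so that only the scheme and port change. The class name, the port pairing and the sample URLs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: standalone helper, not Stripes code and not from the thread.
public class HttpsUpgrade {

    // Assumed plain -> TLS port pairing; adjust to the connectors actually deployed.
    static int tlsPort(int plainPort) {
        switch (plainPort) {
            case -1:
            case 80:   return -1;    // default ports: leave the port out of the URL
            case 8080: return 8443;  // common Tomcat pairing (assumption)
            default:   throw new IllegalArgumentException("no TLS port mapped for " + plainPort);
        }
    }

    // Returns the https form of an absolute http URL; https URLs pass through unchanged.
    static String toHttps(String url) throws URISyntaxException {
        URI u = new URI(url);
        String scheme = u.getScheme();
        if ("https".equalsIgnoreCase(scheme)) {
            return url;
        }
        if (!"http".equalsIgnoreCase(scheme) || u.getHost() == null) {
            throw new IllegalArgumentException("not an absolute http(s) URL: " + url);
        }
        // Rebuild from the raw components so existing percent-encoding is left untouched.
        StringBuilder sb = new StringBuilder("https://").append(u.getHost());
        int port = tlsPort(u.getPort());
        if (port != -1) sb.append(':').append(port);
        if (u.getRawPath() != null) sb.append(u.getRawPath());
        if (u.getRawQuery() != null) sb.append('?').append(u.getRawQuery());
        if (u.getRawFragment() != null) sb.append('#').append(u.getRawFragment());
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs.
        String[] samples = {
            "http://www.domain.com/login.action?next=http://www.domain.com/home",
            "http://localhost:8080/app/Login.action",
            "https://www.domain.com/login.action"
        };
        for (String s : samples) {
            System.out.println(s.replace("http", "https") + "   <- String.replace");
            System.out.println(toHttps(s) + "   <- toHttps");
        }
    }
}
```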
