For the custom navigation handler, I don't have an example, but you
could just setup some kind of pattern that you could parse via regex.
Something like
secure:/myview.xhtml
Then in the navigation handler, see:
private final static String SECURE = "secure:";
...
if (viewId.startsWith(SECURE))
{
viewId = viewId.substring(SECURE.length());
// see if the HttpServletRequest.isSecure() returns false
// if so then:
// get the faces external context
// build the full URL including "https"
// call external context.redirect
// call context.responseComplete();
}
else ...
You have to use a redirect one way or another, so it being in a
navigation handler just makes it available to all action responses.
Also, make sure you remember once you redirect the user, they may lose
their session, and they definitely will if you redirect from HTTPS to
HTTP. Servlets use a in-memory cookie to store the session ID. Since
it is a cookie, it falls under the W3C specification for cookie
handling. So for example, if the cookie is marked as secure, it cannot
be seen from HTTP.
Make sure you are not planning on authenticating them under HTTPS, and
then redirecting them to HTTP and trying to retain an insecure session
ID. If so, impersonation attacks would be a piece of cake against your
code.
On 5/3/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Andrew,
Thanks for the tips. I think that method (1) can work for me in some
situations, but not in general. Would you happen to know or have any
examples for the method (2) [custom navigation handler]? I appreciate
your help *very* much!
----- Original Message -----
From: Andrew Robinson <[EMAIL PROTECTED]>
Date: Wednesday, May 2, 2007 3:50 pm
Subject: Re: Navigation to and from an HTTPS URL
To: MyFaces Discussion <[email protected]>
> Two methods:
>
> 1) In your action or actionListener use the external context to
> send a
> redirect or
> 2) Use a custom navigation handler that builds a URL then changes
> the protocol
>
> On 5/2/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Does anyone have any tips how you can implement navigating to and
> from> an HTTPS URL from a commandLink or commandButton?
> >
>
