I don't believe this is about production mode; this is more likely an artifact of how your app is configured behind your firewall, rather than how it runs on your workstation ... modulo that, by default in development mode, secure is disabled.
When Tapestry detects that an incoming request is not secure but the pages referenced by the rendered page are secure, it forms a complete URL, to ensure the transition from HTTP to HTTPS. What I suspect is that you have marked your pages with @Secure, but that your firewall is handling the HTTPS, and forwarding an HTTP request into the servlet container hosting the application. When the firewall handles HTTPS, rather than the Tapestry application running inside the servlet container, then yes, your should not use @Secure and may want to deactivate it entirely. I'd appreciate some feedback about how well this matches your configuration before updating the documentation. On Mon, Apr 9, 2012 at 5:01 PM, Bob Harner <bobhar...@gmail.com> wrote: > Hi Richard! > > By default Tapestry is trying to be helpful and secure for apps in > which only some of the pages should be running with HTTPS. But when > the whole site should be running with HTTPS you'll need to tell > Tapestry this, and the correct way to do that is to set the > tapestry.secure-enabled symbol to false in your application module > class (normally AppModule.java). Yes, I know it seems > counter-intuitive at first. > > http://tapestry.apache.org/https.html provides a pretty good > description of these options, if you haven't seen it yet. > > But you're right, this needs to be better documented. All of the > effects of production mode should be listed or referenced at > http://tapestry.apache.org/configuration.html#Configuration-tapestry.productionmode, > and the FAQ should probably mention the HTTP -> HTTPS switching > behavior, which catches quite a few people. I'll make a note to > improve the docs in these areas if somebody doesn't beat me to it. Is > there any other place where you looked and didn't find this > information? > > On Mon, Apr 9, 2012 at 7:22 PM, Richard Frovarp <rfrov...@apache.org> wrote: >> I have a simple application in Tapestry 5.3.2. With production mode false, >> all of the URLs generated in the pages, including forms, are relative. This >> means HTTPS works just fine. >> >> With production mode true, all of the URLs are absolute with HTTP, which >> breaks things. >> >> I don't mind the full URLs, as they are at the correct host. The problem is >> the HTTP instead of HTTPS. Nothing in the documentation states that >> production mode will cause this change. I'm not sure if this is a bug or >> not. >> >> Additionally, how do I get it to use HTTPS only and all of the time? Looking >> at the documentation, it would seem that I should set tapestry.secure-page >> to true in my AppModule. >> >> Thanks, >> Richard >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org >> For additional commands, e-mail: users-h...@tapestry.apache.org >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org > For additional commands, e-mail: users-h...@tapestry.apache.org > -- Howard M. Lewis Ship Creator of Apache Tapestry The source for Tapestry training, mentoring and support. Contact me to learn how I can get you up and productive in Tapestry fast! (971) 678-5210 http://howardlewisship.com --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
