This message is sent across https from Gmail :)
It only works, however, when you use https: in the first place to
connect to Gmail. The default (http:) is less straining on the server
resources, I suppose (though Google should have enough of that).
Martijn
On 7/30/07, shumbola <[EMAIL PROTECTED]> wrote:
>
>
>
> Upayavira-2 wrote:
> >
> > shumbola wrote:
> >> I want to be able to switch to SSL when the SignIn page is shown to a
> >> user and, if successful, then switch back to the normal HTTP protocol.
> >> I'm using wicket-1.3.
> >
> > We recently had a security firm audit our application. They pointed out
> > that such an approach is flawed.
> >
> > Basically, you secure the transfer of username/passwords, but from then
> > on, you pass a session cookie unprotected. For the lifespan of that
> > cookie, gaining access to the cookie would grant the same access to the
> > application as would the username/password.
> >
> > Therefore, by rights, if you wish to protect the transfer of
> > username/password, the entire application should use SSL.
> >
> > Hope I'm not missing something.
> >
> > Regards, Upayavira
> >
> >> In my Application class I've come up with the following:
> >>
> >> protected IRequestCycleProcessor newRequestCycleProcessor() {
> >>     return new WebRequestCycleProcessor() {
> >>         public void respond(RequestCycle requestCycle) {
> >>             IRequestTarget target = requestCycle.getRequestTarget();
> >>             WebResponse response = (WebResponse) requestCycle.getResponse();
> >>             WebRequest request = (WebRequest) requestCycle.getRequest();
> >>             HttpServletRequest httpServletRequest = request.getHttpServletRequest();
> >>             if (target instanceof BookmarkablePageRequestTarget) {
> >>                 if (((BookmarkablePageRequestTarget) target).getPage() instanceof SignIn
> >>                         && !httpServletRequest.isSecure()) {
> >>                     // SignIn requested over plain HTTP: redirect to HTTPS
> >>                     StringBuffer url = new StringBuffer("https://");
> >>                     url.append(httpServletRequest.getServerName());
> >>                     url.append(":").append(HTTPS_PORT);
> >>                     String s = RequestCycle.get().urlFor(target).toString();
> >>                     url.append("/app/").append(s);
> >>                     response.redirect(url.toString());
> >>                 } else if (((BookmarkablePageRequestTarget) target).getPage() instanceof Home
> >>                         && httpServletRequest.isSecure()) {
> >>                     // Home requested over HTTPS: redirect back to plain HTTP
> >>                     StringBuffer url = new StringBuffer("http://");
> >>                     url.append(httpServletRequest.getServerName());
> >>                     url.append(":").append(HTTP_PORT);
> >>                     String s = RequestCycle.get().urlFor(target).toString();
> >>                     url.append("/app/").append(s);
> >>                     response.redirect(url.toString());
> >>                 } else {
> >>                     target.respond(requestCycle);
> >>                 }
> >>             } else {
> >>                 target.respond(requestCycle);
> >>             }
> >>         }
> >>     };
> >> }
> >>
> >> It kinda works but I'm not sure if I'm doing it the right way. And I'm
> >> not sure if it is bug free. I don't fully understand how the Wicket
> >> request cycle works, so I need your help there.
> >>
> >> Thanks.
> >> shumbola
> >>
> >>
> >
> >
>
> Don't Yahoo Mail, Gmail, etc. work that way?
> When I go to my Yahoo Mail it switches to the SSL sign-in page and
> afterwards switches back to http. Or is there additional protection then?
>
> shumbola
> --
> View this message in context:
> http://www.nabble.com/Switching-to-SSL-for-SignIn-page-tf4169495.html#a11862436
> Sent from the Wicket Users New mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
--
Wicket joins the Apache Software Foundation as Apache Wicket
Apache Wicket 1.3.0-beta2 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.0-beta2/
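
Added example (not part of the original thread and not Wicket's own code): one way to follow the auditors' advice quoted above is a servlet filter that sends every plain-HTTP request to HTTPS and never redirects back, so the session cookie is not sent in clear text. The class name HttpsOnlyFilter and the init-param "httpsPort" are assumptions made for this sketch; the web.xml cookie-config element mentioned in the comment requires Servlet 3.0 or later.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: keeps the whole application on HTTPS instead of
 * only the SignIn page. Pair it with
 * <session-config><cookie-config><secure>true</secure></cookie-config></session-config>
 * in web.xml so the browser never attaches the session cookie to an http: request.
 */
public class HttpsOnlyFilter implements Filter {
    private int httpsPort = 443; // assumption: overridden via init-param "httpsPort"

    public void init(FilterConfig config) {
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.isSecure()) {
            chain.doFilter(req, res); // already on TLS: serve normally
            return;
        }
        // Plain HTTP: serve no page content here, whichever page was requested.
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        response.sendRedirect(url.toString());
    }

    public void destroy() { }
}
```

Map the filter to /* so it runs before the Wicket filter or servlet; a form POST that arrives over http loses its body on the redirect, so links and form actions should already point at https.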