There is a difference in how items are displayed and how submits/links are
to be performed.  There are cases where a HTTP page has a form that is to be
submitted via HTTPS.  And furthermore, when an Page is to be displayed via
HTTPS, not all items (images,resources) are to be served via HTTPS  (ex: <
i.m.g src="/path/image.gif"> on a secure page will be accessed via HTTPS). 
Hopefully you agree with this.

Let me explain via a use case, I think this would be more helpful.  In the
end, I will attempt to differentiate between the two approaches.

Five pages for my application (to keep it simple): 
- home page
- login page
- user home page
- user profile page
- company info page.

On the home page, I have login portlet/form (user id, password).
- home page is to be displayed via HTTP
- Login form is to be submitted via HTTPS
- Upon successful login, the user home page is displayed in HTTP
- if login is unsuccessful, the login page is displayed in HTTPS

On the user home page, there is a link to the user profile page.
- user profile page is to be displayed via HTTPS
- user profile submits are to be via HTTPS
- canceling the user profile will send it back to the user home page via

- All images and resource links are to be accessed via HTTP irregardless if
the page itself is to be displayed in HTTP/HTTPS
- Company info page is to be available at all times and is to be accessed
via HTTP.

Now I tried both approaches with the above scenarios and viewed the source
of the generated html in the browser.  Here are my observations.  Please
correct me if I mistaken as it is possible I have missed something or
incorrect in my evaluation.

In both approaches, LoginPage and UserProfile has @RequiredSSL.  When
accessed, they are displayed properly.

The behaviors in your suggested approach are this:
   - I cannot have a login portlet on the home page submit the form via
HTTPS unless the Home Page is in HTTPS
   - When on any secure page, the link to Company info page will first
submit via HTTPS then redirect to HTTP (two network requests)
   - When on any secure page, all resources and images will be fetched via

In my suggested approach:
  - I can declare the Form @RequiredSSL and have its submit performed via
HTTPS no matter if the form is on a non-secure page
  - All code generated resources and images will be accessed via HTTP no
matter if page is displayed in HTTPS
  - no redirection is necessary when accessing a non-secure page from a
secure page because the URL generatation is proactive

Most of my clients do not want to have trivial resources (js, css, images)
fetched via HTTPS.  This creates an undo burden on the SSL pipe and
ultimately affects performance, user experience, and capacity planning. 
While this is trivial for a 100 user site with 1 txn/sec, this will not
scale well for 1000txn/sec site.  I define txn as a http req in this case
not business txn.

Does this make sense to you?  Have I cleared up a little? or have clouded it

- Doug

View this message in context: 
Sent from the Wicket - User mailing list archive at Nabble.com.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to