Dave,

There is a difference in how items are displayed and how submits/links are to be performed. There are cases where an HTTP page has a form that is to be submitted via HTTPS. And furthermore, when a page is to be displayed via HTTPS, not all items (images, resources) are to be served via HTTPS (ex: <img src="/path/image.gif"> on a secure page will be accessed via HTTPS). Hopefully you agree with this.

Let me explain via a use case; I think this would be more helpful. In the end, I will attempt to differentiate between the two approaches.

Five pages for my application (to keep it simple):
- home page
- login page
- user home page
- user profile page
- company info page

On the home page, I have a login portlet/form (user id, password).

Requirements:
- home page is to be displayed via HTTP
- Login form is to be submitted via HTTPS
- Upon successful login, the user home page is displayed in HTTP
- if login is unsuccessful, the login page is displayed in HTTPS

On the user home page, there is a link to the user profile page.
- user profile page is to be displayed via HTTPS
- user profile submits are to be via HTTPS
- canceling the user profile will send it back to the user home page via HTTP
- All images and resource links are to be accessed via HTTP regardless of whether the page itself is to be displayed in HTTP/HTTPS
- Company info page is to be available at all times and is to be accessed via HTTP.

Now I tried both approaches with the above scenarios and viewed the source of the generated HTML in the browser. Here are my observations. Please correct me if I am mistaken, as it is possible I have missed something or am incorrect in my evaluation.

In both approaches, LoginPage and UserProfile have @RequiredSSL. When accessed, they are displayed properly.

The behaviors in your suggested approach are these:
- I cannot have a login portlet on the home page submit the form via HTTPS unless the Home Page is in HTTPS
- When on any secure page, the link to the Company info page will first submit via HTTPS then redirect to HTTP (two network requests)
- When on any secure page, all resources and images will be fetched via HTTPS

In my suggested approach:
- I can declare the Form @RequiredSSL and have its submit performed via HTTPS no matter if the form is on a non-secure page
- All code-generated resources and images will be accessed via HTTP no matter if the page is displayed in HTTPS
- no redirection is necessary when accessing a non-secure page from a secure page because the URL generation is proactive

Most of my clients do not want to have trivial resources (js, css, images) fetched via HTTPS. This creates an undue burden on the SSL pipe and ultimately affects performance, user experience, and capacity planning. While this is trivial for a 100-user site with 1 txn/sec, this will not scale well for a 1000 txn/sec site. I define txn as an HTTP request in this case, not a business txn.

Does this make sense to you? Have I cleared it up a little, or have I clouded it further?

Cheers
- Doug

--
View this message in context: http://www.nabble.com/Redirect-to-HTTPS--tf4509537.html#a12906996
Sent from the Wicket - User mailing list archive at Nabble.com.
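
The request sequences the message describes for reactive (redirect) versus proactive URL generation, as an added example that is not part of the original message or of Wicket's code. The `RequiredSSL` annotation here is a local stand-in, and the target classes, host and paths are constructed.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.ArrayList;
import java.util.List;

public class SchemeSwitchDemo {
    // Local stand-in for the @RequiredSSL marker named in the message (assumption).
    @Retention(RetentionPolicy.RUNTIME)
    @interface RequiredSSL {}

    // Hypothetical link/form targets modelled on the use case.
    static class CompanyInfoPage {}
    @RequiredSSL static class LoginForm {}

    static String schemeFor(Class<?> target) {
        return target.isAnnotationPresent(RequiredSSL.class) ? "https" : "http";
    }

    // Proactive: the renderer writes an absolute URL with the target's scheme,
    // so the browser's first request already uses it.
    static List<String> proactive(String host, String path, Class<?> target) {
        return List.of(schemeFor(target) + "://" + host + path);
    }

    // Reactive: the renderer writes a relative URL, the browser reuses the
    // current page's scheme, and the server redirects when that is wrong.
    static List<String> reactive(String currentScheme, String host, String path, Class<?> target) {
        List<String> requests = new ArrayList<>();
        requests.add(currentScheme + "://" + host + path);
        String wanted = schemeFor(target);
        if (!wanted.equals(currentScheme)) {
            requests.add(wanted + "://" + host + path);
        }
        return requests;
    }

    public static void main(String[] args) {
        String host = "app.example.test"; // constructed host
        // Login form embedded in the HTTP home page.
        System.out.println("login, proactive: " + proactive(host, "/login", LoginForm.class));
        // In the reactive case the first entry is the form POST sent over plain HTTP.
        System.out.println("login, reactive:  " + reactive("http", host, "/login", LoginForm.class));
        // Company info link followed from the HTTPS profile page.
        System.out.println("info,  proactive: " + proactive(host, "/company", CompanyInfoPage.class));
        System.out.println("info,  reactive:  " + reactive("https", host, "/company", CompanyInfoPage.class));
    }
}
```

Current browsers block `http://` scripts and stylesheets referenced from an `https://` page as mixed content, so the sketch covers page links and form actions only.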