Our Wicket application is stateless and doesn't need an HttpSession (the JSessionID is disabled by default for some SEO reasons for all requests). In Wicket 1.4 we use our own CodingStrategy implementation to switch between the Http/Https protocols if a secure annotation (RequireHttps) for a page class is present. This is not an option with Wicket 1.5 because coding strategies are replaced by IRequestMapper implementations. So we use the HttpsMapper as RootRequestMapper to switch over to Https. As I've noticed, using the HttpsMapper forces the application to create an HttpSession by default, even if no secure page is present. In my opinion, session binding should be done within the HttpsRequestChecker class (checkSecureIncoming) and only if the switch to the Https protocol is really required. Or am I missing something? Setting HttpsConfig.setPreferStateful(false) is also not an option. In that case we end up with two sessions per user.
HttpsMapper.java:

    public IRequestHandler mapRequest(final Request request)
    {
        IRequestHandler requestHandler = delegate.mapRequest(request);
        if (requestHandler != null)
        {
            final IRequestHandler httpsHandler = checker.checkSecureIncoming(requestHandler, httpsConfig);

            // XXX do we need to check if httpsHandler is instance of SwitchProtocolRequestHandler
            if (httpsConfig.isPreferStateful())
            {
                // we need to persist the session before a redirect to https so the session lasts
                // across both http and https calls.
                Session.get().bind();
            }

            requestHandler = httpsHandler;
        }
        return requestHandler;
    }
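The difference between the quoted behaviour and the change the post asks for, modelled as an added example (not code from the post or from Wicket). Every type and method here is a simplified, hypothetical stand-in for the Wicket names mentioned above, the traffic is constructed, and it needs Java 16 or later.

```java
// Simplified stand-ins for the Wicket types named in the post (assumptions,
// not the real org.apache.wicket classes or their signatures).
public class ConditionalBindSketch {
    interface Handler {}
    record PageHandler(String page, boolean requiresHttps) implements Handler {}
    record SwitchProtocolHandler(String targetScheme, Handler next) implements Handler {}

    static int sessionsBound = 0;                  // counts stand-in Session.get().bind() calls
    static void bindSession() { sessionsBound++; }

    // Stand-in for checker.checkSecureIncoming(): wraps the handler in a
    // protocol switch only when the request scheme is not the one the page needs.
    static Handler checkSecureIncoming(Handler h, String scheme) {
        PageHandler p = (PageHandler) h;
        String wanted = p.requiresHttps() ? "https" : "http";
        return wanted.equals(scheme) ? h : new SwitchProtocolHandler(wanted, h);
    }

    // Behaviour quoted in the post: bind whenever preferStateful is set.
    static Handler mapAlwaysBind(Handler h, String scheme, boolean preferStateful) {
        Handler out = checkSecureIncoming(h, scheme);
        if (preferStateful) bindSession();
        return out;
    }

    // Behaviour the post proposes: bind only when a switch to https is issued,
    // so stateless traffic to non-secure pages never creates a session.
    static Handler mapBindOnSwitch(Handler h, String scheme, boolean preferStateful) {
        Handler out = checkSecureIncoming(h, scheme);
        if (preferStateful && out instanceof SwitchProtocolHandler s
                && "https".equals(s.targetScheme())) bindSession();
        return out;
    }

    public static void main(String[] args) {
        // Constructed traffic, all arriving over http: two plain pages, one secure page.
        Handler home = new PageHandler("Home", false);
        Handler login = new PageHandler("Login", true);
        Handler[] requests = { home, home, login };

        for (Handler r : requests) mapAlwaysBind(r, "http", true);
        int always = sessionsBound;
        sessionsBound = 0;
        for (Handler r : requests) mapBindOnSwitch(r, "http", true);

        System.out.println("always-bind: " + always + ", bind-on-switch: " + sessionsBound);
    }
}
```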