Hi,

On Thu, Nov 17, 2011 at 10:34 AM, Dirk Forchel <dirk.forc...@exedio.com> wrote:
> Our Wicket application is stateless and doesn't need a HttpSession (the
> JSessionID is disabled by default for some SEO reasons for all requests). In
> Wicket 1.4 we use our own CodingStrategy implementation to switch between
> the Http/Https protocols if a secure annotation (RequireHttps) for a page
> class is present. This is not an option with Wicket 1.5 because coding
> strategies are replaced by IRequestMapper implementations.
> So we use the HttpsMapper as RootRequestMapper to switch over to Https. As
> I've noticed, using the HttpsMapper forces the application to create a
> HttpsSession by default, even if no secure page would be present. In my
> opinion, session binding should be done within the HttpsRequestChecker class
> (checkSecureIncoming) and only if the switch to the Https protocol is really
> required. Or am I missing something?
> Setting the HttpsConfig.setPreferStateful(false) is also not an option. In
> that case we end up with two sessions per user.

How does that happen?
This config option is there for exactly that purpose.

>
> HttpsMapper.java:
>
>        public IRequestHandler mapRequest(final Request request)
>        {
>                IRequestHandler requestHandler = delegate.mapRequest(request);
>                if (requestHandler != null)
>                {
>                        final IRequestHandler httpsHandler = checker.checkSecureIncoming(requestHandler,
>                                httpsConfig);
>                        // XXX do we need to check if httpsHandler is instance of SwitchProtocolRequestHandler
>                        if (httpsConfig.isPreferStateful())
>                        {
>                                // we need to persist the session before a redirect to https so the session lasts
>                                // across both http and https calls.
>                                Session.get().bind();
>                        }
>                        requestHandler = httpsHandler;
>                }
>                return requestHandler;
>        }
>
> --
> View this message in context: 
> http://apache-wicket.1842946.n4.nabble.com/HttpsMapper-creates-HttpSession-by-default-tp4079305p4079305.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
