Versions Compared

Old Version 22

changes.mady.by.user Bob Harner

Saved on

compared with

New Version 23

changes.mady.by.user Bob Harner

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: restore

Securing your application with HTTPS

Div
stylefloat:right
titleRelated Articles
classaui-label
Content by Label
showLabelsfalse
showSpacefalse
titleRelated Articles
cqllabel = "security" and space = currentSpace()

Tapestry assumes your application will be primarily deployed as a standard web application, using HTTP (not HTTPS) as the transport mechanism.

...

All that is necessary to mark a page as secure is to add the @Secure annotation to the page class:

Code Block
@Secure
public class ProcessOrder
{
  . . .
}

When a page is marked as secure, Tapestry will ensure that access to that page uses HTTPS. All links to the page will use the "https" protocol.

...

This is accomplished by making a contribution to the MetaDataLocator service configuration. For example, to secure all pages in the "admin" folder:

Code Block
public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration)
{
    configuration.add("admin:" + MetaDataConstants.SECURE_PAGE, "true");
}

Here "admin" is the folder name, and the colon is a separator between the folder name and the the meta data key. SECURE_PAGE is a public constant for value "tapestry.secure-page";

...

If you want to make your entire application secure:

Code Block
public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration)
{
    configuration.add(MetaDataConstants.SECURE_PAGE, "true");
}

With no colon, the meta data applies to the entire application (including any component libraries used in the application).

...

Fortunately, it is very easy to override this implementation. Here's an example of an override that uses the default port numbers that the Jetty servlet container uses for normal HTTP (port 8080) and for secure HTTPS (port 8443):

Code Block
    public static void contributeServiceOverride(MappedConfiguration<Class,Object> configuration)
    {
        BaseURLSource source = new BaseURLSource()
        {
            public String getBaseURL(boolean secure)
            {
                String protocol = secure ? "https" : "http";

                int port = secure ? 8443 : 8080;

                return String.format("%s://localhost:%d", protocol, port);
            }
        };

        configuration.add(BaseURLSource.class, source);
    }

This override is hardcoded to generate URLs for localhost; as such you might use it for development but certainly not in production.

...

When working in development mode, the Secure annotation is ignored. This is controlled by the tapestry.secure-enabled configuration symbol.

Application Server Configuration

...