cocoon-dev mailing list archives

From Sylvain Wallez <sylv...@apache.org>
Subject Re: Protocol switch in portals
Date Tue, 20 Sep 2005 16:54:20 GMT
Ralph Goers wrote:

> Sylvain Wallez wrote:
>
>>
>> You're right: a working getServerName() is actually needed as soon as 
>> we want to switch protocols. But that only happens on sites mixing 
>> http and https for urls served by Cocoon, which isn't always the case.
>
>
> You'd be surprised how often you need this!  Obviously, you need it 
> for something like the petstore where you place an order, but you need 
> it for almost any form that has data that might be considered 
> "sensitive", i.e. it has account numbers, social security numbers, 
> passwords, etc.  In fact, the login page really should be secure but 
> then you want to switch to http for the majority of a site.


Hmm... but if you switch to http after having authenticated through 
https, then the session-id can be hijacked, thus allowing access to the 
sensitive data.

>>  
>> Sorry: what do you mean by "current protocol" and "protocol request"? 
>> I guess it's "the protocol of the current request" and "the protocol 
>> asked for by the caller of getLinkURI()"?
>>
>> That should be something like:
>>  String proto;
>>  if (secure == null) {
>>      proto = request.getScheme();
>>  } else {
>>      proto = secure.booleanValue() ? "https" : "http";
>>  }
>>
>>  if (proto.equals(request.getScheme())) {
>>      // same scheme: do not absolutize
>>  } else {
>>      // different scheme: absolutize
>>  }
>>
>> This actually filters more cases where absolutizing will effectively 
>> happen, which I like :-)
>
>
> Yes, this looks like what is needed.


Great!

Sylvain

-- 
Sylvain Wallez                        Anyware Technologies
http://people.apache.org/~sylvain     http://www.anyware-tech.com
Apache Software Foundation Member     Research & Technology Director
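
Added example (not part of the original message and not Cocoon's code): the scheme decision discussed above as a self-contained Java method that returns a relative path when the scheme is unchanged and an absolute URL when it switches. The class and method names, the port parameters and the host name are assumptions made for illustration.

```java
import java.util.Objects;

// Illustration only: LinkSchemeSwitch and linkUri are hypothetical names, not Cocoon API.
public class LinkSchemeSwitch {

    /**
     * @param secure null = keep the scheme of the current request,
     *               TRUE = link must be https, FALSE = link must be http
     */
    static String linkUri(String requestScheme, String serverName,
                          int httpPort, int httpsPort,
                          String path, Boolean secure) {
        String proto = (secure == null)
                ? requestScheme
                : (secure.booleanValue() ? "https" : "http");

        if (proto.equals(requestScheme)) {
            // same scheme: do not absolutize
            return path;
        }

        // different scheme: absolutize; this is the only branch that needs
        // a working server name
        Objects.requireNonNull(serverName, "server name is required to switch protocols");
        int port = proto.equals("https") ? httpsPort : httpPort;
        boolean defaultPort = (proto.equals("https") && port == 443)
                || (proto.equals("http") && port == 80);
        return proto + "://" + serverName + (defaultPort ? "" : ":" + port) + path;
    }

    public static void main(String[] args) {
        String host = "shop.example.org"; // constructed sample value

        // http request, no preference: link stays relative
        System.out.println(linkUri("http", host, 8080, 8443, "/portal/catalog", null));
        // http request, secure link asked for: scheme switches, link is absolutized
        System.out.println(linkUri("http", host, 8080, 8443, "/portal/login", Boolean.TRUE));
        // https request, secure link asked for: same scheme, link stays relative
        System.out.println(linkUri("https", host, 8080, 8443, "/portal/checkout", Boolean.TRUE));
        // https request, plain link asked for: scheme switches, default port is omitted
        System.out.println(linkUri("https", host, 80, 443, "/portal/news", Boolean.FALSE));
    }
}
```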

