tapestry-users mailing list archives

From Alan Chandler <a...@chandlerfamily.org.uk>
Subject Re: https again and still absolutely clueless :(
Date Fri, 27 Jan 2006 23:24:49 GMT
On Friday 27 January 2006 16:17, Cliff Zhao wrote:
> I'm not an Apache expert, but I think that you can have Apache redirect your
> pages. Namely, when Apache gets http requests supposed to be https, Apache
> will redirect them to the https equivalent.
>

I think you have to be quite careful.  The https causes the browser to 
negotiate the encryption, so you can't use apache to randomly change incoming 
protocols.

I am not sure I understand the problem from earlier discussion in this thread.
However ...

I run an application that I want to be https when accessed from the internet
(so that the basic authentication is properly encrypted - as well as the fact
that the application is displaying sensitive financial data), but uses http
when accessed from in my local area network.  I have tomcat front ended by
apache (which I use for all my security control). Effectively inside apache I
have almost identical virtual host configurations for the two (by using a
common include file) and then use rewrite rules to block access from the
internet to non https protocols.  This actually causes the user to see an
error message if he tries it. However, tapestry builds urls in the correct
protocol (http or https) as the incoming request.

In order to get it to allow logon to selected areas, I use basic
authentication (actually it's enhanced to look up users and groups in a
database) controlled via <location> blocks within the apache configuration.
I gave up on tomcat's validation when I realised it didn't work with apache
in front of it.

What I suspect is being asked here is that when moving from one part of the
application to another that you transition from http to https.  In Tapestry 4
I believe that is what the "scheme" parameter on the @DirectLink and
@PageLink components is about.

Even so, in this case, I think you will need separate virtual hosts inside 
apache for the http and https parts as http will be received on port 80 and 
https on port 443. 

-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.
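
The layout described in the message above, sketched as an added example that is not part of the original message and not the poster's actual configuration. The host name, file paths, LAN range, the flat-file auth provider (standing in for the database lookup) and the use of mod_proxy_ajp to reach Tomcat are all assumptions.

```apache
# ---- File 1: conf/app-common.conf (hypothetical name), included by both hosts ----
# Basic authentication is enforced by Apache, not by Tomcat.
<Location "/app">
    AuthType Basic
    AuthName "Finance application"
    # Assumption: a flat password file stands in for the database lookup.
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/app.htpasswd"
    Require valid-user
</Location>
# Assumption: Tomcat's AJP connector on its default port, reached via mod_proxy_ajp.
ProxyPass "/app" "ajp://127.0.0.1:8009/app"

# ---- File 2: the two virtual hosts ----
<VirtualHost *:80>
    ServerName app.example.org
    RewriteEngine On
    # Plain HTTP is only for the LAN (192.168.1.0/24 assumed); anyone else gets 403.
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
    RewriteRule ^ - [F]
    Include conf/app-common.conf
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.org
    SSLEngine on
    SSLCertificateFile    "/etc/apache2/ssl/app.example.org.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/app.example.org.key"
    Include conf/app-common.conf
</VirtualHost>
```

In virtual-host context the rewrite rule is evaluated before the authentication phase, so an internet client on port 80 is refused with 403 before Apache issues a Basic challenge over the unencrypted connection.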
