SSL on url demand

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

SSL on url demand

h3ph3st0s
Hi,

I built a small tapestry page under jboss. I read that in order to apply
SSL I had to either put @Secure annotation or configure with
configuration.add(MetaDataConstants.SECURE_PAGE, "true");

Everything is ok with that, but my issue how can I make this to be
reconfigured each time depending the url if it has "http" or "https" and
without restarting application server.

The request is that the application should be accessed with or without
SSL. Jboss is configured ok. But I am stack with this hardcoded "true".

Can I override it ?
Is there any other workaround ?

Just for clarification I wanted something like that ( depending on the
url ) :
String jbossDir= System.getProperty("jboss.server.base.dir");
         System.out.println(jbossDir);
         Properties appProp = new Properties();
         try {
             appProp.load(new BufferedInputStream(new
FileInputStream(String.format("%s/app.properties", jbossDir ) )));
             String ssl = appProp.getProperty("SSL");
             if ( ssl !=null ) {
                 ssl = ssl.toLowerCase().trim();
             }
*configuration.add(MetaDataConstants.SECURE_PAGE, ssl);*
         } catch (FileNotFoundException e) {
             configuration.add(MetaDataConstants.SECURE_PAGE, "true");
             e.printStackTrace();
         } catch (IOException e) {
             configuration.add(MetaDataConstants.SECURE_PAGE, "true");
             e.printStackTrace();
         }*
**
*
Reply | Threaded
Open this post in threaded view
|

Re: SSL on url demand

JumpStart
The simple answer is - the whole world is being moved to HTTPS very rapidly so just go with it, for EVERY request. See http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https

To do this, in your AppModule just set

        configuration.add(MetaDataConstants.SECURE_PAGE, "true”);

then in production, staging, UAT, etc. set this system property...

        -Dtapestry.secure-enabled=true

and in development you might like to turn it off…

        -Dtapestry.secure-enabled=false

Alternatively, if you really must allow some requests to use HTTP, then follow the tips in here:

        http://tapestry.apache.org/https.html

HTH,

Geoff

> On 9 Mar 2016, at 9:56 PM, h3ph3st0s <[hidden email]> wrote:
>
> Hi,
>
> I built a small tapestry page under jboss. I read that in order to apply SSL I had to either put @Secure annotation or configure with
> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>
> Everything is ok with that, but my issue how can I make this to be reconfigured each time depending the url if it has "http" or "https" and without restarting application server.
>
> The request is that the application should be accessed with or without SSL. Jboss is configured ok. But I am stack with this hardcoded "true".
>
> Can I override it ?
> Is there any other workaround ?
>
> Just for clarification I wanted something like that ( depending on the url ) :
> String jbossDir= System.getProperty("jboss.server.base.dir");
>        System.out.println(jbossDir);
>        Properties appProp = new Properties();
>        try {
>            appProp.load(new BufferedInputStream(new FileInputStream(String.format("%s/app.properties", jbossDir ) )));
>            String ssl = appProp.getProperty("SSL");
>            if ( ssl !=null ) {
>                ssl = ssl.toLowerCase().trim();
>            }
> *configuration.add(MetaDataConstants.SECURE_PAGE, ssl);*
>        } catch (FileNotFoundException e) {
>            configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>            e.printStackTrace();
>        } catch (IOException e) {
>            configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>            e.printStackTrace();
>        }*
> **
> *


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: SSL on url demand

Chris Poulsen
I think we're handling it like this:

// default to non-secure pages (allows us to support both http and https
based on the incoming request)
configuration.add( SymbolConstants.SECURE_ENABLED, "false" );

HTH.

--
Chris

On Thu, Mar 10, 2016 at 3:36 AM, JumpStart <
[hidden email]> wrote:

> The simple answer is - the whole world is being moved to HTTPS very
> rapidly so just go with it, for EVERY request. See
> http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
>
> To do this, in your AppModule just set
>
>         configuration.add(MetaDataConstants.SECURE_PAGE, "true”);
>
> then in production, staging, UAT, etc. set this system property...
>
>         -Dtapestry.secure-enabled=true
>
> and in development you might like to turn it off…
>
>         -Dtapestry.secure-enabled=false
>
> Alternatively, if you really must allow some requests to use HTTP, then
> follow the tips in here:
>
>         http://tapestry.apache.org/https.html
>
> HTH,
>
> Geoff
>
> > On 9 Mar 2016, at 9:56 PM, h3ph3st0s <[hidden email]> wrote:
> >
> > Hi,
> >
> > I built a small tapestry page under jboss. I read that in order to apply
> SSL I had to either put @Secure annotation or configure with
> > configuration.add(MetaDataConstants.SECURE_PAGE, "true");
> >
> > Everything is ok with that, but my issue how can I make this to be
> reconfigured each time depending the url if it has "http" or "https" and
> without restarting application server.
> >
> > The request is that the application should be accessed with or without
> SSL. Jboss is configured ok. But I am stack with this hardcoded "true".
> >
> > Can I override it ?
> > Is there any other workaround ?
> >
> > Just for clarification I wanted something like that ( depending on the
> url ) :
> > String jbossDir= System.getProperty("jboss.server.base.dir");
> >        System.out.println(jbossDir);
> >        Properties appProp = new Properties();
> >        try {
> >            appProp.load(new BufferedInputStream(new
> FileInputStream(String.format("%s/app.properties", jbossDir ) )));
> >            String ssl = appProp.getProperty("SSL");
> >            if ( ssl !=null ) {
> >                ssl = ssl.toLowerCase().trim();
> >            }
> > *configuration.add(MetaDataConstants.SECURE_PAGE, ssl);*
> >        } catch (FileNotFoundException e) {
> >            configuration.add(MetaDataConstants.SECURE_PAGE, "true");
> >            e.printStackTrace();
> >        } catch (IOException e) {
> >            configuration.add(MetaDataConstants.SECURE_PAGE, "true");
> >            e.printStackTrace();
> >        }*
> > **
> > *
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: SSL on url demand

h3ph3st0s
In reply to this post by JumpStart
Hi and thank you for the responses,

Perhaps it was not clear the question.
If I use configuration or "-D" or @Secure then I am stack application
wide for entire usage.
What I would like to know if there is a way to switch on or off
depending if the user requested https and port e.g. 8443 OR http and
port 8080.

But without restart of applicationserver or redeployment.

Thanks,
Dimitri

On 2016-03-10 4:36, JumpStart wrote:

> The simple answer is - the whole world is being moved to HTTPS very rapidly so just go with it, for EVERY request. See http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
>
> To do this, in your AppModule just set
>
> configuration.add(MetaDataConstants.SECURE_PAGE, "true”);
>
> then in production, staging, UAT, etc. set this system property...
>
> -Dtapestry.secure-enabled=true
>
> and in development you might like to turn it off…
>
> -Dtapestry.secure-enabled=false
>
> Alternatively, if you really must allow some requests to use HTTP, then follow the tips in here:
>
> http://tapestry.apache.org/https.html
>
> HTH,
>
> Geoff
>
>> On 9 Mar 2016, at 9:56 PM, h3ph3st0s <[hidden email]> wrote:
>>
>> Hi,
>>
>> I built a small tapestry page under jboss. I read that in order to apply SSL I had to either put @Secure annotation or configure with
>> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>
>> Everything is ok with that, but my issue how can I make this to be reconfigured each time depending the url if it has "http" or "https" and without restarting application server.
>>
>> The request is that the application should be accessed with or without SSL. Jboss is configured ok. But I am stack with this hardcoded "true".
>>
>> Can I override it ?
>> Is there any other workaround ?
>>
>> Just for clarification I wanted something like that ( depending on the url ) :
>> String jbossDir= System.getProperty("jboss.server.base.dir");
>>         System.out.println(jbossDir);
>>         Properties appProp = new Properties();
>>         try {
>>             appProp.load(new BufferedInputStream(new FileInputStream(String.format("%s/app.properties", jbossDir ) )));
>>             String ssl = appProp.getProperty("SSL");
>>             if ( ssl !=null ) {
>>                 ssl = ssl.toLowerCase().trim();
>>             }
>> *configuration.add(MetaDataConstants.SECURE_PAGE, ssl);*
>>         } catch (FileNotFoundException e) {
>>             configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>             e.printStackTrace();
>>         } catch (IOException e) {
>>             configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>             e.printStackTrace();
>>         }*
>> **
>> *
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: SSL on url demand

h3ph3st0s
In reply to this post by Chris Poulsen
Chris hi,
thanks for the answer but this is already tested & it works. But it is
hard-coded and practically does not allow me to switch on or off the
overall SSL context per user request.

I have seen other applications that work either http or https
simultaneously without redeploying new compiled code.
Is there a way to accomplish this with tapestry ( for java and
javascript part ) framework version 5.3?

Regards
Dimitri

On 2016-03-10 12:40, Chris Poulsen wrote:
> I think we're handling it like this:
>
> // default to non-secure pages (allows us to support both http and https
> based on the incoming request)
> configuration.add( SymbolConstants.SECURE_ENABLED, "false" );
>
> HTH.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: SSL on url demand

Chris Poulsen
I has been a long while since I looked at this, but as far as i can
remember that setting allows the application to work in both http / https
mode depending on the protocol specified by the request (we use T5.4) - so
if the page is requested using https all links that are generated are
respecting that.

--
Chris

On Thu, Mar 10, 2016 at 12:34 PM, h3ph3st0s <[hidden email]> wrote:

> Chris hi,
> thanks for the answer but this is already tested & it works. But it is
> hard-coded and practically does not allow me to switch on or off the
> overall SSL context per user request.
>
> I have seen other applications that work either http or https
> simultaneously without redeploying new compiled code.
> Is there a way to accomplish this with tapestry ( for java and javascript
> part ) framework version 5.3?
>
> Regards
> Dimitri
>
> On 2016-03-10 12:40, Chris Poulsen wrote:
>
>> I think we're handling it like this:
>>
>> // default to non-secure pages (allows us to support both http and https
>> based on the incoming request)
>> configuration.add( SymbolConstants.SECURE_ENABLED, "false" );
>>
>> HTH.
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: SSL on url demand

trsvax
In reply to this post by h3ph3st0s
I think you could override the service RequestSecurityManager and make it
do whatever you want.

On Wednesday, March 9, 2016, h3ph3st0s <[hidden email]> wrote:

> Hi,
>
> I built a small tapestry page under jboss. I read that in order to apply
> SSL I had to either put @Secure annotation or configure with
> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>
> Everything is ok with that, but my issue how can I make this to be
> reconfigured each time depending the url if it has "http" or "https" and
> without restarting application server.
>
> The request is that the application should be accessed with or without
> SSL. Jboss is configured ok. But I am stack with this hardcoded "true".
>
> Can I override it ?
> Is there any other workaround ?
>
> Just for clarification I wanted something like that ( depending on the url
> ) :
> String jbossDir= System.getProperty("jboss.server.base.dir");
>         System.out.println(jbossDir);
>         Properties appProp = new Properties();
>         try {
>             appProp.load(new BufferedInputStream(new
> FileInputStream(String.format("%s/app.properties", jbossDir ) )));
>             String ssl = appProp.getProperty("SSL");
>             if ( ssl !=null ) {
>                 ssl = ssl.toLowerCase().trim();
>             }
> *configuration.add(MetaDataConstants.SECURE_PAGE, ssl);*
>         } catch (FileNotFoundException e) {
>             configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>             e.printStackTrace();
>         } catch (IOException e) {
>             configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>             e.printStackTrace();
>         }*
> **
> *
>
Reply | Threaded
Open this post in threaded view
|

Re: SSL on url demand

Norman Franke-2
In reply to this post by JumpStart
Unless, of course, you offload SSL processing to a load balancer. Tapestry doesn’t seem to handle that at all.

Norman Franke
Answering Service for Directors, Inc.
www.myasd.com <http://www.myasd.com/>



> On Mar 9, 2016, at 9:36 PM, JumpStart <[hidden email]> wrote:
>
> The simple answer is - the whole world is being moved to HTTPS very rapidly so just go with it, for EVERY request. See http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
>
> To do this, in your AppModule just set
>
> configuration.add(MetaDataConstants.SECURE_PAGE, "true”);
>
> then in production, staging, UAT, etc. set this system property...
>
> -Dtapestry.secure-enabled=true
>
> and in development you might like to turn it off…
>
> -Dtapestry.secure-enabled=false
>
> Alternatively, if you really must allow some requests to use HTTP, then follow the tips in here:
>
> http://tapestry.apache.org/https.html
>
> HTH,
>
> Geoff
>
>> On 9 Mar 2016, at 9:56 PM, h3ph3st0s <[hidden email]> wrote:
>>
>> Hi,
>>
>> I built a small tapestry page under jboss. I read that in order to apply SSL I had to either put @Secure annotation or configure with
>> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>
>> Everything is ok with that, but my issue how can I make this to be reconfigured each time depending the url if it has "http" or "https" and without restarting application server.
>>
>> The request is that the application should be accessed with or without SSL. Jboss is configured ok. But I am stack with this hardcoded "true".
>>
>> Can I override it ?
>> Is there any other workaround ?
>>
>> Just for clarification I wanted something like that ( depending on the url ) :
>> String jbossDir= System.getProperty("jboss.server.base.dir");
>>       System.out.println(jbossDir);
>>       Properties appProp = new Properties();
>>       try {
>>           appProp.load(new BufferedInputStream(new FileInputStream(String.format("%s/app.properties", jbossDir ) )));
>>           String ssl = appProp.getProperty("SSL");
>>           if ( ssl !=null ) {
>>               ssl = ssl.toLowerCase().trim();
>>           }
>> *configuration.add(MetaDataConstants.SECURE_PAGE, ssl);*
>>       } catch (FileNotFoundException e) {
>>           configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>           e.printStackTrace();
>>       } catch (IOException e) {
>>           configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>           e.printStackTrace();
>>       }*
>> **
>> *
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

Reply | Threaded
Open this post in threaded view
|

Re: SSL on url demand

h3ph3st0s
In reply to this post by trsvax
Yes, it seems nice. But in deed I don't know how to "glue" it within
requests/responses and especially ajax.

Also it says about Request.isSecure() method which also seems good, right ?
Should be within a method with @AfterRender, in order to evaluate always
the calls ?

Thanks and regards,
Dimitris

On 2016-03-10 15:15, Barry Books wrote:

> I think you could override the service RequestSecurityManager and make it
> do whatever you want.
>
> On Wednesday, March 9, 2016, h3ph3st0s <[hidden email]> wrote:
>
>> Hi,
>>
>> I built a small tapestry page under jboss. I read that in order to apply
>> SSL I had to either put @Secure annotation or configure with
>> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>
>> Everything is ok with that, but my issue how can I make this to be
>> reconfigured each time depending the url if it has "http" or "https" and
>> without restarting application server.
>>
>> The request is that the application should be accessed with or without
>> SSL. Jboss is configured ok. But I am stack with this hardcoded "true".
>>
>> Can I override it ?
>> Is there any other workaround ?
>>
>> Just for clarification I wanted something like that ( depending on the url
>> ) :
>> String jbossDir= System.getProperty("jboss.server.base.dir");
>>          System.out.println(jbossDir);
>>          Properties appProp = new Properties();
>>          try {
>>              appProp.load(new BufferedInputStream(new
>> FileInputStream(String.format("%s/app.properties", jbossDir ) )));
>>              String ssl = appProp.getProperty("SSL");
>>              if ( ssl !=null ) {
>>                  ssl = ssl.toLowerCase().trim();
>>              }
>> *configuration.add(MetaDataConstants.SECURE_PAGE, ssl);*
>>          } catch (FileNotFoundException e) {
>>              configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>              e.printStackTrace();
>>          } catch (IOException e) {
>>              configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>              e.printStackTrace();
>>          }*
>> **
>> *
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]