switch to https

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

switch to https

Chris Cheshire
How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.

Do I have to use url rewrite rules, or is there something in Stripes I can use?

Thanks

Chris

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Reply | Threaded
Open this post in threaded view
|

Re: switch to https

Adam Stokar
I had to deal with this a long time ago.  The best solution was to make all pages use https.  When you switch from http to https, a new session id is created and it complicates everything.  Is there a reason you need http?


On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <[hidden email]> wrote:
How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.

Do I have to use url rewrite rules, or is there something in Stripes I can use?

Thanks

Chris

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Reply | Threaded
Open this post in threaded view
|

Re: switch to https

Chris Cheshire
No, I want to know how to switch from http to https without using url rewriting (apache, tomcat filter) if possible. I'm fine with everything being https once the switch is made, I just need to know how to make the switch when building links via stripes:link or stripes:form where possible.


On Fri, Apr 19, 2013 at 10:18 AM, Adam Stokar <[hidden email]> wrote:
I had to deal with this a long time ago.  The best solution was to make all pages use https.  When you switch from http to https, a new session id is created and it complicates everything.  Is there a reason you need http?


On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <[hidden email]> wrote:
How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.

Do I have to use url rewrite rules, or is there something in Stripes I can use?

Thanks

Chris

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Reply | Threaded
Open this post in threaded view
|

Re: switch to https

Adam Stokar
I use a stripes interceptor.  If any request comes in that is supposed to be secure, it will redirect to the https version.

if(isSecure(request) && url.indexOf("https") != 0) {

url = url.replace("http", "https");

return new RedirectResolution(url,false);

}



On Fri, Apr 19, 2013 at 11:22 AM, Chris Cheshire <[hidden email]> wrote:
No, I want to know how to switch from http to https without using url rewriting (apache, tomcat filter) if possible. I'm fine with everything being https once the switch is made, I just need to know how to make the switch when building links via stripes:link or stripes:form where possible.


On Fri, Apr 19, 2013 at 10:18 AM, Adam Stokar <[hidden email]> wrote:
I had to deal with this a long time ago.  The best solution was to make all pages use https.  When you switch from http to https, a new session id is created and it complicates everything.  Is there a reason you need http?


On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <[hidden email]> wrote:
How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.

Do I have to use url rewrite rules, or is there something in Stripes I can use?

Thanks

Chris

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Reply | Threaded
Open this post in threaded view
|

Re: switch to https

Chris Cheshire
I use essentially the same thing - the Tuckey URLRewrite servlet filter. Unfortunately it breaks form posts which is why I was wondering whether there is a way to build the url with https.



On Fri, Apr 19, 2013 at 11:28 AM, Adam Stokar <[hidden email]> wrote:
I use a stripes interceptor.  If any request comes in that is supposed to be secure, it will redirect to the https version.

if(isSecure(request) && url.indexOf("https") != 0) {

url = url.replace("http", "https");

return new RedirectResolution(url,false);

}



On Fri, Apr 19, 2013 at 11:22 AM, Chris Cheshire <[hidden email]> wrote:
No, I want to know how to switch from http to https without using url rewriting (apache, tomcat filter) if possible. I'm fine with everything being https once the switch is made, I just need to know how to make the switch when building links via stripes:link or stripes:form where possible.


On Fri, Apr 19, 2013 at 10:18 AM, Adam Stokar <[hidden email]> wrote:
I had to deal with this a long time ago.  The best solution was to make all pages use https.  When you switch from http to https, a new session id is created and it complicates everything.  Is there a reason you need http?


On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <[hidden email]> wrote:
How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.

Do I have to use url rewrite rules, or is there something in Stripes I can use?

Thanks

Chris

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Reply | Threaded
Open this post in threaded view
|

Re: switch to https

Stone, Timothy

This seems to me to be a solved problem that is not directly a Stripes problem or a problem needing to be found in a Stripes solution.

 

1.       You can do this in Apache (not so much direct Tomcat, where Chris, downthread, gives an application context solution)
In your Directory, Location or VHost, require SSL:
SSLRequireSSL # this will outright deny access with HTTPS. May not be what you need.

We actually force SSL in non-secure domains with a RewriteCond and Rule
RewriteCond %{HTTPS} != “on”
RewriteRule  ^/(.*)$ https://www.domain.com/$1

2.       If you want to force HTTPS in a login, POST to HTTPS, e.g, <form action=”https://...”  method=”post” ...>, this will force negotiation of the secure channel before accidently leaking login information
This technique was formerly discouraged, but in wide use today. It will also solve the session state issue.

Hope this helps,

Tim

 

From: Chris Cheshire [mailto:[hidden email]]
Sent: Friday, April 19, 2013 11:35 AM
To: Stripes Users List
Subject: Re: [Stripes-users] switch to https

 

I use essentially the same thing - the Tuckey URLRewrite servlet filter. Unfortunately it breaks form posts which is why I was wondering whether there is a way to build the url with https.

 

 

On Fri, Apr 19, 2013 at 11:28 AM, Adam Stokar <[hidden email]> wrote:

I use a stripes interceptor.  If any request comes in that is supposed to be secure, it will redirect to the https version.

 

if(isSecure(request) && url.indexOf("https") != 0) {

url = url.replace("http", "https");

return new RedirectResolution(url,false);

}

 

On Fri, Apr 19, 2013 at 11:22 AM, Chris Cheshire <[hidden email]> wrote:

No, I want to know how to switch from http to https without using url rewriting (apache, tomcat filter) if possible. I'm fine with everything being https once the switch is made, I just need to know how to make the switch when building links via stripes:link or stripes:form where possible.

 

On Fri, Apr 19, 2013 at 10:18 AM, Adam Stokar <[hidden email]> wrote:

I had to deal with this a long time ago.  The best solution was to make all pages use https.  When you switch from http to https, a new session id is created and it complicates everything.  Is there a reason you need http?

 

On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <[hidden email]> wrote:

How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.

 

Do I have to use url rewrite rules, or is there something in Stripes I can use?

 

Thanks


Chris

 

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


Barclaycard

www.barclaycardus.com

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Reply | Threaded
Open this post in threaded view
|

Re: switch to https

Joaquin Valdez-2
<base href="x-msg://2422/">This is how I do it in an ActionBean:

@DefaultHandler
@DontValidate
public Resolution form() {
       
          if (getContext().getRequest().isSecure()) {
            return new ForwardResolution(WELCOME);
          } else {
            return new RedirectResolution("https://www" + getContext().getRootCookieDomain() + "/" +getContext().getRequest().getContextPath(),false);
          }
    }

-Joaquin


On Apr 19, 2013, at 8:55 AM, "Stone, Timothy" <[hidden email]> wrote:

This seems to me to be a solved problem that is not directly a Stripes problem or a problem needing to be found in a Stripes solution.
 
1.       You can do this in Apache (not so much direct Tomcat, where Chris, downthread, gives an application context solution)
In your Directory, Location or VHost, require SSL:
SSLRequireSSL # this will outright deny access with HTTPS. May not be what you need.

We actually force SSL in non-secure domains with a RewriteCond and Rule
RewriteCond %{HTTPS} != “on”
RewriteRule  ^/(.*)$ https://www.domain.com/$1

2.       If you want to force HTTPS in a login, POST to HTTPS, e.g, <form action=”https://...”  method=”post” ...>, this will force negotiation of the secure channel before accidently leaking login information
This technique was formerly discouraged, but in wide use today. It will also solve the session state issue.

Hope this helps,
Tim
 
From: Chris Cheshire [mailto:cheshirator@gmail.com] 
Sent: Friday, April 19, 2013 11:35 AM
To: Stripes Users List
Subject: Re: [Stripes-users] switch to https
 
I use essentially the same thing - the Tuckey URLRewrite servlet filter. Unfortunately it breaks form posts which is why I was wondering whether there is a way to build the url with https.
 

 

On Fri, Apr 19, 2013 at 11:28 AM, Adam Stokar <[hidden email]> wrote:
I use a stripes interceptor.  If any request comes in that is supposed to be secure, it will redirect to the https version.
 

if(isSecure(request) && url.indexOf("https") != 0) {

url = url.replace("http", "https");

return new RedirectResolution(url,false);

}

 

On Fri, Apr 19, 2013 at 11:22 AM, Chris Cheshire <[hidden email]> wrote:
No, I want to know how to switch from http to https without using url rewriting (apache, tomcat filter) if possible. I'm fine with everything being https once the switch is made, I just need to know how to make the switch when building links via stripes:link or stripes:form where possible.

 

On Fri, Apr 19, 2013 at 10:18 AM, Adam Stokar <[hidden email]> wrote:
I had to deal with this a long time ago.  The best solution was to make all pages use https.  When you switch from http to https, a new session id is created and it complicates everything.  Is there a reason you need http?

 

On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <[hidden email]> wrote:
How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.
 
Do I have to use url rewrite rules, or is there something in Stripes I can use?
 
Thanks

Chris
 

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 

Barclaycard

www.barclaycardus.com

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Reply | Threaded
Open this post in threaded view
|

Re: switch to https

Chris Cheshire
In reply to this post by Stone, Timothy



On Fri, Apr 19, 2013 at 11:55 AM, Stone, Timothy <[hidden email]> wrote:

This seems to me to be a solved problem that is not directly a Stripes problem or a problem needing to be found in a Stripes solution.

 

1.       You can do this in Apache (not so much direct Tomcat, where Chris, downthread, gives an application context solution)
In your Directory, Location or VHost, require SSL:
SSLRequireSSL # this will outright deny access with HTTPS. May not be what you need.

We actually force SSL in non-secure domains with a RewriteCond and Rule
RewriteCond %{HTTPS} != “on”
RewriteRule  ^/(.*)$ https://www.domain.com/$1


Yes I can do this via the vhosts setup I have. 

2.       If you want to force HTTPS in a login, POST to HTTPS, e.g, <form action=”https://...”  method=”post” ...>, this will force negotiation of the secure channel before accidently leaking login information
This technique was formerly discouraged, but in wide use today. It will also solve the session state issue.


I know I can also put the URL in myself instead of doing <stripes:form beanclass= ... >, but I was hoping to avoid this. I was hoping there'd be something like a parameter to the tag that would set the scheme in the generated url, rather than inheriting it. I had a poke through the docs and couldn't find anything.

I guess it's just a matter of accepting the redirect or writing the urls directly, rather than having them generated.

Thanks 

Chris

Hope this helps,

Tim

 

From: Chris Cheshire [mailto:[hidden email]]
Sent: Friday, April 19, 2013 11:35 AM
To: Stripes Users List
Subject: Re: [Stripes-users] switch to https

 

I use essentially the same thing - the Tuckey URLRewrite servlet filter. Unfortunately it breaks form posts which is why I was wondering whether there is a way to build the url with https.

 

 

On Fri, Apr 19, 2013 at 11:28 AM, Adam Stokar <[hidden email]> wrote:

I use a stripes interceptor.  If any request comes in that is supposed to be secure, it will redirect to the https version.

 

if(isSecure(request) && url.indexOf("https") != 0) {

url = url.replace("http", "https");

return new RedirectResolution(url,false);

}

 

On Fri, Apr 19, 2013 at 11:22 AM, Chris Cheshire <[hidden email]> wrote:

No, I want to know how to switch from http to https without using url rewriting (apache, tomcat filter) if possible. I'm fine with everything being https once the switch is made, I just need to know how to make the switch when building links via stripes:link or stripes:form where possible.

 

On Fri, Apr 19, 2013 at 10:18 AM, Adam Stokar <[hidden email]> wrote:

I had to deal with this a long time ago.  The best solution was to make all pages use https.  When you switch from http to https, a new session id is created and it complicates everything.  Is there a reason you need http?

 

On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <[hidden email]> wrote:

How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.

 

Do I have to use url rewrite rules, or is there something in Stripes I can use?

 

Thanks


Chris

 



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
Reply | Threaded
Open this post in threaded view
|

Re: switch to https

Janne Jalkanen
In reply to this post by Joaquin Valdez-2

I just simply inherited StripesFormTag to provide my own SecureStripesFormTag which is smart enough to force SSL in form submission if it's not enabled before.  The code looks like this

public class SecureFormTag extends FormTag
{
    @Override
    protected String buildAction()
    {
        String action = super.buildAction();

        return HttpUtil.httpsify(action);
    }
}

where httpsify() just takes an action and returns it as a secure URL.  Note that you will need to be able to handle relative URLs when you do this. The good thing is that this works just like you would expect within Stripes.

/Janne

On Apr 19, 2013, at 19:30 , Joaquin Valdez <[hidden email]> wrote:

<base href="x-msg://2422/">
This is how I do it in an ActionBean:

@DefaultHandler
@DontValidate
public Resolution form() {
       
          if (getContext().getRequest().isSecure()) {
            return new ForwardResolution(WELCOME);
          } else {
            return new RedirectResolution("https://www" + getContext().getRootCookieDomain() + "/" +getContext().getRequest().getContextPath(),false);
          }
    }

-Joaquin


On Apr 19, 2013, at 8:55 AM, "Stone, Timothy" <[hidden email]> wrote:

This seems to me to be a solved problem that is not directly a Stripes problem or a problem needing to be found in a Stripes solution.
 
1.       You can do this in Apache (not so much direct Tomcat, where Chris, downthread, gives an application context solution)
In your Directory, Location or VHost, require SSL:
SSLRequireSSL # this will outright deny access with HTTPS. May not be what you need.

We actually force SSL in non-secure domains with a RewriteCond and Rule
RewriteCond %{HTTPS} != “on”
RewriteRule  ^/(.*)$ https://www.domain.com/$1

2.       If you want to force HTTPS in a login, POST to HTTPS, e.g, <form action=”https://...”  method=”post” ...>, this will force negotiation of the secure channel before accidently leaking login information
This technique was formerly discouraged, but in wide use today. It will also solve the session state issue.

Hope this helps,
Tim
 
From: Chris Cheshire [mailto:cheshirator@gmail.com] 
Sent: Friday, April 19, 2013 11:35 AM
To: Stripes Users List
Subject: Re: [Stripes-users] switch to https
 
I use essentially the same thing - the Tuckey URLRewrite servlet filter. Unfortunately it breaks form posts which is why I was wondering whether there is a way to build the url with https.
 

 

On Fri, Apr 19, 2013 at 11:28 AM, Adam Stokar <[hidden email]> wrote:
I use a stripes interceptor.  If any request comes in that is supposed to be secure, it will redirect to the https version.
 

if(isSecure(request) && url.indexOf("https") != 0) {

url = url.replace("http", "https");

return new RedirectResolution(url,false);

}

 

On Fri, Apr 19, 2013 at 11:22 AM, Chris Cheshire <[hidden email]> wrote:
No, I want to know how to switch from http to https without using url rewriting (apache, tomcat filter) if possible. I'm fine with everything being https once the switch is made, I just need to know how to make the switch when building links via stripes:link or stripes:form where possible.

 

On Fri, Apr 19, 2013 at 10:18 AM, Adam Stokar <[hidden email]> wrote:
I had to deal with this a long time ago.  The best solution was to make all pages use https.  When you switch from http to https, a new session id is created and it complicates everything.  Is there a reason you need http?

 

On Fri, Apr 19, 2013 at 10:13 AM, Chris Cheshire <[hidden email]> wrote:
How do I tell a stripes:link or stripes:form that I want it to switch to https? Eg. Start at a non-secure page and switch to https on login.
 
Do I have to use url rewrite rules, or is there something in Stripes I can use?
 
Thanks

Chris
 

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

 

Barclaycard

www.barclaycardus.com

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users