Ralph Goers wrote:
Sylvain Wallez wrote:
You're right: a working getServerName() is actually needed as soon as
we want to switch protocols. But that only happens on sites mixing
http and https for urls served by Cocoon, which isn't always the case.

You'd be surprised how often you need this! Obviously, you need it
for something like the petstore where you place an order, but you need
it for almost any form that has data that might be considered
"sensitive", i.e. it has account numbers, social security numbers,
passwords, etc. In fact, the login page really should be secure but
then you want to switch to http for the majority of a site.

Hmm... but if you switch to http after having authenticated through
https, then the session-id can be hijacked, thus allowing access to the
sensitive data.

Sorry: what do you mean by "current protocol" and "protocol request"?
I guess it's "the protocol of the current request" and "the protocol
asked for by the caller of getLinkURI()"?

That should be something like:
  String proto;
  if (secure == null) {
      proto = request.getScheme();
  } else {
      proto = secure.booleanValue() ? "https" : "http";
  }
  if (proto.equals(request.getScheme())) {
      // same scheme: do not absolutize
  } else {
      // different scheme: absolutize
  }
This actually filters more cases where absolutizing will effectively
happen, which I like :-)

Yes, this looks like what is needed.

Great!

Sylvain
--
Sylvain Wallez Anyware Technologies
http://people.apache.org/~sylvain http://www.anyware-tech.com
Apache Software Foundation Member Research & Technology Director
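
Added example (not part of the original message and not Cocoon code): the scheme check discussed in the thread, carried through to the link it produces, for Java 16 or later. The `Req` record, this `getLinkURI` signature, the sample host name and the default-port assumption are hypothetical.

```java
// Added illustration; not Cocoon code. All names here are hypothetical.
public class LinkUriExample {

    /** Minimal stand-in for the parts of the request the decision needs. */
    record Req(String scheme, String serverName) {}

    /**
     * secure == null  : keep the scheme of the current request
     * secure == TRUE  : the link must be https
     * secure == FALSE : the link must be http
     */
    static String getLinkURI(Req request, String path, Boolean secure) {
        String proto = (secure == null)
                ? request.scheme()
                : (secure.booleanValue() ? "https" : "http");

        if (proto.equals(request.scheme())) {
            // Same scheme: a relative link is enough, no host name needed.
            return path;
        }
        // Different scheme: the link has to be absolute, so a working
        // server name is required. Assumption: default ports (80/443).
        String host = request.serverName();
        if (host == null || host.isEmpty()) {
            throw new IllegalStateException(
                    "server name required to switch scheme");
        }
        return proto + "://" + host + path;
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        Req onHttp = new Req("http", "shop.example.org");
        Req onHttps = new Req("https", "shop.example.org");

        System.out.println(getLinkURI(onHttp, "/catalog", null));
        System.out.println(getLinkURI(onHttp, "/login", Boolean.TRUE));
        System.out.println(getLinkURI(onHttps, "/account", Boolean.TRUE));
        // https -> http: the switch the thread flags, because the session id
        // issued during the https login then travels over plain http.
        System.out.println(getLinkURI(onHttps, "/catalog", Boolean.FALSE));
    }
}
```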