On Tue, Jan 16, 2018 at 4:33 PM, Pedro Santos <[email protected]> wrote:
> +0 > > Sounds a good idea since the quickstart is the fist contact most of new > users will have with Wicket. It makes sense to keep is as simple as > possible, focusing on showcasing components like WebPage, Label. > > Also the HTTPS configuration can easily go wrong as it will set a secure > cookie on the browser, and cause any following non secure access to fail in > to set a session cookie. Its not a Wicket problem, but its an avoidable > scenario for newcomers, and one that is already reported on the users list > The quickstart itself is stateless, so no sessions/cookies are created. Any code added by the developer can break the application in many different ways... No quickstart, no problems :-) > [1] > > 1 - > http://apache-wicket.1842946.n4.nabble.com/Endless- > Redirect-with-tracking-mode-COOKIE-and-Cookies-Disabled- > in-Browser-td4679364.html#a4679370 > > > Pedro Santos > > On Tue, Jan 16, 2018 at 6:17 AM, Emond Papegaaij < > [email protected] > > wrote: > > > -1 > > > > I agree, application servers, such as WildFly provide similar solutions. > By > > default WildFly will generate a self-signed certificate for the https/h2 > > listener. > > > > Emond > > > > On dinsdag 16 januari 2018 05:10:32 CET Maxim Solodovnik wrote: > > > -1 > > > > > > I believe it's good to have HTTPS configuration ready for the tests. > > > It is impossible to provide non-self-signed, so IMO security warning > > > is OK here > > > > > > On Mon, Jan 15, 2018 at 3:42 AM, Martin Grigorov <[email protected] > > > > wrote: > > > > -1 > > > > > > > > The current setup makes it easier to debug HTTPS related issues. > > > > I, personally, do not want to deal with openssl, keytool and > > > > jetty-https.xml just to debug an issue in HttpsMapper or related > code. > > > > > > > > A user can use http://localhost if (s)he doesn't want to accept self > > > > signed > > > > certs. > > > > > > > > My 2c. > > > > > > > > On Sun, Jan 14, 2018 at 8:16 PM, Martijn Dashorst < > > > > > > > > [email protected]> wrote: > > > >> The quick start uses a self signed certificate that gives errors in > > > >> browsers and requires folks to accept the certificate in their trust > > > >> chain. > > > >> > > > >> I suggest we remove the secure layer part from our quickstart just > to > > > >> make sure we don't train our users to accept any certificate. WDYT? > > > >> > > > >> Martijn > > > > > > >
