> The quickstart itself is stateless, so no sessions/cookies are created.
Good point, one can even never navigate to the self signed certificate error page. Even so, it sounds a good idea for me to remove such unnecessary complexity (HTTPS setup) for newcomers. > Any code added by the developer can break the application in many different > ways... > > No quickstart, no problems :-) Sure, but we can make non Wicket related problems more unlikely to happen to newcomers playing around. I thought this was the point of the proposal Pedro Santos On Tue, Jan 16, 2018 at 1:59 PM, Martin Grigorov <[email protected]> wrote: > On Tue, Jan 16, 2018 at 4:33 PM, Pedro Santos <[email protected]> wrote: > > > +0 > > > > Sounds a good idea since the quickstart is the fist contact most of new > > users will have with Wicket. It makes sense to keep is as simple as > > possible, focusing on showcasing components like WebPage, Label. > > > > Also the HTTPS configuration can easily go wrong as it will set a secure > > cookie on the browser, and cause any following non secure access to fail > in > > to set a session cookie. Its not a Wicket problem, but its an avoidable > > scenario for newcomers, and one that is already reported on the users > list > > > > The quickstart itself is stateless, so no sessions/cookies are created. > Any code added by the developer can break the application in many different > ways... > > No quickstart, no problems :-) > > > > [1] > > > > 1 - > > http://apache-wicket.1842946.n4.nabble.com/Endless- > > Redirect-with-tracking-mode-COOKIE-and-Cookies-Disabled- > > in-Browser-td4679364.html#a4679370 > > > > > > Pedro Santos > > > > On Tue, Jan 16, 2018 at 6:17 AM, Emond Papegaaij < > > [email protected] > > > wrote: > > > > > -1 > > > > > > I agree, application servers, such as WildFly provide similar > solutions. > > By > > > default WildFly will generate a self-signed certificate for the > https/h2 > > > listener. > > > > > > Emond > > > > > > On dinsdag 16 januari 2018 05:10:32 CET Maxim Solodovnik wrote: > > > > -1 > > > > > > > > I believe it's good to have HTTPS configuration ready for the tests. > > > > It is impossible to provide non-self-signed, so IMO security warning > > > > is OK here > > > > > > > > On Mon, Jan 15, 2018 at 3:42 AM, Martin Grigorov < > [email protected] > > > > > > wrote: > > > > > -1 > > > > > > > > > > The current setup makes it easier to debug HTTPS related issues. > > > > > I, personally, do not want to deal with openssl, keytool and > > > > > jetty-https.xml just to debug an issue in HttpsMapper or related > > code. > > > > > > > > > > A user can use http://localhost if (s)he doesn't want to accept > self > > > > > signed > > > > > certs. > > > > > > > > > > My 2c. > > > > > > > > > > On Sun, Jan 14, 2018 at 8:16 PM, Martijn Dashorst < > > > > > > > > > > [email protected]> wrote: > > > > >> The quick start uses a self signed certificate that gives errors > in > > > > >> browsers and requires folks to accept the certificate in their > trust > > > > >> chain. > > > > >> > > > > >> I suggest we remove the secure layer part from our quickstart just > > to > > > > >> make sure we don't train our users to accept any certificate. > WDYT? > > > > >> > > > > >> Martijn > > > > > > > > > > > >
