On the other hand in case someone will need HTTPS quickstart he/she need to write lots of stuff ....
On Wed, Jan 17, 2018 at 1:43 AM, Pedro Santos <[email protected]> wrote: >> The quickstart itself is stateless, so no sessions/cookies are created. > > Good point, one can even never navigate to the self signed certificate > error page. > Even so, it sounds a good idea for me to remove such unnecessary complexity > (HTTPS setup) for newcomers. > >> Any code added by the developer can break the application in many > different >> ways... >> >> No quickstart, no problems :-) > > Sure, but we can make non Wicket related problems more unlikely to happen > to > newcomers playing around. I thought this was the point of the proposal > > Pedro Santos > > On Tue, Jan 16, 2018 at 1:59 PM, Martin Grigorov <[email protected]> > wrote: > >> On Tue, Jan 16, 2018 at 4:33 PM, Pedro Santos <[email protected]> wrote: >> >> > +0 >> > >> > Sounds a good idea since the quickstart is the fist contact most of new >> > users will have with Wicket. It makes sense to keep is as simple as >> > possible, focusing on showcasing components like WebPage, Label. >> > >> > Also the HTTPS configuration can easily go wrong as it will set a secure >> > cookie on the browser, and cause any following non secure access to fail >> in >> > to set a session cookie. Its not a Wicket problem, but its an avoidable >> > scenario for newcomers, and one that is already reported on the users >> list >> > >> >> The quickstart itself is stateless, so no sessions/cookies are created. >> Any code added by the developer can break the application in many different >> ways... >> >> No quickstart, no problems :-) >> >> >> > [1] >> > >> > 1 - >> > http://apache-wicket.1842946.n4.nabble.com/Endless- >> > Redirect-with-tracking-mode-COOKIE-and-Cookies-Disabled- >> > in-Browser-td4679364.html#a4679370 >> > >> > >> > Pedro Santos >> > >> > On Tue, Jan 16, 2018 at 6:17 AM, Emond Papegaaij < >> > [email protected] >> > > wrote: >> > >> > > -1 >> > > >> > > I agree, application servers, such as WildFly provide similar >> solutions. >> > By >> > > default WildFly will generate a self-signed certificate for the >> https/h2 >> > > listener. >> > > >> > > Emond >> > > >> > > On dinsdag 16 januari 2018 05:10:32 CET Maxim Solodovnik wrote: >> > > > -1 >> > > > >> > > > I believe it's good to have HTTPS configuration ready for the tests. >> > > > It is impossible to provide non-self-signed, so IMO security warning >> > > > is OK here >> > > > >> > > > On Mon, Jan 15, 2018 at 3:42 AM, Martin Grigorov < >> [email protected] >> > > >> > > wrote: >> > > > > -1 >> > > > > >> > > > > The current setup makes it easier to debug HTTPS related issues. >> > > > > I, personally, do not want to deal with openssl, keytool and >> > > > > jetty-https.xml just to debug an issue in HttpsMapper or related >> > code. >> > > > > >> > > > > A user can use http://localhost if (s)he doesn't want to accept >> self >> > > > > signed >> > > > > certs. >> > > > > >> > > > > My 2c. >> > > > > >> > > > > On Sun, Jan 14, 2018 at 8:16 PM, Martijn Dashorst < >> > > > > >> > > > > [email protected]> wrote: >> > > > >> The quick start uses a self signed certificate that gives errors >> in >> > > > >> browsers and requires folks to accept the certificate in their >> trust >> > > > >> chain. >> > > > >> >> > > > >> I suggest we remove the secure layer part from our quickstart just >> > to >> > > > >> make sure we don't train our users to accept any certificate. >> WDYT? >> > > > >> >> > > > >> Martijn >> > > >> > > >> > > >> > >> -- WBR Maxim aka solomax
