Re: URL writing problem with production mode true
On 04/09/2012 09:54 PM, Richard Frovarp wrote: I can verify with the 5.3 archetype, but it certainly seems to me that production mode of false lets the URLs be relative, but when you set it to true it starts to do extra work and looking to see if pages are marked as secured. I'm finding it in an odd way because everything on my application servers are behind HTTPS for every single request. mvn archetype:generate -DarchetypeCatalog=http://tapestry.apache.org http://tapestry.apache.org/ mvn jetty:run Go to localhost. Look at URLs and they are relative. Change to production mode, restart jetty, look at URLs and they are relative. Proxy to Jetty from HTTPS using HTTP, URLs are relative in both modes. Create a war of the code, put it under Tomcat. Hit Tomcat directly at 8080 over HTTP and URLs are all relative in production mode true and false. Proxy to Tomcat using mod_proxy_ajp. Start up Tomcat, hit HTTPD with HTTPS and proxy via AJP to Tomcat the menu looks like this: div class=menu ul li class=current_page_item a href=http://myhost/url-test/;Index/a /li li a href=http://myhost/url-test/about;About/a /li li a href=http://myhost/url-test/contact;Contact/a /li /ul /div Add -Dtapestry.production-mode=false to JAVA_OPTS, restart Tomcat, refresh the page and the menus looks like this: divclass=menu ul liclass=current_page_item ahref=/url-test/ view-source:https://wings.cc.ndsu.nodak.edu/url-test/Index/a /li li ahref=/url-test/about view-source:https://wings.cc.ndsu.nodak.edu/url-test/aboutAbout/a /li li ahref=/url-test/contact view-source:https://wings.cc.ndsu.nodak.edu/url-test/contactContact/a /li /ul /div So this certainly looks like a bug. Production mode changes URLs to absolute under AJP proxying only. At this time I don't know it if is Tomcat only, or if I did AJP to another container one would see the same results.
URL writing problem with production mode true
I have a simple application in Tapestry 5.3.2. With production mode false, all of the URLs generated in the pages, including forms, are relative. This means HTTPS works just fine. With production mode true, all of the URLs are absolute with HTTP, which breaks things. I don't mind the full URLs, as they are at the correct host. The problem is the HTTP instead of HTTPS. Nothing in the documentation states that production mode will cause this change. I'm not sure if this is a bug or not. Additionally, how do I get it to use HTTPS only and all of the time? Looking at the documentation, it would seem that I should set tapestry.secure-page to true in my AppModule. Thanks, Richard - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
Re: URL writing problem with production mode true
Hi Richard! By default Tapestry is trying to be helpful and secure for apps in which only some of the pages should be running with HTTPS. But when the whole site should be running with HTTPS you'll need to tell Tapestry this, and the correct way to do that is to set the tapestry.secure-enabled symbol to false in your application module class (normally AppModule.java). Yes, I know it seems counter-intuitive at first. http://tapestry.apache.org/https.html provides a pretty good description of these options, if you haven't seen it yet. But you're right, this needs to be better documented. All of the effects of production mode should be listed or referenced at http://tapestry.apache.org/configuration.html#Configuration-tapestry.productionmode, and the FAQ should probably mention the HTTP - HTTPS switching behavior, which catches quite a few people. I'll make a note to improve the docs in these areas if somebody doesn't beat me to it. Is there any other place where you looked and didn't find this information? On Mon, Apr 9, 2012 at 7:22 PM, Richard Frovarp rfrov...@apache.org wrote: I have a simple application in Tapestry 5.3.2. With production mode false, all of the URLs generated in the pages, including forms, are relative. This means HTTPS works just fine. With production mode true, all of the URLs are absolute with HTTP, which breaks things. I don't mind the full URLs, as they are at the correct host. The problem is the HTTP instead of HTTPS. Nothing in the documentation states that production mode will cause this change. I'm not sure if this is a bug or not. Additionally, how do I get it to use HTTPS only and all of the time? Looking at the documentation, it would seem that I should set tapestry.secure-page to true in my AppModule. Thanks, Richard - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
Re: URL writing problem with production mode true
I don't believe this is about production mode; this is more likely an artifact of how your app is configured behind your firewall, rather than how it runs on your workstation ... modulo that, by default in development mode, secure is disabled. When Tapestry detects that an incoming request is not secure but the pages referenced by the rendered page are secure, it forms a complete URL, to ensure the transition from HTTP to HTTPS. What I suspect is that you have marked your pages with @Secure, but that your firewall is handling the HTTPS, and forwarding an HTTP request into the servlet container hosting the application. When the firewall handles HTTPS, rather than the Tapestry application running inside the servlet container, then yes, your should not use @Secure and may want to deactivate it entirely. I'd appreciate some feedback about how well this matches your configuration before updating the documentation. On Mon, Apr 9, 2012 at 5:01 PM, Bob Harner bobhar...@gmail.com wrote: Hi Richard! By default Tapestry is trying to be helpful and secure for apps in which only some of the pages should be running with HTTPS. But when the whole site should be running with HTTPS you'll need to tell Tapestry this, and the correct way to do that is to set the tapestry.secure-enabled symbol to false in your application module class (normally AppModule.java). Yes, I know it seems counter-intuitive at first. http://tapestry.apache.org/https.html provides a pretty good description of these options, if you haven't seen it yet. But you're right, this needs to be better documented. All of the effects of production mode should be listed or referenced at http://tapestry.apache.org/configuration.html#Configuration-tapestry.productionmode, and the FAQ should probably mention the HTTP - HTTPS switching behavior, which catches quite a few people. I'll make a note to improve the docs in these areas if somebody doesn't beat me to it. Is there any other place where you looked and didn't find this information? On Mon, Apr 9, 2012 at 7:22 PM, Richard Frovarp rfrov...@apache.org wrote: I have a simple application in Tapestry 5.3.2. With production mode false, all of the URLs generated in the pages, including forms, are relative. This means HTTPS works just fine. With production mode true, all of the URLs are absolute with HTTP, which breaks things. I don't mind the full URLs, as they are at the correct host. The problem is the HTTP instead of HTTPS. Nothing in the documentation states that production mode will cause this change. I'm not sure if this is a bug or not. Additionally, how do I get it to use HTTPS only and all of the time? Looking at the documentation, it would seem that I should set tapestry.secure-page to true in my AppModule. Thanks, Richard - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org -- Howard M. Lewis Ship Creator of Apache Tapestry The source for Tapestry training, mentoring and support. Contact me to learn how I can get you up and productive in Tapestry fast! (971) 678-5210 http://howardlewisship.com - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
Re: URL writing problem with production mode true
Hey Bob, how's it been? On 04/09/2012 07:01 PM, Bob Harner wrote: http://tapestry.apache.org/https.html provides a pretty good description of these options, if you haven't seen it yet. I honestly did not see that page. Thanks for point it out. But you're right, this needs to be better documented. All of the effects of production mode should be listed or referenced at http://tapestry.apache.org/configuration.html#Configuration-tapestry.productionmode, and the FAQ should probably mention the HTTP - HTTPS switching behavior, which catches quite a few people. I'll make a note to improve the docs in these areas if somebody doesn't beat me to it. Is there any other place where you looked and didn't find this information? I spent all of my time looking at what production mode does and does not do. I knew that it limited error pages and some of the meta pages. Here are the places I looked. http://wiki.apache.org/tapestry/Tapestry5UsefulConfigurationsForDevelopment http://tapestry.apache.org/configuration.html#Configuration-tapestry.productionmode I do see further down on the configuration page it does state that production mode false disables the secured annotation. Listing everything under the production mode piece would be handy to know everything it affects. To be clear, it's not an HTTP/HTTPS problem I encountered, it was a relative/absolute URL problem. With it off, the URLs were relative and happy under HTTPS, with it on, the URLs were then set to absolute and used HTTP. I'm going to respond to Howard's email with some more details. - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org
Re: URL writing problem with production mode true
On 04/09/2012 07:44 PM, Howard Lewis Ship wrote: I don't believe this is about production mode; this is more likely an artifact of how your app is configured behind your firewall, rather than how it runs on your workstation ... modulo that, by default in development mode, secure is disabled. When Tapestry detects that an incoming request is not secure but the pages referenced by the rendered page are secure, it forms a complete URL, to ensure the transition from HTTP to HTTPS. What I suspect is that you have marked your pages with @Secure, but that your firewall is handling the HTTPS, and forwarding an HTTP request into the servlet container hosting the application. When the firewall handles HTTPS, rather than the Tapestry application running inside the servlet container, then yes, your should not use @Secure and may want to deactivate it entirely. I'd appreciate some feedback about how well this matches your configuration before updating the documentation. I have the same webapp deployed on two RHEL 5 boxes running the RHEL version of HTTPD and a 7.0.x version of Tomcat. Both deployments of the webapp are identical with a different in Spring Security CAS URLs to go against. HTTPD is using mod_proxy_ajp to send requests to Tomcat. The AJP connectors on both Tomcats are configured exactly the same. Oh, and the proxy lines are identical. I am not using the normal Tapestry environment variable to set production mode. We had a Lift application installed first, so I'm using that value and setting production mode in AppModule. That is the only difference between the two installs. In addition, I'm displaying the values if production mode is false, so I know my logic is working. Where production mode is false I get URLs of /oss-info/secure/lookup. When production mode is true, I get URLs of http://apps.ndsu.edu/oss-info/secure/lookup. On both systems the AJP connector is configured as secure, and I am getting a secure session cookie. On the same production system, I have a couple of Tapestry 5.1 apps where production mode is false. They are all generating relative URLs. With production mode false I also get relative URLs under Jetty with Tapestry 5.3.2. I can verify with the 5.3 archetype, but it certainly seems to me that production mode of false lets the URLs be relative, but when you set it to true it starts to do extra work and looking to see if pages are marked as secured. I'm finding it in an odd way because everything on my application servers are behind HTTPS for every single request. Thanks, Richard - To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org