Hi,
On Thu, Nov 17, 2011 at 10:34 AM, Dirk Forchel <[email protected]> wrote:
> Our Wicket application is stateless and doesn't need a HttpSession (the
> JSessionID is disabled by default for some SEO reasons for all requests). In
> Wicket 1.4 we use our own CodingStrategy implementation to switch between
> the Http/Https protocols if a secure annotation (RequireHttps) for a page
> class is present. This is not an option with Wicket 1.5 because coding
> strategies are replaced by IRequestMapper implementations.
> So we use the HttpsMapper as RootRequestMapper to switch over to Https. As
> I've noticed, using the HttpsMapper forces the application to create a
> HttpsSession by default, even if no secure page would be present. In my
> opinion, session binding should be done within the HttpsRequestChecker class
> (checkSecureIncoming) and only if the switch to the Https protocol is really
> required. Or do I miss something?
> Setting the HttpsConfig.setPreferStateful(false) is also not an option. In
> that case we end up with two sessions per user.
How that happens ?
This config option is there for exactly that purpose.
>
> HttpsMapper.java:
>
> public IRequestHandler mapRequest(final Request request)
> {
> IRequestHandler requestHandler = delegate.mapRequest(request);
> if (requestHandler != null)
> {
> final IRequestHandler httpsHandler =
> checker.checkSecureIncoming(requestHandler,
> httpsConfig);
> // XXX do we need to check if httpsHandler is instance
> of
> SwitchProtocolRequestHandler
> if (httpsConfig.isPreferStateful())
> {
> // we need to persist the session before a
> redirect to https so the
> session lasts
> // across both http and https calls.
> Session.get().bind();
> }
> requestHandler = httpsHandler;
> }
> return requestHandler;
> }
>
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/HttpsMapper-creates-HttpSession-by-default-tp4079305p4079305.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]