Tapestry 5 / TAP5-1511

RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.2
    • Fix Version/s: 5.3
    • Component/s: tapestry-core
    • Labels: None

      Description

      In the current version, unless security is enabled, RequestSecurityManager#checkPageSecurity always returns LinkSecurity.INSECURE.
      It would be better to return LinkSecurity.SECURE or LinkSecurity.INSECURE depending on the request's security flag.

              if (!securityEnabled)
                  return request.isSecure() ? LinkSecurity.SECURE : LinkSecurity.INSECURE;
      

      For now, even if a request to the application comes in over https, Tapestry generates http URLs for the getAbsolueURL call.
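
The difference the description asks for, as an added example (not Tapestry's code and not from the reporter). It is a simplified Java model: the `Request` interface, the two-value `LinkSecurity` enum and the `absoluteUrl` helper are stand-ins assumed for illustration, and the host and path are constructed sample values.

```java
// Added illustration; a simplified model, not Tapestry source code.
public class CheckPageSecurityDemo {

    // Only the two values named in the issue are modelled.
    enum LinkSecurity { SECURE, INSECURE }

    // Stand-in for the request object; isSecure() is true for an https request.
    interface Request { boolean isSecure(); }

    // Behaviour described for 5.2: security disabled -> always INSECURE.
    static LinkSecurity checkBefore(Request request, boolean securityEnabled) {
        if (!securityEnabled)
            return LinkSecurity.INSECURE;
        throw new UnsupportedOperationException("enabled branch not modelled");
    }

    // Behaviour proposed in the issue: follow the scheme of the current request.
    static LinkSecurity checkAfter(Request request, boolean securityEnabled) {
        if (!securityEnabled)
            return request.isSecure() ? LinkSecurity.SECURE : LinkSecurity.INSECURE;
        throw new UnsupportedOperationException("enabled branch not modelled");
    }

    // Hypothetical helper: picks the scheme of an absolute URL from the result.
    static String absoluteUrl(LinkSecurity security, String host, String path) {
        String scheme = (security == LinkSecurity.SECURE) ? "https" : "http";
        return scheme + "://" + host + path;
    }

    public static void main(String[] args) {
        String host = "app.example.test";   // constructed sample host
        String path = "/widget";            // constructed sample page path
        Request[] requests = { () -> true, () -> false };  // https, then http

        for (Request r : requests) {
            String before = absoluteUrl(checkBefore(r, false), host, path);
            String after = absoluteUrl(checkAfter(r, false), host, path);
            // A page loaded over https that references http URLs is mixed content.
            boolean downgrade = r.isSecure() && before.startsWith("http://");
            System.out.printf("request=%s before=%s after=%s downgrade=%b%n",
                    r.isSecure() ? "https" : "http", before, after, downgrade);
        }
    }
}
```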

        Activity

        Hudson added a comment -

        Integrated in tapestry-trunk-freestyle #605 (See https://builds.apache.org/job/tapestry-trunk-freestyle/605/)
        TAP5-1511: RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled

        hlship : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1188278
        Files :

        • /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
        • /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
        • /tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java
        Alexander Gavrilov added a comment -

        HTTPS security is not required for our application, but it must be supported if a request comes in over https, because we serve pages that can be included in other sites through an iframe.

        Howard M. Lewis Ship added a comment -

        Why would security be disabled in a production application? The intent of disabling security is to prevent unwanted http/https handover requests in development.


          People

          • Assignee: Howard M. Lewis Ship
          • Reporter: Alexander Gavrilov