Tapestry 5
  1. Tapestry 5
  2. TAP5-1511

RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 5.2
    • Fix Version/s: 5.3
    • Component/s: tapestry-core
    • Labels:
      None

      Description

      In current version unless security is enabled RequestSecurityManager#checkPageSecurity always returns LinkSecurity.INSECURE.
      It could be better to return LinkSecurity.SECURE or LinkSecurity.INSECURE depends on request security flag.

              if (!securityEnabled)
                  return request.isSecure() ? LinkSecurity.SECURE : LinkSecurity.INSECURE;
      

      For now even if request to application is come by https tapestry generate http urls for getAbsolueURL call.

        Activity

        Alexander Gavrilov created issue -
        Hide
        Howard M. Lewis Ship added a comment -

        Why would security be disabled in a production application? The intent of disabling security is to prevent unwanted http/https handover requests in development.

        Show
        Howard M. Lewis Ship added a comment - Why would security be disabled in a production application? The intent of disabling security is to prevent unwanted http/https handover requests in development.
        Hide
        Alexander Gavrilov added a comment -

        Https security is not required for our application but must be supported if request comes by https, because we serve pages that can be included into another sites through iframe.

        Show
        Alexander Gavrilov added a comment - Https security is not required for our application but must be supported if request comes by https, because we serve pages that can be included into another sites through iframe.
        Howard M. Lewis Ship made changes -
        Field Original Value New Value
        Affects Version/s 5.2 [ 12313900 ]
        Affects Version/s 5.2.5 [ 12315565 ]
        Howard M. Lewis Ship made changes -
        Summary RequestSecurityManager#checkPageSecurity should return request security insed of INSECURE in case when security is disabled RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled
        Howard M. Lewis Ship made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Assignee Howard M. Lewis Ship [ hlship ]
        Fix Version/s 5.3 [ 12316024 ]
        Resolution Fixed [ 1 ]
        Hide
        Hudson added a comment -

        Integrated in tapestry-trunk-freestyle #605 (See https://builds.apache.org/job/tapestry-trunk-freestyle/605/)
        TAP5-1511: RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled

        hlship : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1188278
        Files :

        • /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
        • /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
        • /tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java
        Show
        Hudson added a comment - Integrated in tapestry-trunk-freestyle #605 (See https://builds.apache.org/job/tapestry-trunk-freestyle/605/ ) TAP5-1511 : RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled hlship : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1188278 Files : /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java /tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java

          People

          • Assignee:
            Howard M. Lewis Ship
            Reporter:
            Alexander Gavrilov
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development