Tapestry 5 / TAP5-1511

RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.2
    • Fix Version/s: 5.3
    • Component/s: tapestry-core
    • Labels:
      None

      Description

      In the current version, unless security is enabled, RequestSecurityManager#checkPageSecurity always returns LinkSecurity.INSECURE.
      It could be better to return LinkSecurity.SECURE or LinkSecurity.INSECURE depending on the request security flag.

              if (!securityEnabled)
                  return request.isSecure() ? LinkSecurity.SECURE : LinkSecurity.INSECURE;
      

      For now, even if the request to the application comes in over https, Tapestry generates http URLs for the getAbsolueURL call.
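
The behaviour reported above, as an added stand-alone Java 16+ model that is not part of the issue and not Tapestry's source: it compares the security-disabled branch before and after the proposed change and flags absolute links that fall back to http while the request arrived over https. The enum models only the two values named in the report; `absoluteUrl`, `downgradedLinks`, the host and the paths are assumptions made for the example.

```java
import java.net.URI;
import java.util.List;

// Stand-alone model for illustration; none of this is Tapestry source.
public class SchemeFollowsRequestDemo {
    // Only the two values named in the report are modelled.
    enum LinkSecurity { SECURE, INSECURE }

    // Security-disabled branch as the report describes it for 5.2.
    static LinkSecurity disabledBranchBefore(boolean requestIsSecure) {
        return LinkSecurity.INSECURE;
    }

    // Security-disabled branch as proposed in the report.
    static LinkSecurity disabledBranchAfter(boolean requestIsSecure) {
        return requestIsSecure ? LinkSecurity.SECURE : LinkSecurity.INSECURE;
    }

    // Hypothetical absolute-URL builder: the scheme is derived from the LinkSecurity value.
    static String absoluteUrl(LinkSecurity security, String host, String path) {
        return (security == LinkSecurity.SECURE ? "https" : "http") + "://" + host + path;
    }

    // Regression check: absolute links whose scheme is http although the request was https.
    static List<String> downgradedLinks(boolean requestIsSecure, List<String> links) {
        return links.stream()
                .filter(l -> requestIsSecure && "http".equalsIgnoreCase(URI.create(l).getScheme()))
                .toList();
    }

    public static void main(String[] args) {
        String host = "app.example";                                        // constructed sample host
        List<String> paths = List.of("/widget", "/widget/assets/app.css"); // constructed sample paths
        for (boolean secure : new boolean[] { false, true }) {
            List<String> before = paths.stream()
                    .map(p -> absoluteUrl(disabledBranchBefore(secure), host, p)).toList();
            List<String> after = paths.stream()
                    .map(p -> absoluteUrl(disabledBranchAfter(secure), host, p)).toList();
            System.out.println("request secure=" + secure);
            System.out.println("  before fix: " + before + " downgraded=" + downgradedLinks(secure, before));
            System.out.println("  after fix:  " + after + " downgraded=" + downgradedLinks(secure, after));
        }
    }
}
```

The same `downgradedLinks` check can be pointed at the absolute URLs an application actually renders for an https request when security is disabled.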

        Activity

        hlship Howard M. Lewis Ship added a comment -

        Why would security be disabled in a production application? The intent of disabling security is to prevent unwanted http/https handover requests in development.

        lucker Alexander Gavrilov added a comment -

        HTTPS security is not required for our application, but it must be supported if a request comes in over https, because we serve pages that can be included in other sites through an iframe.

        hudson Hudson added a comment -

        Integrated in tapestry-trunk-freestyle #605 (See https://builds.apache.org/job/tapestry-trunk-freestyle/605/)
        TAP5-1511: RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled

        hlship : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1188278
        Files :

        • /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
        • /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
        • /tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java

          People

          • Assignee:
            hlship Howard M. Lewis Ship
            Reporter:
            lucker Alexander Gavrilov