Hi Geoff,

Yes, that's a pretty robust configuration; we have had Tapestry configured this way 
in production for a couple of years now without issues. If you can use a recent 
version of Apache, i.e. 2.1 onwards, then it's best to use the built-in 
mod_proxy_ajp module: http://httpd.apache.org/docs/2.1/mod/mod_proxy_ajp.html

The only drawback I have found using this set-up is that using reverse AJAX (or 
Comet if you prefer) through the proxy can be unreliable (under Tomcat6 with DWR 
it was leaking), but Jetty fared better.

Kind regards,
Peter



----- Original Message -----
From: "Geoff Callender" <geoff.callender.jumpst...@gmail.com>
To: "Tapestry users" <users@tapestry.apache.org>
Sent: Tuesday, 9 February, 2010 05:33:07 GMT +02:00 Athens, Beirut, Bucharest, Istanbul
Subject: @Secure solution (was Re: [t5.0.18] Secure Annotation / BaseURLSource)

I've found a solution - use AJP (instead of HTTP) from Apache to Jetty/Tomcat. 
Apache handles the SSL and AJP preserves the security info, so Tapestry knows a 
secure channel was used and the @Secure annotation just works. Perfect.

For the record, the key lines for httpd-ssl.conf are like this:

        SSLOptions +ExportCertData
 
        ProxyRequests Off
        ProxyPreserveHost On

        <Proxy *>
                AddDefaultCharset Off
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass       /myapp ajp://gc1.local:18080/myapp retry=5
        ProxyPassReverse        /myapp ajp://gc1.local:18080/myapp

The full config info is in these articles:

        http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
        (see "Between Apache and Tomcat")
        http://docs.codehaus.org/display/JETTY/Configuring+mod_proxy
        (alternative 1 causes the problem, whereas alternative 2 works!)

HTH someone else,

Geoff

On 09/02/2010, at 12:23 AM, Geoff Callender wrote:

> Hi Dave et al,
> 
> Did you find an OK solution to this? I too am hoping to have Apache look 
> after https and feed only http to the web server, but any page marked @Secure 
> will reject http and redirect to https, so you end in a loop bouncing between 
> browser and webserver via Apache.
> 
> Cheers,
> 
> Geoff
> 
> On 20/05/2009, at 1:02 AM, Dave Greggory wrote:
> 
>> 
>> I'm attempting to contribute my own RequestSecurityManager, but if anybody 
>> else has a better idea where I don't have to touch internal stuff let me 
>> know.
>> 
>> 
>> 
>> ----- Original Message ----
>> From: Dave Greggory <davegregg...@yahoo.com>
>> To: Tapestry users <users@tapestry.apache.org>
>> Sent: Tuesday, May 19, 2009 10:51:41 AM
>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>> 
>> 
>> Well looks like our internal network structure is pretty set and can't be 
>> changed. 
>> 
>> Users <-- internet (http / https connections ) --> load balancer/firewall 
>> <-- internal network (http) --> tomcat
>> 
>> We have a way of determining from within a tomcat application whether 
>> internet connection to firewall is secure. This can be done because the 
>> firewall adds a request header indicating SSL status. This is how we usually 
>> determine this. Can I get tapestry use my helper method that does this check 
>> to determine whether the connection was secure? How can I get secure 
>> connections working in this situation? 
>> 
>> Thanks so much.
>> Dave
>> 
>> 
>> 
>> 
>> ----- Original Message ----
>> From: Dave Greggory <davegregg...@yahoo.com>
>> To: Tapestry users <users@tapestry.apache.org>
>> Sent: Monday, May 18, 2009 12:16:36 PM
>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>> 
>> 
>> Don't worry about it, turns out our internal network is screwed up... 
>> connections between users and the load balancer is secure, but not between 
>> load balancer and app server.
>> 
>> 
>> 
>> ----- Original Message ----
>> From: Dave Greggory <davegregg...@yahoo.com>
>> To: Tapestry users <users@tapestry.apache.org>
>> Sent: Monday, May 18, 2009 11:56:56 AM
>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>> 
>> 
>> obviously, it is.
>> 
>> 
>> 
>> ----- Original Message ----
>> From: Martin Strand <do.not.eat.yellow.s...@gmail.com>
>> To: Tapestry users <users@tapestry.apache.org>
>> Sent: Monday, May 18, 2009 11:40:40 AM
>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>> 
>> Just a guess... perhaps baseSecureURL is not an https url?
>> 
>> 
>> On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <davegregg...@yahoo.com> 
>> wrote:
>> 
>>> 
>>> I've been using BaseURLSource(since behind a firewall/load balancer) fine 
>>> all this time, and recently I needed a secure page, so I added the @Secure 
>>> annotation on that page. But that page is no longer working because @Secure 
>>> annotation ends up sending continuous redirects. What am I doing wrong?
>>> 
>>> My BaseURLSource implementation:
>>> 
>>> BaseURLSource source = new BaseURLSource()
>>> {
>>>    public String getBaseURL(boolean secure)
>>>    {
>>>       return (secure) ? baseURL : baseSecureURL;
>>>    }
>>> };
>>> 
>>> Thanks,
>>> Dave
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
> 
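
For the setup Dave describes in the quoted thread, where TLS ends at a load balancer that adds a request header and forwards plain HTTP, here is an added example (not code from anyone in this thread) of a servlet filter that restores the secure flag before the framework checks it. The class name `ProxySslFilter`, the header name `X-Forwarded-Proto` and the proxy address `192.0.2.10` are assumptions; substitute whatever your load balancer actually sends and its real internal address.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class ProxySslFilter implements Filter {
    // Assumed header name; use the one your load balancer is configured to add.
    private static final String SSL_HEADER = "X-Forwarded-Proto";
    // Assumed placeholder address of the load balancer on the internal network.
    private static final Set<String> TRUSTED_PROXIES = Set.of("192.0.2.10");

    /** True if the request arrived over TLS, directly or via a trusted proxy. */
    static boolean cameOverTls(HttpServletRequest req) {
        if (req.isSecure()) {
            return true;
        }
        // Believe the header only when the direct peer is the load balancer.
        // From any other peer the header is client-controlled and proves nothing.
        return TRUSTED_PROXIES.contains(req.getRemoteAddr())
                && "https".equalsIgnoreCase(req.getHeader(SSL_HEADER));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        if (!http.isSecure() && cameOverTls(http)) {
            // Present the original channel to everything further down the chain,
            // so an isSecure() check no longer triggers a redirect to https.
            request = new HttpServletRequestWrapper(http) {
                @Override public boolean isSecure() { return true; }
                @Override public String getScheme() { return "https"; }
            };
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Map this filter ahead of the framework's own filter in web.xml, and have the load balancer strip any copy of the header that arrives from the internet side before adding its own.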

