We have now added the X-Forwarded-Proto and X-Forwarded-For to the
requests but we still get 302 loop:
GET /ngm/start HTTP/1.1
Host: bo-ci.eget.fi
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169
Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,sv;q=0.8,fi;q=0.7,lv;q=0.6,es;q=0.5
Cookie: _ga=GA1.2.2095789035.1543389393;
AMCV_A5A139F7569D5CB57F000101%40AdobeOrg=1406116232%7CMCIDTS%7C17864%7CMCMID%7C21405024211598008102491243369473793569%7CMCAAMLH-1543994214%7C6%7CMCAAMB-1543994214%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1543396614s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C2.5.0;
_gcl_au=1.1.558442318.1553672462;
__cfduid=d3fcfc204dc54bf4c4d94a53ee955a6581557830653;
NGM=g49j5fJxzz-XyMWzYBJ4YoebaB8rgEwPw_gG2tEjudRZqYbykvGY!-2115956942
X-Forwarded-For: 10.5.128.233
X-Forwarded-Proto: https
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 17 Jun 2019 06:23:19 GMT
Transfer-Encoding: chunked
Location: https://bo-ci.eget.fi/ngm/start
0103
<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved
temporarily.</p>
<p>It's now at <a
href="https://bo-ci.eget.fi/ngm/start";>https://bo-ci.eget.fi/ngm/start</a>.</p>
</body></html>
0000
Any more tips?
Br,
Kim
2019-06-14 12:24 skrev Kim Syväluoma:
Thanks for the answers. We will try adding the "X-Forwarded-Proto:
https" header to our requests.
/Kim
2019-06-14 11:34 skrev Chris Poulsen:
Hi,
We use:
// default to non-secure pages (allows us to support both http and
https
based on the request)
configuration.add( SymbolConstants.SECURE_ENABLED, "false" );
And always have an upstream proxy for performing SSL termination. This
relies on the X-Forward-* headers being set and handled correctly by
the
various servers.
--
Chris
On Fri, Jun 14, 2019 at 10:06 AM Dmitry Gusev <dmitry.gu...@gmail.com>
wrote:
Hi,
I'd suggest to check value of `Request#isSecure()`, it looks like
it's
false.
It can happen if your WebSphere is behind a proxy/load balancer which
terminates SSL,
in this case you may need to configure WebSphere to acknowledge the
x-forwarded-proto HTTP header.
On Fri, Jun 14, 2019 at 9:17 AM Kim Syväluoma <kim....@aland.net>
wrote:
> We have a Tapestry application which we need to use over HTTPS only. We
> are using Weblogic only.
>
> We have these set in the AppModule of the Tapestry application:
>
> public static void contributeApplicationDefaults(
> final MappedConfiguration<String, String> configuration) {
> configuration.add("tapestry.supported-locales", "en");
> configuration.add("tapestry.start-page-name", "start");
> configuration.add(SymbolConstants.HOSTPORT_SECURE, "443");
> configuration.add(SymbolConstants.SECURE_ENABLED, "true");
> }
>
> public static void contributeMetaDataLocator(final
> MappedConfiguration<String, String> configuration) {
> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
> }
>
> In the Start page we have a redirect like this:
>
> final Object onActivate() {
> if (!this.sessionHandler.isLoggedIn()) {
> return this.loginPage;
> }
> return this.mainFrameSet;
> }
>
> We we try to access our app by HTTPS at root or directly at the start
> page, loginPage or mainFrameSet page we get infinite redirect loop (302)
> to the same page we are accessing.
>
> If we set the MetaDataConstants.SECURE_PAGE to false we can access our
> app over HTTPS but all page requests/links within the app is then done
> over HTTP and that does not work.
> We need to have all functionality within the app to work over, and using
> only, HTTPS.
>
> What have we missed?
>
> Br,
> Kim
>
--
Dmitry Gusev
AnjLab Team
http://anjlab.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
