12 Replies Latest reply on Sep 5, 2008 3:08 AM by rickhoro2

    Seam and HTTPS

    accountclosed

      Hello,


      I'm trying to make some pages use HTTP and some use HTTPS (done what chapter 14 of the 2.0.2 Seam manual suggests). For example, the register.html page is defined with a scheme of https:



      <page view-id="/register.html" scheme="https">
      ...
      </page>



      In my web.xml file I have:



        <security-constraint>
          <web-resource-collection>
            <web-resource-name>SSL Pages</web-resource-name>
            <description />
            <url-pattern>/register.html</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
            <description />
            <role-name>Everyone</role-name>
          </auth-constraint>
          <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>




      Tomcat 6.0 has the following entry in the server.xml file:


        <Connector port="8443" protocol="HTTP/1.1"
          SSLEnabled="true"
          maxThreads="150" scheme="https" secure="true"
          clientAuth="false" sslProtocol="TLS" />



      Problem is that when I navigate to the page with the HTTPS protocol (and correct port), from:



      http://localhost:8080/index.html




      To



      https://localhost:8443/register.html



      It can't find the page. I'm using Seam 2.0.2, Tomcat 6, Facelets, and the UrlRewrite Filter. Anyone know how to make this work correctly? Any help appreciated.

        • 1. Re: Seam and HTTPS

          Is https enabled in your Tomcat? (did you enable it in server.xml?)

          • 2. Re: Seam and HTTPS

            Maybe this can help. You seem to be your https configuration incomplete (you didn't specify your keystore file):


            <Connector 
                       port="8443" minSpareThreads="5" maxSpareThreads="75"
                       enableLookups="true" disableUploadTimeout="true" 
                       acceptCount="100"  maxThreads="200"
                       scheme="https" secure="true" SSLEnabled="true"
                       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
                       clientAuth="false" sslProtocol="TLS"/>
            

            • 3. Re: Seam and HTTPS

              Oops, posted accidentally:


              You seem to be your https configuration incomplete (you didn't specify your keystore file):


              was supposed to be:


              You seem to HAVE your https configuration incomplete (you didn't specify your keystore file):

              • 4. Re: Seam and HTTPS
                accountclosed

                Francisco,


                Thanks for your reply. Actually it works either way (Tomcat 6 doesn't require you to specify the keystore attributes, it goes and gets them itself ... but I also did use the longer version which does specify the keystore and it doesn't fix things).


                I have managed to figure out a bit of the problem. If you are telling Seam about things such as HTTPS and HTTP, then you need to take out of your web.xml file the security-constraint element (posted above) - Seam apparently takes care of that itself.


                However, there still is the problem with any sort of a link from an HTTP page, to an HTTPS page (and possibly vice versa although I haven't gotten that far yet). I have an index.html page that is HTTP



                http://localhost:8080/index.html




                I have a register.html page (as HTTPS) and it is:



                https://localhost:8443/register.html




                Now if I type either of those URLs into the URL text field of my web browser, ( http://localhost:8080/index.html or https://localhost:8443/register.html ), both pages load under the correct protocol and display correctly. That is to say, I type the URL myself manually and I don't click on a hyper link within the page, I get the correct and successful page loading.


                The problem is that the link is either incorrect or it doesn't invoke the correct protocol/port. If I use a plain old HTML anchor element (inside of the Facelet), the rendered link (after the Facelet does its thing) is:


                <a href="./register.html" class="registerbutton"> </a>



                No surprise there. If I use a Seam link (Seam's link element), the rendered link (again, Facelet stuff), I get:



                <a href="https://localhost:8080/register.html?cid=1" 
                  id="j_id9">Register</a>



                Notice how Seam's seam link is changing the protocol but not the port whereas the HTML anchor element simply points to http://localhost:8080/register.html (so it doesn't change either the protocol or the port).


                I've tried the same test without using the UrlRewriteFilter, so I can rule that out. And since the web.xml file does not contain the security constraint in it, it can't be some sort of problem with Tomcat. Something in Seam ...


                Not sure how to get this working correctly. I've scoured the docs but have not come across the solution.

                • 5. Re: Seam and HTTPS
                  shane.bryzak

                  You can override the default ports in pages.xml:


                  <pages http-port="8080" https-port="8443">



                  Sorry this isn't documented clearly, I'll update the security chapter to include this info.
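
Added example, not part of the original thread and not Seam code: a small link audit that resolves the two anchors quoted in reply 4 the way a browser would and flags any same-host link whose scheme and port disagree with the 8080/8443 mapping from reply 5, or that reaches an https-only view over http. The names `audit_links`, `PORTS` and `HTTPS_ONLY` are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumptions for this example: ports as given in the thread, and the set of
# views that pages.xml marks scheme="https".
PORTS = {"http": 8080, "https": 8443}
HTTPS_ONLY = {"/register.html"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class _Hrefs(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def audit_links(page_url, html, ports=PORTS, https_only=HTTPS_ONLY):
    """Return (absolute_url, problem) for same-host links with a wrong scheme or port."""
    parser = _Hrefs()
    parser.feed(html)
    host = urlsplit(page_url).hostname
    findings = []
    for href in parser.hrefs:
        url = urljoin(page_url, href)  # resolve relative links as a browser would
        parts = urlsplit(url)
        if parts.scheme not in ports or parts.hostname != host:
            continue  # mailto:, other sites, etc. are out of scope
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if parts.path in https_only and parts.scheme != "https":
            findings.append((url, "https-only view linked over http"))
        elif port != ports[parts.scheme]:
            findings.append((url, f"{parts.scheme} on port {port}, expected {ports[parts.scheme]}"))
    return findings


# Constructed input: the two anchors quoted in reply 4 plus one correct link.
SAMPLE = """
<a href="./register.html" class="registerbutton"> </a>
<a href="https://localhost:8080/register.html?cid=1" id="j_id9">Register</a>
<a href="https://localhost:8443/register.html">ok</a>
"""

if __name__ == "__main__":
    for url, problem in audit_links("http://localhost:8080/index.html", SAMPLE):
        print(f"{problem}: {url}")
```

Run against rendered pages in a test deployment, a check like this catches both failure modes from the thread: the plain anchor that stays on http, and the Seam link that switches to https but keeps port 8080.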

                  • 6. Re: Seam and HTTPS
                    accountclosed

                    Shane,


                    Thanks for getting back to me on this so quickly. I did add both of those attributes to the pages (root) element of the pages.xml document but it didn't solve the problem (I stopped Tomcat, re-installed the WAR, restarted Tomcat and still both the Seam link element and the plain old HTML anchor element want to connect to port 8080). I'm using Seam 2.0.2.


                    I've downloaded Seam 2.0.3 and looked at the pages.xml files for both versions (2.0.2 and 2.0.3) and they both specify the XML schema instance as (that is the xsi attribute of the pages.xml schema which I downloaded from):



                    http://jboss.com/products/seam/pages-2.0.xsd




                    Which (if downloaded and viewed) doesn't specify any port attributes. Is this something specific to 2.1? That's fine if it is, I can wait for HTTPS handling for a bit. If not, I can submit a JIRA report if need be. What's your call?

                    • 7. Re: Seam and HTTPS
                      shane.bryzak

                      The lack of those attributes in the xsd file is an oversight, I've fixed it up now and committed to svn trunk.  As for your issue, if you like you can raise it in JIRA and assign to me - make sure you include a test case with clear steps to reproduce, including code.

                      • 8. Re: Seam and HTTPS
                        accountclosed

                        Will do. I'll put together a test case and submit it. Thanks.

                        • 9. Re: Seam and HTTPS
                          accountclosed

                          Shane,


                          I've posted to JIRA here:


                          HTTPS Links Contain Wrong Port


                          Let me know if you need any more info on this issue. Thanks again for offering to look at this.

                          • 10. Re: Seam and HTTPS
                            rickhoro2

                            Hi,


                            I added a request about a week ago that JIRA 3274 be fixed for Seam 2.0.3 and was wondering if anyone saw the request since 3274 had already been closed. Thanks in advance for a response on this.


                            Rick

                            • 11. Re: Seam and HTTPS
                              accountclosed

                              For me I was looking forward and deciding on waiting. However, Beta 1 just came out and it's now borked for Tomcat based on Problem with StandardDeploymentStrategy in Seam 2.1.0.BETA1


                              I'm hoping that Beta 2 will be out to fix this soon, my app kind of needs it.

                              • 12. Re: Seam and HTTPS
                                rickhoro2

                                Hey...I was away on vacation and busy with other things for a few days. I, too, am having a deployment problem with beta 1...different from yours. I will post a separate thread about it.


                                I'd still like to know if JIRA 3274 can be implemented on Seam 2.0.3 so I can move forward with my development. Got a customer waiting...Thanks.