[jboss-cvs] jboss-seam/doc/reference/en/modules ...
Shane Bryzak
sbryzak at redhat.com
Fri Feb 23 21:08:35 EST 2007
User: sbryzak2
Date: 07/02/23 21:08:35
Modified: doc/reference/en/modules security.xml
Log:
JBSEAM-914 documented scheme attribute
Revision Changes Path
1.46 +46 -0 jboss-seam/doc/reference/en/modules/security.xml
(In the diff below, changes in quantity of whitespace are not shown.)
Index: security.xml
===================================================================
RCS file: /cvsroot/jboss/jboss-seam/doc/reference/en/modules/security.xml,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -b -r1.45 -r1.46
--- security.xml 24 Feb 2007 00:54:06 -0000 1.45
+++ security.xml 24 Feb 2007 02:08:35 -0000 1.46
@@ -953,6 +953,52 @@
</sect1>
<sect1>
+ <title>SSL Security</title>
+
+ <para>
+ Seam includes basic support for serving sensitive pages via the HTTPS protocol. This is easily
+ configured by specifying a <literal>scheme</literal> for the page in <literal>pages.xml</literal>.
+ The following example shows how the view <literal>/login.xhtml</literal> is configured to use
+ HTTPS:
+ </para>
+
+ <programlisting><![CDATA[ <page view-id="/login.xhtml" scheme="https">]]></programlisting>
+
+ <para>
+ This configuration is automatically extended to both <literal>s:link</literal> and
+ <literal>s:button</literal> JSF controls, which (when specifying the <literal>view</literal>)
+ will also render the link using the correct protocol. Based on the previous example, the following
+ link will use the HTTPS protocol because <literal>/login.xhtml</literal> is configured to use it:
+ </para>
+
+ <programlisting><![CDATA[ <s:link view="/login.xhtml" value="Login"/> ]]></programlisting>
+
+ <para>
+ Browsing directly to a view when using the <emphasis>incorrect</emphasis> protocol will cause a
+ redirect to the same view using the <emphasis>correct</emphasis> protocol. For example, browsing
+ to a page that has <literal>scheme="https"</literal> using HTTP will cause a redirect to the same
+ page using HTTPS.
+ </para>
+
+ <para>
+ It is also possible to configure a default <literal>scheme</literal> for all pages. This is actually
+ quite important, as you might only wish to use HTTPS for a few pages, and if no default scheme is
+ specified then the default behavior is to continue using the current scheme. What this means is that
+ once you enter a page with HTTPS, then HTTPS will continue to be used even if you navigate away to
+ other non-HTTPS pages (a bad thing!). So it is strongly recommended to include a default
+ <literal>scheme</literal>, by configuring it on the default (<literal>"*"</literal>) view:
+ </para>
+
+ <programlisting><![CDATA[ <page view-id="*" scheme="http"> ]]></programlisting>
+
+ <para>
+ Of course, if <emphasis>none</emphasis> of the pages in your application use HTTPS then it is not
+ required to specify a default scheme.
+ </para>
+
+ </sect1>
+
+ <sect1>
<title>Implementing a Captcha Test</title>
<para>
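Review bot: In the paragraph that recommends a default scheme, staying on HTTPS after leaving an HTTPS page is called "a bad thing!" with no reason given, while the recommended `<page view-id="*" scheme="http">` moves every view after `/login.xhtml` back to plain HTTP. Please state why the downgrade is wanted, and add a caution that a session started on the HTTPS login page then continues over HTTP on all other views, so readers who need more than the login form protected should mark those views `scheme="https"` as well, or use `https` as the default. Minor: the two `<page ...>` listings are left unclosed while the `s:link` listing is self-closed; closing them with `/>` would make them safe to paste into `pages.xml`.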