A project of The Apache Software Foundation
Navigation

How to enforce HTTPS

Configure Wicket to require HTTPS connections for secure pages

HTTPS is the standard technology adopted on Internet to create a secure communication channel between web applications and their users.

In Wicket we can easily protect our pages with HTTPS mounting a special request mapper called HttpsMapper and using annotation RequireHttps with those pages we want to serve over this protocol. Both these two entities are in package org.apache.wicket.protocol.https.

HttpsMapper wraps an existing mapper and redirects incoming requests to HTTPS if the related response must render a page annotated with RequireHttps. Most of the times the wrapped mapper will be the root one, just like we saw before for CryptoMapper in paragraph 10.6.

Another parameter needed to build a HttpsMapper is an instance of class HttpsConfig. This class allows us to specify which ports must be used for HTTPS and HTTP. By default the port numbers used by these two protocols are respectively 443 and 80.

The following code is taken from project HttpsProtocolExample and illustrates how to enable HTTPS in our applications:

//Application class code...
@Override
public void init(){   
   setRootRequestMapper(new HttpsMapper(getRootRequestMapper(), 
                                       new HttpsConfig(8080, 8443)));
}

Now we can use annotation RequireHttps to specify which pages must be served using HTTPS:

@RequireHttps
public class HomePage extends WebPage {
    public HomePage(final PageParameters parameters) {
        super(parameters);  
    }
}

If we want to protect many pages with HTTPS without adding annotation RequireHttps to each of them, we can annotate a marker interface or a base page class and implement/extend it in any page we want to make secure:

// Marker interface:
@RequireHttps
public interface IMarker {
}

// Base class:
@RequireHttps
public class BaseClass extends WebPage {
//Page code...
}

// Secure page inheriting from BaseClass:
public class HttpsPage extends BaseClass {
//Page code...
}

// Secure page implementing IMarker:
public class HttpsPage extends WebPage implements IMarker {
//Page code...
}