Using HTTPS to secure certain parts of a webpage is a common requirement when dealing with confidential information. Yet I have been struggling to find a decent tutorial about the HTTPS support of the Apache Wicket framework. This blog entry is written as an answer to that problem, and I am going to describe, how you can create secure webpages by using Apache Wicket.
Required Steps
The steps needed to enable the HTTPS support of Apache Wicket are explained in following (Note: this information is tested with Apache Wicket 1.4.15):
- Configuring your application to use HttpsRequestCycleProcessor
- Specifying the secured webpages
These steps are described with more details in following.
Configuring your application to use HttpsRequestCycleProcessor
The Javadoc documentation of HttpsRequestCycleProcessor class describes its function as follows:
Request cycle processor that can switch between http and https protocols based on the RequireHttps annotation. Once this processor is installed, any page annotated with the RequireHttps annotation will be served over https, while any page lacking the annotation will be served over http.
Before you can create a new HttpsRequestCycleProcessor object, you must first define the ports used to serve HTTP and HTTPS requests. This is done by creating a new HttpsConfig object, which is given to the constructor of the HttpsRequestCycleProcessor as a parameter. The following code example describes the usage of the HttpsRequestCycleProcessor in practice:
import org.apache.wicket.protocol.http.WebApplication; import org.apache.wicket.protocol.https.HttpsConfig; import org.apache.wicket.protocol.https.HttpsRequestCycleProcessor; import org.apache.wicket.request.IRequestCycleProcessor; public class WicketApplication extends WebApplication { @Override public Class<HomePage> getHomePage() { return HomePage.class; } @Override public void init() { super.init(); } @Override protected IRequestCycleProcessor newRequestCycleProcessor() { HttpsConfig config = new HttpsConfig(); //Port 8080 is used for HTTP config.setHttpPort(8080); //Port 8443 is used for HTTPS config.setHttpsPort(8443); return new HttpsRequestCycleProcessor(config); } }
Specifying the secured webpages
After you have configured your application to use the HttpsRequestCycleProcessor instead of the WebRequestCycleProcessor, you have to specify the secured webpages by using the RequireHttps annotation. There are three different methods of using the RequireHttps annotation, which are described in following:
- Add the RequireHttps annotation to a single class. This is the best approach, if you want secure only a few webpages, which do not share common functions and they are not implementing the same interfaces.
- Add the RequireHttps annotation to a base class. You can now create secure webpages by extending that base class. This approach is great, if you want to secure a large group of webpages, which all share common functions.
- Add the RequireHttps annotation to an interface. Secure webpages can now be created by implementing that interface. This approach is useful in situations, where secured webpages are all implementing the same interface, but do not share common functions.
What is Next?
Congratulations. You have just successfully configured the HTTPS support of Apache Wicket and secured some of your webpages as well. The next part of this tutorial will describe methods for using HTTPS to submit information entered in for example registration or login forms.