Seam includes basic support for serving sensitive pages via the HTTPS protocol. This is easily configured by specifying a scheme for the page in pages.xml. The following example shows how the view /login.xhtml is configured to use HTTPS:
<page view-id="/login.xhtml" scheme="https">
This configuration is automatically extended to both s:link and s:button JSF controls, which (when specifying the view) will also render the link using the correct protocol. Based on the previous example, the following link will use the HTTPS protocol because /login.xhtml is configured to use it:
<s:link view="/login.xhtml" value="Login"/>
Browsing directly to a view when using the
incorrect
protocol will cause a redirect to the same view using the
correct
protocol. For example, browsing to a page that has scheme="https" using HTTP will cause a redirect to the same page using HTTPS.
It is also possible to configure a default scheme for all pages. This is actually quite important, as you might only wish to use HTTPS for a few pages, and if no default scheme is specified then the default behavior is to continue using the current scheme. What this means is that once you enter a page with HTTPS, then HTTPS will continue to be used even if you navigate away to other non-HTTPS pages (a bad thing!). So it is strongly recommended to include a default scheme, by configuring it on the default ("*") view:
<page view-id="*" scheme="http">
Of course, if
none
of the pages in your application use HTTPS then it is not required to specify a default scheme.
