Seam includes basic support for serving sensitive pages via the HTTPS protocol. This is easily configured by specifying a scheme for the page in pages.xml. The following example shows how the view /login.xhtml is configured to use HTTPS:
<page view-id="/login.xhtml" scheme="https"/>
This configuration is automatically extended to both s:link and s:button JSF controls, which (when specifying the view) will also render the link using the correct protocol. Based on the previous example, the following link will use the HTTPS protocol because /login.xhtml is configured to use it:
<s:link view="/login.xhtml" value="Login"/>
Browsing directly to a view when using the incorrect protocol will cause a redirect to the same view using the correct protocol. For example, browsing to a page that has scheme="https" using HTTP will cause a redirect to the same page using HTTPS.
It is also possible to configure a default scheme for all pages. This is actually quite important, as you might only wish to use HTTPS for a few pages, and if no default scheme is specified then the default behavior is to continue using the current scheme. What this means is that once you enter a page with HTTPS, then HTTPS will continue to be used even if you navigate away to other non-HTTPS pages (a bad thing!). So it is strongly recommended to include a default scheme, by configuring it on the default ("*") view:
<page view-id="*" scheme="http"/>
Of course, if none of the pages in your application use HTTPS then it is not required to specify a default scheme.
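The scheme rules described above (the view's own scheme, then the "*" default, otherwise the current scheme is kept) can be checked against a pages.xml with a short script. This is an added Python example, not part of Seam or of the original documentation; the function names and the sample pages.xml contents are constructed for illustration, and only the exact view-id and "*" cases from this page are modelled.

```python
# Added example: models only the scheme rules described on this page.
import xml.etree.ElementTree as ET

def load_schemes(pages_xml):
    """Return {view-id: scheme} for every <page> that declares a scheme."""
    root = ET.fromstring(pages_xml)
    schemes = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present
        if tag == "page" and el.get("scheme"):
            schemes[el.get("view-id")] = el.get("scheme").lower()
    return schemes

def effective_scheme(schemes, view_id, current_scheme):
    """Exact view-id wins, then the "*" default, else the current scheme is kept."""
    return schemes.get(view_id) or schemes.get("*") or current_scheme

def needs_redirect(schemes, view_id, request_scheme):
    """True when the view is requested over a scheme other than the one it resolves to."""
    return effective_scheme(schemes, view_id, request_scheme) != request_scheme

def audit(pages_xml):
    """List findings a reviewer would raise about the scheme configuration."""
    schemes = load_schemes(pages_xml)
    findings = []
    uses_https = any(s == "https" for v, s in schemes.items() if v != "*")
    if uses_https and "*" not in schemes:
        findings.append('no default scheme on view-id "*": '
                        'pages without a scheme keep the current one')
    return findings

# Constructed sample inputs (not from a real application).
WITHOUT_DEFAULT = """<pages>
  <page view-id="/login.xhtml" scheme="https"/>
  <page view-id="/home.xhtml"/>
</pages>"""

WITH_DEFAULT = """<pages>
  <page view-id="*" scheme="http"/>
  <page view-id="/login.xhtml" scheme="https"/>
  <page view-id="/home.xhtml"/>
</pages>"""

if __name__ == "__main__":
    for name, xml in (("without default", WITHOUT_DEFAULT), ("with default", WITH_DEFAULT)):
        s = load_schemes(xml)
        print(name, "| /home.xhtml after HTTPS login ->", effective_scheme(s, "/home.xhtml", "https"))
        print(name, "| /login.xhtml over HTTP redirects:", needs_redirect(s, "/login.xhtml", "http"))
        print(name, "| findings:", audit(xml))
```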