15.8. SSL Security
Seam includes basic support for serving sensitive pages via the HTTPS protocol. To configure this, specify a
scheme
for the page in pages.xml
. The following example shows how the view /login.xhtml
can be configured to use HTTPS:
<page view-id="/login.xhtml" scheme="https"/>
This configuration automatically extends to both
s:link
and s:button
JSF controls, which (when specifying the view
) will render the link under the correct protocol. Based on the previous example, the following link will use the HTTPS protocol because /login.xhtml
is configured to use it:
<s:link view="/login.xhtml" value="Login"/>
If a user browses directly to a view with the incorrect protocol, a redirect is triggered, and the same view will be reloaded with the correct protocol. For example, browsing to a
scheme="https"
page with HTTP triggers a redirect to the same page using HTTPS.
You can also configure a default scheme for all pages. This is useful if you only want to use HTTPS for a few pages. If no default scheme is specified, the current scheme will be used. So, once the user accesses a page requiring HTTPS, then HTTPS continues to be used after the user has navigated to other non-HTTPS pages. This is good for security, but not for performance. To define HTTP as the default
scheme
, add this line to pages.xml
:
<page view-id="*" scheme="http" />
If none of the pages in your application use HTTPS, you need not define a default scheme.
You can configure Seam to automatically invalidate the current HTTP session each time the scheme changes. To do so, add this line to
components.xml
:
<web:session invalidate-on-scheme-change="true"/>
This option offers more protection from session ID sniffing and sensitive data leakage from pages using HTTPS to pages using HTTP.
15.8.1. Overriding the default ports
If you wish to configure the HTTP and HTTPS ports manually, you can do so in
pages.xml
by specifying the http-port
and https-port
attributes on the pages
element:
<pages xmlns="http://jboss.com/products/seam/pages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.2.xsd" no-conversation-view-id="/home.xhtml" login-view-id="/login.xhtml" http-port="8080" https-port="8443">