Request cycle processor that can switch between http and https protocols based on the
RequireHttps annotation.
Once this processor is installed, any page annotated with the
RequireHttps annotation
will be served over https, while any page lacking the annotation will be served over http. The
annotation can be placed on a super class or an interface that a page implements.
To install this processor:
class MyApplication extends WebApplication
{
@Override
protected IRequestCycleProcessor newRequestCycleProcessor()
{
return new HttpsRequestCycleProcessor(config);
}
}
Notes: According to servlet spec a cookie created on an https request is marked as secure,
such cookies are not available for http requests. What this means is that a session started over
https will not be propagated to further http calls because JSESSIONID cookie will be marked as
secure and not available to http requests. This entails that unless a session is created and
bound on http prior to using an https request any wicket pages or session values stored in the
https session will not be available to further http requests. If your application requires a
http->https->http interactions (such as the case where only a login page and my account
pages are secure) you must make sure a session is created and stored in the http request prior to
the first http->https redirect.