HTTPS Encryption

A WebDSL application can specify whether a page or form should be accessed over an encrypted https channel.

Tomcat Configuration

Using https requires some extra configuration when deploying to an external Tomcat server. The Tomcat instance used by the plugin and by the command-line test and run commands is already configured (note: it uses a dummy configuration that should not be used in a production deployment of the app). Follow these steps to configure Tomcat 6:

Run this command and follow the instructions (note down the password):

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

Then, in tomcat/conf/server.xml add the following Connector (use the password you entered in keytool):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true"
  keystoreFile="${user.home}/.keystore" keystorePass="--password--"
  clientAuth="false" sslProtocol="TLS" />

Read more about this topic here: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
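As an added check (not part of WebDSL or Tomcat), the following Python script parses a server.xml and flags an https Connector that still carries the placeholder keystore password or lacks the scheme/secure attributes shown above; the sample server.xml is constructed for the example and the set of placeholder passwords is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, modelled on the Connector shown above.
# The keystorePass placeholder has been left in place on purpose.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      keystoreFile="${user.home}/.keystore" keystorePass="--password--"
      clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Assumed set of values that mean the keystore password was never really set.
PLACEHOLDER_PASSWORDS = {"", "--password--", "changeit"}


def audit_ssl_connectors(server_xml: str) -> list:
    """Return a list of findings (strings) about https Connectors in a
    Tomcat server.xml document; an empty list means nothing was flagged."""
    root = ET.fromstring(server_xml)
    findings = []
    ssl_connectors = [
        c for c in root.iter("Connector")
        if c.get("SSLEnabled", "false").lower() == "true"
    ]
    if not ssl_connectors:
        # Without an https Connector, [secure] pages and forms cannot be served.
        return ['no Connector with SSLEnabled="true": https is not configured']
    for c in ssl_connectors:
        port = c.get("port", "?")
        # scheme/secure make Tomcat report the request to the app as https.
        if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
            findings.append(f'port {port}: set scheme="https" and secure="true"')
        if c.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is still a placeholder")
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against tomcat/conf/server.xml by reading the file contents into audit_ssl_connectors before deploying.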

Usage in WebDSL

With Tomcat configured for https, the following is supported:

navigate bla()[secure]{ "go to secure https" }
navigate root()[not-secure]{ "go to regular http" }

After switching to https or http, regular navigations and form submits stay in the current mode.

form [secure]{
  input(test.i)
  submit action{ } { "save https mode" }
}
form [not-secure]{
  input(test.i)
  submit action{ } { "save http mode" }
}

A form marked [secure] or [not-secure] submits over https or http respectively, regardless of the current mode. The submit also switches the current mode.

define secure page importantpage(){
  "secure"
}

define not-secure page homepage(){
  "not secure"
}

Adding the secure or not-secure modifier to a page definition always redirects to the correct protocol when the page is accessed in the wrong mode.

Example

A common use case is to have a login form submit over https in order to avoid sending the password in plain text. This can be implemented as follows:

define not-secure page login(){
  var name : String
  var pass : Secret
  form [secure]{
    input(name)
    input(pass)
    submit action{ authenticate(name,pass); } { "login" }
  }
}

Note: because the protocol is switched back to http after logging in, the session cookie continues to be sent in plain text and could potentially be hijacked. For security sensitive applications, using https for all pages is recommended; however, it does add overhead, so it is not suitable for all applications.