Web Applications-Development-SSL requests via https protocol

Version 28.1 by Kieran Kelleher on 2008/07/21 14:59

Introduction

Sooner or later you will need to develop WebObjects applications that work with SSL requests over the https protocol. If SSL is configured on your deployment server, you can probably just change http to https in the app entry URL and the app will probably just work over https. However, if your application requires security, you cannot depend on your users typing in a URL that begins with https. Also, since SSL encryption adds more load to the web server, you may decide that just some pages need to be returned securely over https and the rest returned via plain old http. In any case, you may want or need to set up your local OS X development machine to support https so that you can properly test your application. This article endeavors to do this in a concise way while referring to third-party sources where applicable. Note also that setting up SSL for testing can be a far simpler task (and not really secure) than setting up real authentic SSL certificates for use on a production server.

Information
Compatibility

These instructions were written and tested on

  • OS X Leopard Client 10.5.4
  • Standard built-in apache2
  • If you like, record and verify your OS configuration as follows:
    • $ openssl version

Development via Apache Webserver

By default, WebObjects development installations typically run via DirectConnect. For https development, we must run through the Apache web server built into every OS X machine. So before going any further, configure your WebObjects development environment so that your development application launches and runs through Apache using the host name "localhost".

Configuring Apache for https://localhost

Detecting SSL

Code for detecting whether SSL is active for the current request:
I'm told this won't work with IIS:


// Is this page being accessed securely?
boolean secureMode = false;
String header = context.request().headerForKey( "https" );
if( header == null ) {
    log.debug( "no https header, looking for server_port" );
    header = context.request().headerForKey( "server_port" );
    if( header == null ) {
        log.debug( "no server_port header found, assuming insecure connection" );
    } else {
        log.debug( "server_port header found, using it" );
        secureMode = header.equals( "443" );
    }
} else {
    log.debug( "https header found, using it" );
    secureMode = header.equals( "on" );
}
log.debug( "secure mode set to " + secureMode );
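
Because users cannot be relied on to type https themselves, the detection above is normally paired with a redirect for pages that must be secure. The following is an added example, not code from the original article: the class `HttpsGuard`, the constant `CANONICAL_HOST`, and the `Map` standing in for `context.request().headerForKey(...)` are assumptions, and the header comparison is made case-insensitive here.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example: decide whether a request must be redirected to https. */
public class HttpsGuard {
    // Assumption: the host name comes from configuration, not from the
    // request, so a forged Host header cannot steer the redirect elsewhere.
    static final String CANONICAL_HOST = "localhost";

    /** Same header logic as the snippet above, null-safe and case-insensitive. */
    static boolean isSecure(Map<String, String> headers) {
        String https = headers.get("https");
        if (https != null) {
            return "on".equalsIgnoreCase(https.trim());
        }
        String port = headers.get("server_port");
        return port != null && "443".equals(port.trim());
    }

    /** Returns the https URL to redirect to, or null if already secure. */
    static String redirectTarget(Map<String, String> headers, String uri) {
        if (isSecure(headers)) {
            return null;
        }
        // Accept only a local path: no scheme-relative URL, no CR/LF that
        // could split the Location header. Anything else falls back to "/".
        if (uri == null || !uri.startsWith("/") || uri.startsWith("//")
                || uri.indexOf('\r') >= 0 || uri.indexOf('\n') >= 0) {
            uri = "/";
        }
        return "https://" + CANONICAL_HOST + uri;
    }

    public static void main(String[] args) {
        // Constructed sample requests using the header names from this page.
        Map<String, String> plain = new HashMap<>();
        plain.put("server_port", "80");
        Map<String, String> tls = new HashMap<>();
        tls.put("https", "on");
        Map<String, String> none = new HashMap<>();

        String uri = "/cgi-bin/WebObjects/MyApp.woa/wa/login"; // constructed URI
        System.out.println(redirectTarget(plain, uri));  // needs redirect
        System.out.println(redirectTarget(tls, uri));    // already secure
        System.out.println(redirectTarget(none, "//other.example/x")); // unsafe path
    }
}
```

A request with neither header is treated as insecure, matching the fallback in the snippet above, so it is redirected rather than served in the clear.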