This tutorial looks at configuring a specific link on a page so that it can only be accessed via a secure channel (HTTPS).
The example for this tutorial implements a simple non-secure page that submits login credentials via a secure link.
The page template content is as follows. Please note the link in the form action.
<!DOCTYPE html>
<html>
<body>
    <form action="/login" method="POST">
        Username: <input type="text" name="username" /> <br />
        Password: <input type="password" name="password" />
    </form>
    Other content of non-secure page.
</body>
</html>
To configure the login path to only be accessible via a secure channel (HTTPS), the following REST YAML configuration is used:
secure: true
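Setting secure: true in the path-level YAML file ensures that any HTTP request to that path is automatically redirected (307) to HTTPS before the handler runs. This means connection.isSecure() will always be true when the handler executes. The redirect protects the handler, not the first request: because the form action above is the relative /login, a browser that loaded the page over HTTP sends the POST, credentials included, over HTTP first and only repeats it over HTTPS after receiving the 307.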
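The following is an added example, not code from this tutorial or from OfficeFloor. It puts a JDK HttpServer in place of the non-secure listener to show what a form POST to a 307-redirecting path has already delivered over plain HTTP by the time the redirect arrives. The class name, the credentials and the HTTPS address in the Location header are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicReference;

public class RedirectExposureDemo {
    // Constructed sample values (assumptions, not from the tutorial)
    static final String FORM_BODY = "username=alice&password=constructed-secret";
    static final String HTTPS_LOCATION = "https://localhost:7979/login";

    /** Returns the request body the plain-HTTP listener received before it redirected. */
    static String bodySeenOverHttp() throws Exception {
        AtomicReference<String> seen = new AtomicReference<>("");
        // Stand-in for the non-secure listener of a path configured with secure: true
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/login", exchange -> {
            seen.set(new String(exchange.getRequestBody().readAllBytes(), StandardCharsets.UTF_8));
            exchange.getResponseHeaders().add("Location", HTTPS_LOCATION);
            exchange.sendResponseHeaders(307, -1); // 307: a following client repeats method and body
            exchange.close();
        });
        server.start();
        try {
            // The request a browser makes for <form action="/login" method="POST"> on an http:// page
            URI target = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/login");
            HttpRequest post = HttpRequest.newBuilder(target)
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .POST(HttpRequest.BodyPublishers.ofString(FORM_BODY))
                    .build();
            HttpClient client = HttpClient.newBuilder()
                    .version(HttpClient.Version.HTTP_1_1)
                    .followRedirects(HttpClient.Redirect.NEVER) // stop at the 307 to inspect it
                    .build();
            HttpResponse<Void> response = client.send(post, HttpResponse.BodyHandlers.discarding());
            System.out.println("status=" + response.statusCode() + " location="
                    + response.headers().firstValue("Location").orElse("(none)"));
            return seen.get();
        } finally {
            server.stop(0);
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("body received over plain HTTP: " + bodySeenOverHttp());
    }
}
```

Rendering the form action as an absolute https:// URL, or serving the form page itself over HTTPS, keeps the first POST off the plain channel.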
The logic for the page is the following:
import java.io.Serializable;

import lombok.Data;
import net.officefloor.server.http.ServerHttpConnection;
import net.officefloor.web.HttpParameters;

public class TemplateLogic {

    @Data
    @HttpParameters
    public static class LoginParameters implements Serializable {
        private static final long serialVersionUID = 1L;

        private String username;

        private String password;
    }

    public void login(LoginParameters credentials, ServerHttpConnection connection) {

        // Confirm a secure connection (not needed but included for tutorial)
        if (!connection.isSecure()) {
            throw new IllegalStateException();
        }

        // Logic for login
    }
}
This tutorial shows sending information over a secure channel (HTTPS) from a non-secure page.
The unit test demonstrates the rendering of the secure link.
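import static org.junit.jupiter.api.Assertions.assertTrue;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.util.EntityUtils;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.api.extension.RegisterExtension;

import net.officefloor.server.http.HttpClientExtension;
import net.officefloor.test.OfficeFloorExtension;

@ExtendWith(OfficeFloorExtension.class)
public class SecureLinkHttpServerTest {

    @RegisterExtension
    public final HttpClientExtension client = new HttpClientExtension();

    @Test
    public void ensureLinkRenderedSecure() throws Exception {

        // Obtain the page
        HttpResponse response = this.client.execute(new HttpGet("http://localhost:7878"));
        String renderedPage = EntityUtils.toString(response.getEntity());

        // Ensure login form is present (login endpoint is secure - HTTP redirects to HTTPS)
        assertTrue(renderedPage.contains("form action=\"/login"), "Login form should be present");
    }
}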
The next tutorial looks at authentication.