ConnectionController Callback Secure URL

[vw729]

If my understanding is correct, the default callback url of the ConntectionController is the home URL of hosting site which is not a secure URL. If it is correct, I am wondering why I need to set a secure callback URL if I need a customized one (http://static.springsource.org/sprin...s/1.0.x/api/)?

[habuma]

First, the default is not the home URL of the hosting site. It is based on the URL of the current request when starting the connection flow. For example, in a typical Facebook connection flow, the path will be /connect/facebook, so the callback URL will also have the same path. If your app is at https://somesite.com/someapp, then the callback URL will be https://somesite.com/someapp/connect/facebook.

Whether the default URL is secure or not depends on whether the request that initiated the flow was secure. If you went to /connect/facebook over https, then the default callback URL will also be over https. Otherwise, it will not be.

Technically speaking, it's not mandatory that the callback URL be secure, although it probably should be. When you set a custom callback URL, you have the option of https or simply http. ConnectController doesn't enforce https; otherwise you'd have to go through extra effort to setup HTTPS to be able to use Spring Social apps when running on localhost.

[vw729]

Thanks Craig. I get it.