Proper Login HTTPS - HTTP Redirect

[mlconnor]

What is the proper way to handle shifting the user from HTTPS back to HTTP in WebFlow?

My site has several situations where a user goes through a WebFlow that require SSL. These can be Login, Registration, and other form based flows. When the user is done with the flow they need to go back to HTTP. The client unfortunately hates the HTTPS-HTTP 302/303 redirect warnings the browser gives you complaining about moving from secure to insecure.

The only way I know to get around this is to use an HTML meta redirect tag.

Code:

<meta http-equiv="refresh" content="2;url=http://coca-cola.com/someInsecurePage">

The bad thing about this is that when I submit my HTTPS form, WebFlow sends an HTTP redirect back to the browser telling it to load the new view. The user goes back to the serve and WebFlow serves up the page with the meta redirect tag. They then go back to the server again and finally get the page they want (after two redirects).

I've also seen this useful tag in WebFlow...

Code:

      <webflow:flow-execution-attributes>
          <webflow:always-redirect-on-pause value="false"/>
      </webflow:flow-execution-attributes>

...which turns off POST redirects. Unfortunately it does it for every flow you have and then you have to put redirect: in all of your views...

Am I missing a much better way to handle this?
Is there a way to tell Spring to skip the redirect on just one view?

[mlconnor]

The documentation on this is quite incomplete for SWF 2.0 and not only that, the way you seem to handle this in SWF 1.0 and SWF 2.0 are different. From what I can tell, in SWF 1.0 if you used the tag...

Code:

<webflow:always-redirect-on-pause value="false"/>

...and you wanted to do a redirect on one of your actions then you...

Code:

<view-state id="showEnterPaymentInfo"
view="redirect:enterPaymentInfo">

this seems to throw null pointers in SWF 2.0. instead, it seems you have to set a redirect flag on the ViewState.

Code:

<view-state id="showEnterPaymentInfo"
view="enterPaymentInfo" redirect="true">

yuk.

[mlconnor]

A broader question... how do you redirect to HTTPS? When a user goes to update secure information, say their address... and we need to pre-populate the form, then it has to be secure. If we are in View A and go to View B, and View B wants to declare itself as secure, how should this done?

Code:

<view-state id="stateA" view="/viewA.ftl">
  <transition on="ok" to="viewB"/>
</view-state>

<!-- this state needs to be HTTPS because secure data is pre-populated -->
<view-state id="stateA" view="/viewB.ftl">
  <transition on="ok" to="viewB"/>
</view-state>

If I have stateA have view=https://${server}/${flowExecutionURL} then it won't render properly if there are errors in the form and it has to rerender. Thoughts?

Here is a similar post that talks about the same thing. The issue is securing parts of a flow as opposed to the same flow. The challenge is that WebFlow always uses the same URL for a flow so it's hard to use channel security.