
It is easy to require that every request to an entire website arrive over an encrypted connection (HTTPS). Until now, however, it was not possible to impose this requirement on some FlexWiki namespaces but not others. FlexWiki 2.0.0.48 introduces a feature (SourceForge RFE 1727666) that enables this scenario.
A new element has been added to flexwiki.config, and a new property has been introduced to _ContentBaseDefinition. The name of both the element and the property is RequireTransportSecurityFor. The value in _ContentBaseDefinition (if present) overrides the flexwiki.config value, which sets the default for the entire wiki.
In either location, the setting can have one of two values: "Content" or "None". If set to "Content" in a particular namespace (either by being set in _ContentBaseDefinition for that namespace or by being set in flexwiki.config for the entire wiki), a TransportSecurityRequirementException is thrown any time the full text of a topic from that namespace is retrieved. This exception is caught by the web application, which displays an error page with the text:
This request requires a secure connection (HTTPS). You will be redirected to the secure portion of the website momentarily, or you can use the link below to retry your request immediately.
Try again using HTTPS
Note that this error message is only shown for actions that require the entire text of a topic to be retrieved, such as viewing or editing that topic. Other actions that access only a topic's metadata (for example, displaying a link to a topic, which uses the Summary WikiProperty to create a ToolTip) do not trigger the exception. In this sense, some of the information from a "RequireTransportSecurityFor: Content" namespace may be exposed via a non-HTTPS connection. This is intentional - otherwise the requirement for HTTPS would quickly "leak" out of the desired namespace to the entire wiki. If HTTPS is wanted for the entire wiki, IIS's native facilities are a much better way to achieve that.
Some consideration of this effect has gone into the design. In the future, additional values beyond "Content" and "None" may be introduced. For example, "ContentAndProperties" could be implemented to force HTTPS access even for access to properties. There are no plans at present to add this capability, however.
In flexwiki.config:
<configuration>
  <!-- Other elements removed for clarity -->
  <FederationConfiguration>
    <RequireTransportSecurityFor>Content</RequireTransportSecurityFor>
  </FederationConfiguration>
</configuration>

In flexwiki.config:
<configuration>
  <!-- Other elements removed for clarity -->
  <FederationConfiguration>
    <RequireTransportSecurityFor>None</RequireTransportSecurityFor>
  </FederationConfiguration>
</configuration>
In _ContentBaseDefinition for the namespace in question:
RequireTransportSecurityFor: Content

In flexwiki.config:
<configuration>
  <!-- Other elements removed for clarity -->
  <FederationConfiguration>
    <RequireTransportSecurityFor>Content</RequireTransportSecurityFor>
  </FederationConfiguration>
</configuration>
In _ContentBaseDefinition for the namespace in question:
RequireTransportSecurityFor: None
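
The precedence and enforcement rules described above can be modelled in a short audit script. This is an added example, not FlexWiki's own code: the function names are hypothetical, the sample inputs are constructed, and it assumes that no requirement applies when neither location sets a value and that any value other than "Content" or "None" should be rejected.

```python
import re
import xml.etree.ElementTree as ET

SETTING = "RequireTransportSecurityFor"
VALID = {"Content", "None"}  # the only two values the page documents

# Constructed sample flexwiki.config, reduced to the one element that matters.
SAMPLE_CONFIG = ("<configuration><FederationConfiguration>"
                 "<RequireTransportSecurityFor>{}</RequireTransportSecurityFor>"
                 "</FederationConfiguration></configuration>")


def _checked(value):
    if value not in VALID:
        raise ValueError(f"unsupported {SETTING} value: {value!r}")
    return value


def wiki_default(config_xml):
    """Read the wiki-wide default from flexwiki.config text, or None if unset."""
    node = ET.fromstring(config_xml).find(f"FederationConfiguration/{SETTING}")
    if node is None or not (node.text or "").strip():
        return None
    return _checked(node.text.strip())


def namespace_override(definition_text):
    """Read the property from a namespace's _ContentBaseDefinition topic text."""
    m = re.search(rf"^{SETTING}:[ \t]*(\S+)[ \t\r]*$", definition_text, re.MULTILINE)
    return _checked(m.group(1)) if m else None


def effective_setting(config_xml, definition_text=""):
    """The namespace value, if present, overrides the flexwiki.config default."""
    override = namespace_override(definition_text)
    if override is not None:
        return override
    # Assumption: with neither location set, no HTTPS requirement applies.
    return wiki_default(config_xml) or "None"


def is_blocked(setting, is_https, reads_full_text):
    """True where the page says TransportSecurityRequirementException is thrown."""
    return setting == "Content" and reads_full_text and not is_https


if __name__ == "__main__":
    cases = [("Content", ""), ("None", f"{SETTING}: Content"), ("Content", f"{SETTING}: None")]
    for default, definition in cases:
        s = effective_setting(SAMPLE_CONFIG.format(default), definition)
        print(f"default={default} override={definition!r} -> {s};",
              "plain-HTTP view blocked:", is_blocked(s, False, True))
```

Running it over each namespace's _ContentBaseDefinition text shows which namespaces will reject plain-HTTP views and edits, and makes visible that property-only access is never blocked by this setting.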