From: Amit L. <aa...@gm...> - 2007-08-29 21:25:47
From what I can tell, most of the instances of these are in configuration files, which should be changed to suit deployment specific settings anyway. Some of the instances are in comments, which, as far as functionality is concerned, have no effect, and some are in fact to external links - which, as Andrew said, are fine. There is one instance where I saw a mifos URL hard coded, in MifosServiceStub, which as far as I can tell, is auto generated and we don't really use it.

Any broken links should have shown up on the test server, or current deployments, where access is not from a remote machine (so the address is something like: http://somemfi.org/mifos).

I don't think this is an issue, but it's probably worth testing like Tom suggested.

-Amit

On 8/29/07, Tom Bostelmann <tbo...@gm...> wrote:
> A quick look through the code for instances of 'http://localhost:8080/' uncovered several (seven for this specific search). So, yes, this leaves the possibility for unencrypted communication.
>
> A typical way of testing this is to configure an apache/tomcat setup where apache only forwards https requests to the tomcat server. This should expose any traffic that isn't being sent via https (the links will break, essentially).
>
> -Tom
>
> On 8/29/07, George Conard <gc...@gr...> wrote:
> > adding developer listserv to this as at least part of the question is code-related
> >
> > i'll let others comment on the substance
> >
> > ________________________________
> > From: mif...@li... [mailto:mif...@li...] On Behalf Of Andrew White
> > Sent: Wednesday, August 29, 2007 12:40 PM
> > To: Mifos functional discussions
> > Subject: [Mifos-functional] http vs https for access to Mifos
> >
> > Hi all,
> >
> > Here in Honduras we are hoping to force all the traffic to our Mifos implementation through an SSL (https) session so that usernames and passwords, as well as financial data, do not cross the Internet in cleartext.
> >
> > While forcing a normal web session through https via http can be easily accomplished via configuration settings in Tomcat+JBoss, I am concerned that some of the html that is output to the client's browser (e.g. via javascript) will output http: links. A quick glance through some of the code seems to show this concern is indeed valid ... I see references to http methods but am not sure if http links are output to the client browser.
> >
> > Does anyone know if this concern is indeed justified? Does anyone else have the concern that there is no encryption supported for Mifos sessions?
> >
> > -Andrew
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems? Stop.
> > Now Search log events and configuration files using AJAX and a browser.
> > Download your FREE copy of Splunk now >> http://get.splunk.com/
> > _______________________________________________
> > Mifos-functional mailing list
> > Mif...@li...
> > https://lists.sourceforge.net/lists/listinfo/mifos-functional
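
The triage described in this thread (configuration file, comment, external link, hard-coded in code), sketched as an added example that is not part of the thread or of the Mifos code base. It goes beyond the single search string Tom used and scans for any `http://` URL; the file extensions, the host set, the comment heuristics and the sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"http://[^\s\"'<>)]+")
CONFIG_EXT = (".properties", ".xml", ".cfg")   # assumed config file types
APP_HOSTS = {"localhost", "127.0.0.1"}         # assumed hosts meaning "the app itself"

def in_comment(line, pos):
    """Heuristic: is the text before `pos` on this line inside a comment?"""
    head = URL_RE.sub("", line[:pos])          # ignore '//' belonging to an earlier URL
    if head.lstrip().startswith(("#", "*")):
        return True
    return any(tok in head for tok in ("//", "/*", "<!--"))

def classify(path, line, match):
    if in_comment(line, match.start()):
        return "comment"        # no effect on functionality
    if urlsplit(match.group()).hostname not in APP_HOSTS:
        return "external"       # link to another site
    if path.endswith(CONFIG_EXT):
        return "config"         # changed per deployment
    return "hard-coded"         # in code or markup: check before forcing https

def scan(files):
    """files: {path: text}. Returns (category, path, line_no, url) tuples."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for m in URL_RE.finditer(line):
                findings.append((classify(path, line, m), path, no, m.group()))
    return findings

# Constructed sample inputs (hypothetical files, not Mifos source).
SAMPLE = {
    "conf/app.properties": "# see http://localhost:8080/docs\n"
                           "base.url=http://localhost:8080/mifos\n",
    "src/ServiceStub.java": "// generated\n"
                            'String addr = "http://localhost:8080/mifos/services";\n',
    "web/menu.jsp": '<a href="http://example.org/help">Help</a>\n'
                    "<!-- old: http://localhost:8080/mifos/x -->\n",
}

if __name__ == "__main__":
    for cat, path, no, url in scan(SAMPLE):
        print(f"{cat:10} {path}:{no} {url}")
```

Only the `hard-coded` findings need a closer look; the https-only proxy test Tom describes then confirms whether any of them reach the browser.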