Re: [Dynapi-Help] secure http - SOLUTION

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Just a quick note...
Mixing secure and unsecure items in a page has the unfortunate
side-effect of hte little yellow Lock symbol not showing up in the
bottom-right
corner of the browser (which is what people look for) as well as that
annoying
warning from the browser..

Not saying you should never mix these items, just a point to consider when
designing your app..

Maybe a good question to ask the client.. I know I will NVER enter personall
information unless the little yellow lock is there...

Oh an Leif.. when did you start feeling obsolete? :-)
For me it was when I couldn't convince my co-worksers that COBOL has no
native
array type... hehe

system.out.println("doug")

----- Original Message ----- 
From: "Leif W" <war...@us...>
To: <dyn...@li...>
Sent: Wednesday, May 05, 2004 1:11 PM
Subject: Re: [Dynapi-Help] secure http - SOLUTION

> Cool,
>
> That's what I was thinking (well I was thinking the old document.href,
> but that's pre-DOM I think, so I may showing my obsolete knowledge).
> ;-)
>
> I'd like to test this for robustness before committing.  Let's take a
> while to think through the combinations where this may or may not work,
> i.e. http page pulling https data from the same or a different server,
> for instance if page images and static content don't need to be
> encrypted, just the dynamic content fetched by the remote script?  It
> doesn't work for different protocol types, unless you manually modify
> those lines and add your protocol, using a switch statement or
> something.  It should just use whatever protocol the file was requested
> with if there's a complete URI, or else fallback to the protocol of the
> page it being called from.  Also to take into account are the port
> numbers.  Another non-standard configuration of my server is to use
> alternative port numbers to differentiate unique secure hosts with a
> single IP by using a unique IP:port pair.
>
> I figure while we're looking at it and fixing a bug for one condition,
> why not take on the larger problem revealed, and formulate a generalized
> improvement for as many cases as we can.  90% of the work is figuring
> out what's going on.  Why address it later when I've forgotten
> everything.  ;-)  Of course, I keep getting sidetracked with things...
> If you have the momentum, go ahead and fix it, otherwise I'll get to it
> as soon as I can, and you can keep using your patch and drop in a
> replacement later if you want.  :-)
>
> Leif
>
> ----- Original Message ----- 
> From: "Jeremy Wanamaker" <je...@ma...>
> To: <dyn...@li...>
> Sent: Wednesday, May 05, 2004 12:14 PM
> Subject: Re: [Dynapi-Help] secure http - SOLUTION
>
>
> > Here's my solution for anyone who may be interested. It works with
> both
> > secure and non-secure servers. In ioelement.js and the function
> _doRequest
> > it should read as follows starting on line 225
> >
> >             if (url.indexOf('http')!=0) {
> >                 var urlP = (this.doc.URL.indexOf('https') == 0) ?
> 'https://'
> > : 'http://';
> >                 if (url.substr(0,1)=='/') url =
> > urlP+dynapi.frame.document.domain+url;
> >                 else url = dynapi.documentPath+url;
> >             }
> >
> > Jeremy
> >
> > ----- Original Message ----- 
> > From: "Jeremy Wanamaker" <je...@ma...>
> > To: <dyn...@li...>
> > Sent: Wednesday, May 05, 2004 12:00 PM
> > Subject: Re: [Dynapi-Help] secure http
> >
> >
> > > Right. So if you call ioelement.post(handler, data, function) with
> handler
> > > set to a relative URL, this line expands it out to the full URI.
> What I'm
> > > thinking is that you could use the DOM to get something like
> this.doc.URL
> > > (not sure if this is the best place to check) and check if the
> prefix is
> > > http or https and then prepend the result to the url vaiable in
> > _doRequest.
> > >
> > > I'm gonna try that here on my local copy. It may be worth putting in
> the
> > > CVS, although I don't think it's been updated since Nov.
> > >
> > > Jeremy
> > >
> > > ----- Original Message ----- 
> > > From: "Leif W" <war...@us...>
> > > To: <dyn...@li...>
> > > Sent: Wednesday, May 05, 2004 11:04 AM
> > > Subject: Re: [Dynapi-Help] secure http
> > >
> > >
> > > > To get the protocol name you'll need to look at the full URI
> > > > (http://site/path/file.html) and not just the URL
> (/path/file.html).  At
> > > > that point in the script, it is making decisions without enough
> > > > information, based only on the URL.  So, it's got to be pulled
> from
> > > > elsewhere.  As I said before, I never really modified the
> ioelement.js
> > > > (except some other minor thing), so I haven't got a good sense of
> what
> > > > goes on in there, yet.
> > > >
> > > > Leif
> > > >
> > > > ----- Original Message ----- 
> > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > To: <dyn...@li...>
> > > > Sent: Wednesday, May 05, 2004 10:52 AM
> > > > Subject: Re: [Dynapi-Help] secure http
> > > >
> > > >
> > > > > Ok, I tried changing that http to https in ioelement.js and it
> worked.
> > > > > Sorry, I should have tried it before I wrote that last email.
> > > > >
> > > > > What I'm wondering now is if there is a way to differentiate
> between
> > > > > secure/non-secure connections so that the appropriate prefix
> > > > (http/https)
> > > > > could be attached at
> > > > >
> > > > > if (url.substr(0,1)=='/') url =
> > > > 'http://'+dynapi.frame.document.domain+url;
> > > > >
> > > > > and you wouldn't have to run separate copies of dynapi for
> secure and
> > > > > non-secure servers.
> > > > >
> > > > >
> > > > > ----- Original Message ----- 
> > > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > > To: <dyn...@li...>
> > > > > Sent: Wednesday, May 05, 2004 10:26 AM
> > > > > Subject: Re: [Dynapi-Help] secure http
> > > > >
> > > > >
> > > > > > Leif,
> > > > > >
> > > > > > What you have described is exactly what I am trying to do.
> > > > > >
> > > > > > > script over HTTPS to get data from a MySQL server.  I've
> used
> > > > ioelement
> > > > > > > to talk to both Perl and PHP scripts, over HTTPS.  But in my
> case,
> > > > all
> > > > > > > these servers are running on the same mahine and I have
> total
> > > > control
> > > > > >
> > > > > > Because Mozilla crashes, I'm having a difficult time debugging
> the
> > > > error.
> > > > > > IE's script debugger says it's crashing in
> _monitorTransactions in
> > > > > > ioelement.js. at the following if statement:
> > > > > >
> > > > > >        elm=this.getScope(r[4]);
> > > > > >        if(elm && elm.document && !elm.document._tranState){
> > > > > >
> > > > > > So I'm assuming the getScope function on the previous line is
> > > > returning a
> > > > > > null value. I'm not sure why this would be, and maybe I'm way
> off
> > > > base.
> > > > > The
> > > > > > only other thing I'm wondering about is if the following lines
> are
> > > > causing
> > > > > a
> > > > > > problem in _doRequest
> > > > > >
> > > > > >             if (url.indexOf('http')!=0) {
> > > > > >                 if (url.substr(0,1)=='/') url =
> > > > > > 'http://'+dynapi.frame.document.domain+url;
> > > > > >                 else url = dynapi.documentPath+url;
> > > > > >             }
> > > > > >
> > > > > > Did you have to change these lines to set the url variable to
> start
> > > > with
> > > > > > https rather than http?
> > > > > >
> > > > > > Thanks for your help.
> > > > > >
> > > > > > Jeremy
> > > > > >
> > > > > >
> > > > > >
> > > > > > ----- Original Message ----- 
> > > > > > From: "Leif W" <war...@us...>
> > > > > > To: <dyn...@li...>
> > > > > > Sent: Monday, May 03, 2004 11:22 AM
> > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > >
> > > > > >
> > > > > > > Hmm, not sure about that one.  But the first part makes
> sense: you
> > > > don't
> > > > > > > want to start loading insecure data over a secure
> connection,
> > > > because
> > > > > > > then the data that is loaded is not going to be transmitted
> > > > securely,
> > > > > > > giving the false impression to the user that the entire
> session is
> > > > > > > secure.  The second part, about the browser going into a
> loop and
> > > > giving
> > > > > > > an application error, seems like a bug a Doug suggested, but
> I
> > > > have no
> > > > > > > idea.
> > > > > > >
> > > > > > > How are you calling this PHP script?  Is there any reason
> you
> > > > can't use
> > > > > > > a secure URL to the PHP script in the JS code?
> > > > > > > https://domain.dom/sql.php  Then, you are just talking HTTP
> over a
> > > > > > > secure connection, and the browser won't know or care what
> the PHP
> > > > > > > script does insecurely while talking to the database (which
> could
> > > > be
> > > > > > > another point of concern from the security view).  I use a
> plain
> > > > PHP
> > > > > > > script over HTTPS to get data from a MySQL server.  I've
> used
> > > > ioelement
> > > > > > > to talk to both Perl and PHP scripts, over HTTPS.  But in my
> case,
> > > > all
> > > > > > > these servers are running on the same mahine and I have
> total
> > > > control
> > > > > > > over it, so I know it's configured to work the way I expect.
> I
> > > > haven't
> > > > > > > tried having the initial web page on one HTTPS server, and
> calling
> > > > the
> > > > > > > PHP from a separate HTTP/HTTPS server, which may be what
> you're
> > > > doing.
> > > > > > >
> > > > > > > If you have control over the database machine, and it's a
> UNIX
> > > > box, you
> > > > > > > can install a program that enables SSL connections to
> arbitrary
> > > > server
> > > > > > > programs, with no modification to the server.  Two such
> programs I
> > > > am
> > > > > > > aware of (both use OpenSSL) are stunnel and sslwrap.  I'm
> using
> > > > stunnel
> > > > > > > for SWAT (Samba Web Administration Tool), which doesn't use
> > > > Apache, it
> > > > > > > has it's own web server functionality, but specifically for
> the
> > > > task at
> > > > > > > hand.
> > > > > > >
> > > > > > > Leif
> > > > > > >
> > > > > > > ----- Original Message ----- 
> > > > > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > > > > To: <dyn...@li...>
> > > > > > > Sent: Monday, May 03, 2004 9:47 AM
> > > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > > >
> > > > > > >
> > > > > > > > Sorry, I should have been more specific in my original
> email. I
> > > > am
> > > > > > > using
> > > > > > > > Dynapi 3 with ioelement.js to get data from a database via
> php
> > > > > > > scripts. It
> > > > > > > > works fine when it's running over http (port 80). When I
> switch
> > > > to
> > > > > > > https
> > > > > > > > (port 443), Mozilla gives me the following warning:
> > > > > > > >
> > > > > > > > Although this page is encrypted, the information you have
> > > > entered is
> > > > > > > to be
> > > > > > > > sent over an unencrypted connection and could easily be
> read by
> > > > a
> > > > > > > third
> > > > > > > > party.
> > > > > > > >
> > > > > > > > It asks me if wish to continue.... I click yes and then
> mozilla
> > > > goes
> > > > > > > into a
> > > > > > > > loop and gets an application error. Any idea on how I can
> fix
> > > > this. I
> > > > > > > really
> > > > > > > > need to be able to use secure http for my application.
> > > > > > > >
> > > > > > > > Jeremy
> > > > > > > >
> > > > > > > > ----- Original Message ----- 
> > > > > > > > From: "Leif W" <war...@us...>
> > > > > > > > To: <dyn...@li...>
> > > > > > > > Sent: Friday, April 30, 2004 10:08 PM
> > > > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > > > >
> > > > > > > >
> > > > > > > > > Work in what way?  It should work fine in a general
> sense.
> > > > The
> > > > > > > browser
> > > > > > > > > handles the connection to the server.  The server does
> not
> > > > care what
> > > > > > > the
> > > > > > > > > file contents are, they are just static javascript
> files.  The
> > > > > > > browser
> > > > > > > > > handles running the JavaScript, the server has no part
> in this
> > > > > > > process.
> > > > > > > > > I have a local copy of CVS with some of my tinkerings in
> it,
> > > > so it's
> > > > > > > a
> > > > > > > > > "dirty" copy of the CVS, but it's 99.99% untouched.  You
> can
> > > > see it
> > > > > > > at
> > > > > > > > > http://dynapi.kicks-ass.net/ , and you'll see, it
> > > > automatically
> > > > > > > > > redirects to the secure site.  I did most of my work
> with
> > > > IOElement
> > > > > > > and
> > > > > > > > > SODA here.
> > > > > > > > >
> > > > > > > > > :D  Ohh yeah, the site is down right now, as I'm
> modifying
> > > > some
> > > > > > > Apache
> > > > > > > > > config settings, to get more details in my log files,
> and I
> > > > kind of
> > > > > > > shut
> > > > > > > > > the site off and started modifying some live files so I
> can't
> > > > turn
> > > > > > > it
> > > > > > > > > back up until the configs are finished.  Should be
> tonight or
> > > > > > > tomorrow,
> > > > > > > > > once I am able to finish.
> > > > > > > > >
> > > > > > > > > In any case, what are you trying now and what isn't
> working?
> > > > > > > > >
> > > > > > > > > Leif
> > > > > > > > >
> > > > > > > > > ----- Original Message ----- 
> > > > > > > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > > > > > > To: <dyn...@li...>
> > > > > > > > > Sent: Friday, April 30, 2004 3:35 PM
> > > > > > > > > Subject: [Dynapi-Help] secure http
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Is anyone aware of a way to get DynAPI 3 working with
> a
> > > > secure
> > > > > > > http
> > > > > > > > > server?
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > >
> > > > > > > > > > Jeremy
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -------------------------------------------------------
> > > > > > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > > > > > Get certified on the hottest thing ever to hit the
> market...
> > > > Oracle
> > > > > > > 10g.
> > > > > > > > > Take an Oracle 10g class now, and we'll give you the
> exam
> > > > FREE.
> > > > > > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > > > > > _______________________________________________
> > > > > > > > > Dynapi-Help mailing list
> > > > > > > > > Dyn...@li...
> > > > > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > -------------------------------------------------------
> > > > > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > > > > Get certified on the hottest thing ever to hit the
> market...
> > > > Oracle
> > > > > > > 10g.
> > > > > > > > Take an Oracle 10g class now, and we'll give you the exam
> FREE.
> > > > > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > > > > _______________________________________________
> > > > > > > > Dynapi-Help mailing list
> > > > > > > > Dyn...@li...
> > > > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -------------------------------------------------------
> > > > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > > > Get certified on the hottest thing ever to hit the market...
> > > > Oracle 10g.
> > > > >
> > > > > > > Take an Oracle 10g class now, and we'll give you the exam
> FREE.
> > > > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > > > _______________________________________________
> > > > > > > Dynapi-Help mailing list
> > > > > > > Dyn...@li...
> > > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > -------------------------------------------------------
> > > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > > Get certified on the hottest thing ever to hit the market...
> Oracle
> > > > 10g.
> > > > > > Take an Oracle 10g class now, and we'll give you the exam
> FREE.
> > > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > > _______________________________________________
> > > > > > Dynapi-Help mailing list
> > > > > > Dyn...@li...
> > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > -------------------------------------------------------
> > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > Get certified on the hottest thing ever to hit the market...
> Oracle
> > > > 10g.
> > > > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > _______________________________________________
> > > > > Dynapi-Help mailing list
> > > > > Dyn...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > This SF.Net email is sponsored by: Oracle 10g
> > > > Get certified on the hottest thing ever to hit the market...
> Oracle 10g.
> > > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > _______________________________________________
> > > > Dynapi-Help mailing list
> > > > Dyn...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by Sleepycat Software
> > > Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> > > deliver higher performing products faster, at low TCO.
> > > http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> > > _______________________________________________
> > > Dynapi-Help mailing list
> > > Dyn...@li...
> > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by Sleepycat Software
> > Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> > deliver higher performing products faster, at low TCO.
> > http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> > _______________________________________________
> > Dynapi-Help mailing list
> > Dyn...@li...
> > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> >
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> _______________________________________________
> Dynapi-Help mailing list
> Dyn...@li...
> https://lists.sourceforge.net/lists/listinfo/dynapi-help
>

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.677 / Virus Database: 439 - Release Date: 5/4/2004