From: Leif W <war...@us...> - 2004-05-05 21:59:04
----- Original Message -----
From: "Doug Melvin" <do...@cr...>
To: <dyn...@li...>
Sent: Wednesday, May 05, 2004 2:18 PM
Subject: Re: [Dynapi-Help] secure http - SOLUTION

> Maybe a good question to ask the client.. I know I will NEVER enter personal information unless the little yellow lock is there...

Yeah, good points, and same here. But I was just thinking in terms of the robustness of the lib, but maybe I think I open up a can of whoopass on a bug but it's just a can of worms. ;-) Still, it'd be nice to handle any protocol. But looking at the code, it seems like it should work.

> Oh and Leif.. when did you start feeling obsolete? :-)

I think sometime after my 25th birthday (couple years ago). ;-)

> For me it was when I couldn't convince my co-workers that COBOL has no native array type...

hehe I don't even know COBOL, they didn't teach it at the school where I first learned a little coding (C/asm/Scheme/Prolog). Hehe, sorry to put another nail in your coffin. But the same school doesn't even teach C as the beginning course, they use Java. D'oh! Ugh, too much dogma, I liked a language that's flexible and purposely breakable. Makes coding more fun and debugging more interesting!

> system.out.println("doug")

echo <<<WHERE
Am I?
WHERE;

> ----- Original Message -----
> From: "Leif W" <war...@us...>
> To: <dyn...@li...>
> Sent: Wednesday, May 05, 2004 1:11 PM
> Subject: Re: [Dynapi-Help] secure http - SOLUTION
>
> > Cool,
> >
> > That's what I was thinking (well I was thinking the old document.href, but that's pre-DOM I think, so I may be showing my obsolete knowledge). ;-)
> >
> > I'd like to test this for robustness before committing. Let's take a while to think through the combinations where this may or may not work, i.e. http page pulling https data from the same or a different server, for instance if page images and static content don't need to be encrypted, just the dynamic content fetched by the remote script? It doesn't work for different protocol types, unless you manually modify those lines and add your protocol, using a switch statement or something. It should just use whatever protocol the file was requested with if there's a complete URI, or else fall back to the protocol of the page it is being called from. Also to take into account are the port numbers. Another non-standard configuration of my server is to use alternative port numbers to differentiate unique secure hosts with a single IP by using a unique IP:port pair.
> >
> > I figure while we're looking at it and fixing a bug for one condition, why not take on the larger problem revealed, and formulate a generalized improvement for as many cases as we can. 90% of the work is figuring out what's going on. Why address it later when I've forgotten everything. ;-) Of course, I keep getting sidetracked with things... If you have the momentum, go ahead and fix it, otherwise I'll get to it as soon as I can, and you can keep using your patch and drop in a replacement later if you want. :-)
> >
> > Leif
> >
> > ----- Original Message -----
> > From: "Jeremy Wanamaker" <je...@ma...>
> > To: <dyn...@li...>
> > Sent: Wednesday, May 05, 2004 12:14 PM
> > Subject: Re: [Dynapi-Help] secure http - SOLUTION
> >
> > > Here's my solution for anyone who may be interested. It works with both secure and non-secure servers. In ioelement.js and the function _doRequest it should read as follows starting on line 225
> > >
> > > if (url.indexOf('http')!=0) {
> > >     var urlP = (this.doc.URL.indexOf('https') == 0) ? 'https://' : 'http://';
> > >     if (url.substr(0,1)=='/') url = urlP+dynapi.frame.document.domain+url;
> > >     else url = dynapi.documentPath+url;
> > > }
> > >
> > > Jeremy
> > >
> > > ----- Original Message -----
> > > From: "Jeremy Wanamaker" <je...@ma...>
> > > To: <dyn...@li...>
> > > Sent: Wednesday, May 05, 2004 12:00 PM
> > > Subject: Re: [Dynapi-Help] secure http
> > >
> > > > Right. So if you call ioelement.post(handler, data, function) with handler set to a relative URL, this line expands it out to the full URI. What I'm thinking is that you could use the DOM to get something like this.doc.URL (not sure if this is the best place to check) and check if the prefix is http or https and then prepend the result to the url variable in _doRequest.
> > > >
> > > > I'm gonna try that here on my local copy. It may be worth putting in the CVS, although I don't think it's been updated since Nov.
> > > >
> > > > Jeremy
> > > >
> > > > ----- Original Message -----
> > > > From: "Leif W" <war...@us...>
> > > > To: <dyn...@li...>
> > > > Sent: Wednesday, May 05, 2004 11:04 AM
> > > > Subject: Re: [Dynapi-Help] secure http
> > > >
> > > > > To get the protocol name you'll need to look at the full URI (http://site/path/file.html) and not just the URL (/path/file.html). At that point in the script, it is making decisions without enough information, based only on the URL. So, it's got to be pulled from elsewhere. As I said before, I never really modified the ioelement.js (except some other minor thing), so I haven't got a good sense of what goes on in there, yet.
> > > > >
> > > > > Leif
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > > To: <dyn...@li...>
> > > > > Sent: Wednesday, May 05, 2004 10:52 AM
> > > > > Subject: Re: [Dynapi-Help] secure http
> > > > >
> > > > > > Ok, I tried changing that http to https in ioelement.js and it worked. Sorry, I should have tried it before I wrote that last email.
> > > > > >
> > > > > > What I'm wondering now is if there is a way to differentiate between secure/non-secure connections so that the appropriate prefix (http/https) could be attached at
> > > > > >
> > > > > > if (url.substr(0,1)=='/') url = 'http://'+dynapi.frame.document.domain+url;
> > > > > >
> > > > > > and you wouldn't have to run separate copies of dynapi for secure and non-secure servers.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > > > To: <dyn...@li...>
> > > > > > Sent: Wednesday, May 05, 2004 10:26 AM
> > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > >
> > > > > > > Leif,
> > > > > > >
> > > > > > > What you have described is exactly what I am trying to do.
> > > > > > >
> > > > > > > > script over HTTPS to get data from a MySQL server. I've used ioelement to talk to both Perl and PHP scripts, over HTTPS. But in my case, all these servers are running on the same machine and I have total control
> > > > > > >
> > > > > > > Because Mozilla crashes, I'm having a difficult time debugging the error. IE's script debugger says it's crashing in _monitorTransactions in ioelement.js at the following if statement:
> > > > > > >
> > > > > > > elm=this.getScope(r[4]);
> > > > > > > if(elm && elm.document && !elm.document._tranState){
> > > > > > >
> > > > > > > So I'm assuming the getScope function on the previous line is returning a null value. I'm not sure why this would be, and maybe I'm way off base. The only other thing I'm wondering about is if the following lines are causing a problem in _doRequest
> > > > > > >
> > > > > > > if (url.indexOf('http')!=0) {
> > > > > > >     if (url.substr(0,1)=='/') url = 'http://'+dynapi.frame.document.domain+url;
> > > > > > >     else url = dynapi.documentPath+url;
> > > > > > > }
> > > > > > >
> > > > > > > Did you have to change these lines to set the url variable to start with https rather than http?
> > > > > > >
> > > > > > > Thanks for your help.
> > > > > > >
> > > > > > > Jeremy
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Leif W" <war...@us...>
> > > > > > > To: <dyn...@li...>
> > > > > > > Sent: Monday, May 03, 2004 11:22 AM
> > > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > > >
> > > > > > > > Hmm, not sure about that one. But the first part makes sense: you don't want to start loading insecure data over a secure connection, because then the data that is loaded is not going to be transmitted securely, giving the false impression to the user that the entire session is secure. The second part, about the browser going into a loop and giving an application error, seems like a bug as Doug suggested, but I have no idea.
> > > > > > > >
> > > > > > > > How are you calling this PHP script? Is there any reason you can't use a secure URL to the PHP script in the JS code? https://domain.dom/sql.php Then, you are just talking HTTP over a secure connection, and the browser won't know or care what the PHP script does insecurely while talking to the database (which could be another point of concern from the security view). I use a plain PHP script over HTTPS to get data from a MySQL server. I've used ioelement to talk to both Perl and PHP scripts, over HTTPS. But in my case, all these servers are running on the same machine and I have total control over it, so I know it's configured to work the way I expect. I haven't tried having the initial web page on one HTTPS server, and calling the PHP from a separate HTTP/HTTPS server, which may be what you're doing.
> > > > > > > >
> > > > > > > > If you have control over the database machine, and it's a UNIX box, you can install a program that enables SSL connections to arbitrary server programs, with no modification to the server. Two such programs I am aware of (both use OpenSSL) are stunnel and sslwrap. I'm using stunnel for SWAT (Samba Web Administration Tool), which doesn't use Apache, it has its own web server functionality, but specifically for the task at hand.
> > > > > > > >
> > > > > > > > Leif
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > > > > > To: <dyn...@li...>
> > > > > > > > Sent: Monday, May 03, 2004 9:47 AM
> > > > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > > > >
> > > > > > > > > Sorry, I should have been more specific in my original email. I am using Dynapi 3 with ioelement.js to get data from a database via php scripts. It works fine when it's running over http (port 80). When I switch to https (port 443), Mozilla gives me the following warning:
> > > > > > > > >
> > > > > > > > > Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
> > > > > > > > >
> > > > > > > > > It asks me if I wish to continue.... I click yes and then mozilla goes into a loop and gets an application error. Any idea on how I can fix this? I really need to be able to use secure http for my application.
> > > > > > > > >
> > > > > > > > > Jeremy
> > > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Leif W" <war...@us...>
> > > > > > > > > To: <dyn...@li...>
> > > > > > > > > Sent: Friday, April 30, 2004 10:08 PM
> > > > > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > > > > >
> > > > > > > > > > Work in what way? It should work fine in a general sense. The browser handles the connection to the server. The server does not care what the file contents are, they are just static javascript files. The browser handles running the JavaScript, the server has no part in this process. I have a local copy of CVS with some of my tinkerings in it, so it's a "dirty" copy of the CVS, but it's 99.99% untouched. You can see it at http://dynapi.kicks-ass.net/ , and you'll see, it automatically redirects to the secure site. I did most of my work with IOElement and SODA here.
> > > > > > > > > >
> > > > > > > > > > :D Ohh yeah, the site is down right now, as I'm modifying some Apache config settings, to get more details in my log files, and I kind of shut the site off and started modifying some live files so I can't turn it back up until the configs are finished. Should be tonight or tomorrow, once I am able to finish.
> > > > > > > > > >
> > > > > > > > > > In any case, what are you trying now and what isn't working?
> > > > > > > > > >
> > > > > > > > > > Leif
> > > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > > > > > > > To: <dyn...@li...>
> > > > > > > > > > Sent: Friday, April 30, 2004 3:35 PM
> > > > > > > > > > Subject: [Dynapi-Help] secure http
> > > > > > > > > >
> > > > > > > > > > > Is anyone aware of a way to get DynAPI 3 working with a secure http server?
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Jeremy
> > > > > > > > > >
> > > > > > > > > > -------------------------------------------------------
> > > > > > > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > > > > > > Get certified on the hottest thing ever to hit the market... Oracle 10g.
> > > > > > > > > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > > > > > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Dynapi-Help mailing list
> > > > > > > > > > Dyn...@li...
> > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
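
The generalization discussed in this thread (keep a complete URI as given, otherwise inherit scheme, host and port from the calling page) is sketched below as an added JavaScript example; it is not part of the original messages or of DynAPI. The function names and the example.test hosts are assumptions made up for illustration, and the code relies on the standard URL class.

```javascript
// Added example, not DynAPI code; all function names are hypothetical.
// Resolve the URL passed to an IOElement-style request against the URL of the
// page making the call, so scheme, host and port are inherited, not hardcoded.
function resolveRequestUrl(url, pageUrl) {
  // new URL(relative, base) performs standard reference resolution:
  //   "http://other/x"  -> kept as given (complete URI)
  //   "//host/x"        -> inherits only the scheme of the page
  //   "/sql.php"        -> inherits scheme, host and port
  //   "sql.php"         -> also inherits the directory of the page
  return new URL(url, pageUrl).href;
}

// The behaviour of the line the thread started from: always "http://" plus the
// bare domain. Only the leading-slash branch is reproduced, for comparison.
function hardcodedHttp(url, pageUrl) {
  const page = new URL(pageUrl);
  return url.startsWith('/') ? 'http://' + page.hostname + url : url;
}

// True when a page loaded over https would send the request over plain http,
// which is the condition behind the Mozilla warning quoted in the thread.
function isDowngrade(pageUrl, requestUrl) {
  return new URL(pageUrl).protocol === 'https:' &&
         new URL(requestUrl).protocol === 'http:';
}

// Constructed sample page: a secure host told apart by a non-default port.
const PAGE = 'https://app.example.test:8443/dynapi/examples/io.html';

// Resolve a set of constructed request URLs and flag any https -> http drop.
function demo() {
  const cases = [
    '/sql.php',
    'sql.php',
    '../data/q.php?id=1',
    '//static.example.test/img.png',
    'http://other.example.test/sql.php',
  ];
  return cases.map((input) => {
    const resolved = resolveRequestUrl(input, PAGE);
    return { input, resolved, downgrade: isDowngrade(PAGE, resolved) };
  });
}

console.log(demo());
const legacy = hardcodedHttp('/sql.php', PAGE);
console.log(legacy, 'downgrade:', isDowngrade(PAGE, legacy));
```

A prefix chosen only between `http://` and `https://` and joined to `document.domain` still drops a non-default port, which is the case the port remark in the thread is about.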