An update: I've succeeded in doing this:
- load a page off a custom domain
- send a vosao authentication request to the appspot domain via https
- get the cookie from that request and use it for subsequent requests
to the https domain
The client code is at
http://www.sirtrackdata.com/ssltestpage
I should write a blog post but anyway here are the main points.
Server: I've used the Cors filter
(http://software.dzhuvinov.com/cors-filter.html) to enable requests
from the http domain into the https appspot domain. With a twist: I
still wanted to process requests to the http domain from browsers that
don't support Cors yet. So my filter maps secure requests to the
subdomain /secure/ and I secure that with https:
    <filter>
        <filter-name>CORS</filter-name>
        <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    </filter>
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    public RewrittenRequestWrapper(HttpServletRequest request) {
        super(request);
        newURI = request.getRequestURI().split("/secure")[1];
        newServletPath = request.getServletPath().split("/secure")[1];
    }
Those are all the changes required on the server; on the client it's
more complicated.
First Vosao has to open an RPC connection to the https domain:
    // True when the browser has a CORS-capable request object.
    Vosao.browserSupportsCors = function(){
        if ("withCredentials" in new XMLHttpRequest())
            return true;
        else if (typeof XDomainRequest == "object") // XDomainRequest (IE)
            return true;
        else
            return false;
    };
    // Use the https /secure endpoint only when CORS is available.
    Vosao.serverUrl = function(){
        var url = '/json-rpc/';
        if (Vosao.browserSupportsCors()) {
            url = "https://...appspot.com/secure" + url;
        }
        return url;
    };
    Vosao.createJSONRpc = function(){
        ...
            Vosao.jsonrpcInitialized = true;
        }, Vosao.serverUrl());
There's also a change required in the jabsorb library:
    JSONRpcClient.httpObjectName = "XMLHttpRequest";
    var xhr = new XMLHttpRequest();
    if ("withCredentials" in xhr) {
        xhr.withCredentials = true;
    }
Unfortunately this flag makes it crash on Firefox and I haven't tried to
set it for the ActiveX object that is created instead for IE.
Anyway, I've got this far and learned a few things.
Currently if you use Vosao to log into the https domain you're still
not logged into the http domain so page requests will not have the
vosao-session cookie.
I'm going to investigate whether I can set that cookie manually and
therefore authenticate only once over https.
Feel free to contact me if you want to help to develop this further
(here or on twitter @ZiglioNZ).
On May 31, 1:57 pm, Emanuele Ziglioli <theb...@emanueleziglioli.it> wrote:
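
Added example, not part of the original post and not Vosao or CORS Filter code: a sketch of the header decision that credentialed cross-origin requests (xhr.withCredentials = true) depend on, with the server's exact-origin allowlist beside the check a CORS-capable browser applies. The function names and the allowlist are assumptions; the one allowed origin is the custom domain of the test page linked in the post.

```javascript
// Added example: function names are hypothetical; the allowlist is an assumption.
// The one allowed origin is the custom http domain named in the post.
const ALLOWED_ORIGINS = new Set(["http://www.sirtrackdata.com"]);

// Server side: CORS headers the https /secure/ endpoint returns for a request's Origin.
function corsHeadersFor(origin, isPreflight) {
  const headers = { "Vary": "Origin" }; // caches must not reuse one origin's answer for another
  if (!ALLOWED_ORIGINS.has(origin)) return headers; // exact match only: no grant otherwise
  headers["Access-Control-Allow-Origin"] = origin; // echo the origin, never "*"
  headers["Access-Control-Allow-Credentials"] = "true"; // needed for the session cookie
  if (isPreflight) { // OPTIONS request sent before a non-simple POST (e.g. a JSON body)
    headers["Access-Control-Allow-Methods"] = "POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
  }
  return headers;
}

// Browser side: the check applied to a response when xhr.withCredentials is true.
function browserExposesResponse(pageOrigin, headers) {
  const allowed = headers["Access-Control-Allow-Origin"];
  if (allowed === "*") return false; // wildcard is refused for credentialed requests
  return allowed === pageOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample origins, not taken from any log.
const SAMPLE_ORIGINS = [
  "http://www.sirtrackdata.com",          // the page from the post
  "http://www.sirtrackdata.com.example",  // lookalike that a prefix match would accept
  "https://www.sirtrackdata.com",         // different scheme is a different origin
  "null",                                 // opaque origin (sandboxed frame, local file)
];

// Returns one boolean per sample: would the browser expose the response?
function runSamples() {
  return SAMPLE_ORIGINS.map((origin) =>
    browserExposesResponse(origin, corsHeadersFor(origin, false)));
}

console.log(runSamples());
```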