Anybody using https combined with custom domain


Emanuele Ziglioli

May 24, 2012, 9:44:21 PM
to Vosao CMS Development
Does anyone have experience using https on appspot.com for
authentication and sensitive data, combined with a custom domain for
the frontend?
They mention it here: https://developers.google.com/appengine/docs/java/config/webxml#Secure_URLs

I wonder whether anyone has succeeded in doing so with Vosao

lucio piccoli

May 24, 2012, 9:50:33 PM
to vosao-cms-...@googlegroups.com
i used the https on the appspot domain rather than my domain.
clunky but it works.

-lp
--
regards

-Lucio Piccoli

Director
------------------------------

Emanuele Ziglioli

May 24, 2012, 10:14:37 PM
to Vosao CMS Development
yeah, on *.appspot.com it should work. I registered ages ago to be a
trusted server for https on custom domains and never got a reply.
I guess it'd be complicated to send an authentication request to the
appspot.com domain from a custom domain, due to the same origin
policy.


On May 25, 1:50 pm, lucio piccoli <lu...@asteriski.com> wrote:
> i used the https on the appspot domain rather than my domain.
> clunky but it works.
>
> -lp
>
> On 25 May 2012 11:44, Emanuele Ziglioli <theb...@emanueleziglioli.it> wrote:
>
> > Does anyone have experience using https on appspot.com for
> > authentication and sensitive data, combined with a custom domain for
> > the frontend?
> > They mention it here:
> >https://developers.google.com/appengine/docs/java/config/webxml#Secur...

Emanuele Ziglioli

May 29, 2012, 1:48:06 AM
to Vosao CMS Development
Hi everyone,

I'm making good progress using Cors, see example:
http://www.sirtrackdata.com/ssltestpage

I'm just learning while doing, here: http://www.html5rocks.com/en/tutorials/cors/
will keep you posted


Emanuele Ziglioli

May 30, 2012, 9:57:22 PM
to Vosao CMS Development
I've found this "Cors" filter, let's see if it works with Vosao's
authentication over JSON-RPC:
http://software.dzhuvinov.com/cors-filter.html

The tricky bit I suspect is whether cookies will work on IE and other
browsers.

Just to clarify what I'm trying to do: I want to be able to use an https://
connection to an *.appspot.com domain from a website loaded using http://
with a custom domain.
It won't be a completely secure solution but at least it would be some
improvement on the current authentication mechanism.

Emanuele


Emanuele Ziglioli

Jun 5, 2012, 1:33:42 AM
to Vosao CMS Development
An update, I've succeeded in doing this:
- load a page off a custom domain
- send a vosao authentication request to the appspot domain via https
- get the cookie from that request and use it for subsequent requests
to the https domain

The client code is at http://www.sirtrackdata.com/ssltestpage

I should write a blog post but anyway here are the main points.
Server: I've used the Cors filter
(http://software.dzhuvinov.com/cors-filter.html) to enable requests
from http domain into the https appspot domain. With a twist: I still
wanted to process requests to the http domain from browsers that don't
support Cors yet. So my filter maps secure requests to the subdomain
/secure/ and I secure that with https:

<filter>
  <filter-name>CORS</filter-name>
  <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>

<security-constraint>
  <web-resource-collection>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

// Strip the "/secure" prefix so the request is handled as the original path
public RewrittenRequestWrapper(HttpServletRequest request) {
    super(request);
    newURI = request.getRequestURI().split("/secure")[1];
    newServletPath = request.getServletPath().split("/secure")[1];
}

Those are all the changes required on the server, on the client it's
more complicated.

First Vosao has to open an RPC connection to the https domain:
Vosao.browserSupportsCors = function(){
    if ("withCredentials" in new XMLHttpRequest())
        return true;
    else
        if (typeof XDomainRequest == "object")
            return true;
        else
            return false;
};

Vosao.serverUrl = function(){
    var url = '/json-rpc/';
    if (Vosao.browserSupportsCors()) {
        url = "https://...appspot.com/secure" + url;
    }
    return url;
};

Vosao.createJSONRpc = function(){
    ...
        Vosao.jsonrpcInitialized = true;
    }, Vosao.serverUrl());


There's also a change required in the jabsorb library:

JSONRpcClient.httpObjectName = "XMLHttpRequest";
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {
    xhr.withCredentials = true;
}

Unfortunately this flag makes it crash on Firefox and I haven't tried to
set it for the ActiveX object that is created instead for IE.

Anyway, I've got this far and learned a few things.
Currently if you use Vosao to log into the https domain you're still
not logged into the http domain so page requests will not have the
vosao-session cookie.
I'm going to investigate whether I can set that cookie manually and
therefore authenticate only once over https.

Feel free to contact me if you want to help to develop this further
(here or on twitter @ZiglioNZ).
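
Added example, not part of the original post or of Vosao: a model of the credentialed CORS exchange described above, showing the headers the https host has to return when `withCredentials` is set, the check the browser applies, and why an XDomainRequest-only browser cannot carry the session cookie. The origin, the host name and all function names are constructed placeholders.

```javascript
// Constructed placeholders; substitute the real custom domain and appspot host.
const ALLOWED_ORIGINS = new Set(["http://www.example-custom-domain.test"]);
const SECURE_BASE = "https://example-app.appspot.com";

// Server side: headers a CORS filter should emit for a credentialed request.
function corsResponseHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) {
    return {}; // unknown origin: no CORS headers, so the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stop caches reusing the header for another origin
  };
}

// Browser side: the rule applied before a response is exposed to a script
// that sent the request with withCredentials = true.
function browserExposesResponse(pageOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return false; // wildcard is rejected when credentials are sent
  if (acao !== pageOrigin) return false;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Client side: choose the JSON-RPC endpoint. XDomainRequest (IE8/9) never sends
// cookies, so it cannot carry the session cookie; such browsers stay on the
// same-origin URL instead of the https host.
function pickServerUrl(globals, secureBase = SECURE_BASE) {
  const path = "/json-rpc/";
  const hasXhr = typeof globals.XMLHttpRequest === "function";
  if (hasXhr && "withCredentials" in new globals.XMLHttpRequest()) {
    return { url: secureBase + "/secure" + path, withCredentials: true };
  }
  return { url: path, withCredentials: false };
}
```

The session cookie issued by the https host should also carry the `Secure` and `HttpOnly` attributes so it is never sent over plain http or read by page script.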
