Anybody using https combined with custom domain

Showing 1-6 of 6 messages
Anybody using https combined with custom domain Emanuele Ziglioli 5/24/12 6:44 PM
Does anyone have experience using https on appspot.com for
authentication and senstive data, combined with a custom domain for
the frontend?
They mention it here: https://developers.google.com/appengine/docs/java/config/webxml#Secure_URLs

I wonder whether anyone has succeeded in doing so with Vosao
Re: Anybody using https combined with custom domain lucio piccoli 5/24/12 6:50 PM
i used the https on the appspot domain rather than my domain.
clunky but it works.

-lp--
regards

-Lucio Piccoli

Director
------------------------------

Re: Anybody using https combined with custom domain Emanuele Ziglioli 5/24/12 7:14 PM
yeah, on *.appspot.com it should work. I registered ages ago to be a
trusted server for https on custom domains and never got a reply.
I guess it'd be complicated to send an authentication request to the
appspot.com domain from a custom domain, due to the same origin
policy.


On May 25, 1:50 pm, lucio piccoli <lu...@asteriski.com> wrote:
> i used the https on the appspot domain rather than my domain.
> clunky but it works.
>
> -lp
>
> On 25 May 2012 11:44, Emanuele Ziglioli <theb...@emanueleziglioli.it> wrote:
>
> > Does anyone have experience using https on appspot.com for
> > authentication and senstive data, combined with a custom domain for
> > the frontend?
> > They mention it here:
> >https://developers.google.com/appengine/docs/java/config/webxml#Secur...
Re: Anybody using https combined with custom domain Emanuele Ziglioli 5/28/12 10:48 PM
Hi everyone,

I'm making good progress using Cors, see example:
http://www.sirtrackdata.com/ssltestpage

I'm just learning while doing, here: http://www.html5rocks.com/en/tutorials/cors/
will keep you posted

On May 25, 2:14 pm, Emanuele Ziglioli <theb...@emanueleziglioli.it>
wrote:
Re: Anybody using https combined with custom domain Emanuele Ziglioli 5/30/12 6:57 PM
I've found this "Cors" filter, let's see if it works with Vosao's
authentication over JSON-RPC:
http://software.dzhuvinov.com/cors-filter.html

The tricky bit I suspect is whether cookies will work on IE and other
browsers.

Just to clarify what I'm trying to do: I want to be able to use an https://
connection to an *.appspot.com domain from a website loaded using http://
with a custom domain.
It won't be a completely secure solution but at least it would be some
improvement on the current authentication mechanism.

Emanuele

On May 29, 5:48 pm, Emanuele Ziglioli <theb...@emanueleziglioli.it>
wrote:
Re: Anybody using https combined with custom domain Emanuele Ziglioli 6/4/12 10:33 PM
An update, I've succeeded in doing this:
- load a page off a custom domain
- send a vosao authentication request to the appspot domain via https
- get the cookie from that request and use it for subsequent requests
to the https domain

The client code is at http://www.sirtrackdata.com/ssltestpage

I should write a blog post but anyway here are the main points.
Sever: I've used the Cors filter (http://software.dzhuvinov.com/cors-
filter.html
) to enable requests from http domain into the https
appspot domain. With a twist: I still wanted to process requests to
the http domain from browsers that don't support Cors yet. So my
filter maps secure requests to the subdomain /secure/ and I secure
that with https:

  <filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-
class>
  </filter>

  <security-constraint>
      <web-resource-collection>
            <url-pattern>/secure/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
  </security-constraint>

      public RewrittenRequestWrapper(HttpServletRequest request) {
          super(request);
          newURI = request.getRequestURI().split("/secure")[1];
          newServletPath = request.getServletPath().split("/secure")
[1];
      }

Those are all the changes required on the server, on the client it's
more complicated.

First Vosao has to open an RPC connection to the https domain:
        Vosao.browserSupportsCors = function(){
            if ("withCredentials" in new XMLHttpRequest())
                return true;
            else
                if (typeof XDomainRequest == "object")
                    return true;
                else
                    return false;
        };

        Vosao.serverUrl = function(){
            var url = '/json-rpc/';
            if (Vosao.browserSupportsCors()) {
                url = "https://...appspot.com/secure" + url;
            }
            return url;
        }

        Vosao.createJSONRpc = function(){
...
                Vosao.jsonrpcInitialized = true;
            }, Vosao.serverUrl());


There's also a change required in the jabsorb library:

JSONRpcClient.httpObjectName = "XMLHttpRequest";
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {
  xhr.withCredentials = true;
}

Unfortunately this flag makes it crash on Firefox and haven't tried to
set it for the ActiveX object that is created instead for IE.

Anyway, I've got this far and learned a few things.
Currently if you use Vosao to log into the https domain you're still
not logged into the http domain so page requests will not have the
vosao-session cookie.
I'm going to investigate whether I can set that cookie manually and
therefore authenticate only once over https.

Feel free to contact me if you want to help to develop this further
(here or on twitter @ZiglioNZ).

On May 31, 1:57 pm, Emanuele Ziglioli <theb...@emanueleziglioli.it>
wrote: