Secured "pages"


ereze

Dec 11, 2007, 7:42:11 AM
to Google Web Toolkit
Hi,

Working with Struts on a web site we had the option to integrate a
package sslext that enabled us to specify if a page required https or
not.

Does GWT support such an equivalent that will enable us to secure some
of the requests like login, purchasing "pages" ?

- Erez

Reinier Zwitserloot

Dec 11, 2007, 8:03:58 AM
to Google Web Toolkit
SSL isn't a grab bag, that's not how it works. Either the entire site
is SSL, or none of it is, or you get mixed mode warnings which are,
from a usability standpoint, a death sentence.

GWT just generates some js and html files. If you serve those from
https, it still works. It's not part of the problem that GWT tries to
solve. It 'just works' with SSL.

ereze

Dec 11, 2007, 9:04:56 AM
to Google Web Toolkit
Yes, but what happens if you just want to pop up a secured window for
entering secured creditcard information while the entire application
is not running on SSL ?

Robert Hanson

Dec 11, 2007, 10:43:45 AM
to Google-We...@googlegroups.com
Well, the worst case is that the user won't see the pop-up because it
will be blocked. For the best case they will get a nag message from
the browser saying that the pop-up requires a secure connection.
Either way it has some usability issues.

It is just a pop-up though (as in new browser window, not as in popup
widget). You can do that if you want.

Rob
http://roberthanson.name

Reinier Zwitserloot

Dec 11, 2007, 12:22:11 PM
to Google Web Toolkit
What Robert said. What you cannot do is make a secured AJAX call from
a non-secure website (e.g. call https://yourserver.com/creditCardAPI
in an AJAX/GWT-RPC call from a page served up from http://yourserver.com/)
- even if it would work (and in IE, it might), the user does not see,
notice, or in any way or form get feedback on the fact that it's
https. HTTPS is a dual security mechanism, and it's utterly pointless
unless BOTH are present:

1) It secures communication between client and server, and
2) It tells the client the verified name OF the server. If the user
doesn't check this (or worse, can't), there's no point. https in
iframes is similarly stupid.

For example, let's say you submit some creditcard info on https://www.paypel.com/.
It can be totally https, that's not paypal, that's a scammer, and
he'll steal your money.

If you want to use https only for parts, then redirect the ENTIRE site
(using a JSNI call into window.location.href =) into a new page,
probably one that doesn't even use GWT, not much point for a standard
form submit. If you replace the entire docroot, you will get full
https WITH a lock icon and the URL in the browser window, and you do
not get any dual mode warnings (redirecting the entire page to https
is one of the few things that doesn't give you that warning).

Either way, GWT can't do anything about it by itself.

On Dec 11, 4:43 pm, "Robert Hanson" <iamroberthan...@gmail.com> wrote:
> Well, the worst case is that the user won't see the pop-up because it
> will be blocked. For the best case they will get a nag message from
> the browser saying that the pop-up requires a secure connection.
> Either way it has some usability issues.
>
> It is just a pop-up though (as in new browser window, not as in popup
> widget). You can do that if you want.
>
> Rob
> http://roberthanson.name
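
Added example, not code from any poster in this thread or from GWT: one way to apply the advice above, moving the whole top-level page to https before a login or card form is shown instead of calling an https endpoint by AJAX from an http page, and refusing when the page is framed. The function names, the `/checkout` path, and the assumption that the HTTPS site answers on the same host at the default port are hypothetical.

```javascript
// Added example: hypothetical helpers, not part of GWT.
// Assumption: the HTTPS site is on the same host, default port 443.

// Build the https:// URL for `path` on the same host as the current page.
function httpsUrlFor(pageHref, path) {
  const target = new URL(path, pageHref); // resolve against the current page
  target.protocol = 'https:';
  target.port = '';                       // drop an http-only port such as 8080
  return target.href;
}

// Decide what a page may do before it collects login or card data.
//   pageHref   - the page's own URL (window.location.href in a browser)
//   isTopLevel - window.top === window.self in a browser
function planSensitiveStep(pageHref, path, isTopLevel) {
  if (!isTopLevel) {
    // Framed: the user cannot see this document's URL or lock icon.
    return { action: 'refuse', reason: 'framed' };
  }
  if (new URL(pageHref).protocol !== 'https:') {
    // Do not call the https endpoint by AJAX from here; move the whole page.
    return { action: 'navigate', url: httpsUrlFor(pageHref, path) };
  }
  // Already a top-level https page: a plain form submit is fine.
  return { action: 'submit', url: new URL(path, pageHref).href };
}

// Browser wiring: pass `window` as `win`. A full-page navigation replaces
// the document, so the address bar shows the https URL of the new page.
function enterSecureStep(win, path) {
  const plan = planSensitiveStep(win.location.href, path,
                                 win.top === win.self);
  if (plan.action === 'navigate') {
    win.location.href = plan.url;
  }
  return plan;
}
```

From GWT the same call would be made through a JSNI method that invokes `enterSecureStep($wnd, '/checkout')`.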