Re: secure binding
- Subject: Re: secure binding
- From: Chuck Hill <email@hidden>
- Date: Tue, 4 May 2010 12:00:04 -0700
On May 4, 2010, at 9:53 AM, Cheong Hee Ng wrote:
> I mentioned the approaches because I once discussed this with a close
> contact who runs serious applications, e.g. internet banking, and who
> advised that the switching should be avoided. It may induce some
> problems due to secured http switching, or someone could make a mistake
> and thus expose confidentiality risks, if I recall correctly. Maybe it
> is just too pessimistic.
You need to check the headers on each page that should be SSL
protected to ensure that access was from an https URL. If not,
redirect to the https version or show an error message. Otherwise,
yes, the user could access the secure parts in an unencrypted manner.
Chuck
> Anyway, I appreciate your explanation about the binding. Just
> curious how much Apache configuration is affected, e.g. is a redirect
> good enough?
> Cheers
> Cheong Hee
On Tue, May 4, 2010 at 6:14 PM, David Griffith <email@hidden> wrote:
Hi Cheong,
Yes that's what it does. Regarding which is the better practice, I
don't think it makes a huge difference but it might depend a bit on
what you are doing. For example, I am using one app but parts of
that app (like where the client logs in and gives account details
etc.) use SSL security. So when the client clicks any link to go
to that page, it has the binding secure=true and when they click it
the URL that they are directed to is automatically changed to
https://. If they click a link to go back to the home page etc. it
usually has secure=false and returns to standard http://.
Regards,
David.
On May 4, 2010, at 11:48 AM, Cheong Hee wrote:
Is the component binding secure=true supposed to switch the url from
http -> https, and then by clicking on the component with binding
secure=false it will switch it back from https -> http?
If so, what will be the better practice: one secure app and one
non-secure app, or one app to switch secure/non-secure?
Sorry for interruption and don't mean to hijack..
Cheers
Cheong Hee
----- Original Message -----
From: "David Griffith" <email@hidden>
To: "WebObjects-Dev Mailing List List" <webobjects-email@hidden>
Sent: Tuesday, May 04, 2010 5:12 PM
Subject: Re: secure binding
Hi Chuck,
Yes, am using 5.4.3 and Wonder. It does look like an Apache issue,
I was wondering if it could be that. I'll ask the server guys to
have a look and see if they can change it.
Thanks all for your comments,
Regards,
David.
On May 4, 2010, at 3:20 AM, Chuck Hill wrote:
On May 3, 2010, at 2:26 PM, David Griffith wrote:
> Hi all,
>
> When you click certain buttons on my website, I want a secure URL
> returned. I have set the secure=true binding and the page does get
> returned using the https:// url instead of http:// but I have a
> question. It's not so much of a problem as an inconsistency.
I recall that being a bug in earlier 5.4 versions, is it not fixed
in 5.4.3? Are you using Wonder? I think that was fixed somewhere.
> If you go to the website http://www.mydomain.com and click around
> the non-secure area, it will show the URL always as http://www.mydomain.com.
> As soon as it goes to a secure URL, it displays as https://mydomain.com
> (without the www in front).
>
> Does anyone know where this is generated from?
I'd guess from the virtual host in Apache. Possibly with an
incorrect DNS record somewhere.
> It is clearly setting the value from somewhere. Perhaps it has
> something to do with my adaptor URL? In the JavaMonitor page it
> says to specify the full URL to the adaptor but I have always just
> used /app/WebObjects as I use the same adaptor for various apps
> running on different domains. Would it be related to that?
I'd doubt it.
> I would just like it to come back with https://www.mydomain.com
> instead as once it changes to the URL with the www, it stays that way.
>
> Any insight would be appreciated :)
Check the Apache config, then check the headers coming into your
application.
Chuck
--
Chuck Hill Senior Consultant / VP Development
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems.
http://www.global-village.net/products/practical_webobjects
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Chuck Hill Senior Consultant / VP Development
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems.
http://www.global-village.net/products/practical_webobjects
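The per-page check described at the top of this message (verify from the request headers that a protected page was reached over https, otherwise redirect or show an error), sketched as an added example that is not code from the thread, WebObjects or Wonder. The header names `https` and `server_port`, the protected path prefixes and the canonical host value are assumptions; substitute whatever your Apache and adaptor configuration actually forwards.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;

public class HttpsGuard {
    enum Action { ALLOW, REDIRECT, ERROR }
    record Decision(Action action, String location) {}

    // Assumed configuration, not taken from the thread.
    static final String CANONICAL_HOST = "www.mydomain.com";
    static final List<String> SECURE_PREFIXES = List.of("/login", "/account");

    /** True only when the front-end web server reported a TLS connection (assumed header names). */
    static boolean arrivedOverHttps(Map<String, String> headers) {
        return "on".equalsIgnoreCase(headers.get("https"))
            || "443".equals(headers.get("server_port"));
    }

    static Decision check(String method, String pathAndQuery, Map<String, String> headers) {
        // Only origin-form targets ("/path?query") are accepted, so the redirect
        // below can never be steered to another host.
        if (!pathAndQuery.startsWith("/")) {
            return new Decision(Action.ERROR, null);
        }
        String path = URI.create(pathAndQuery).getPath();
        boolean protectedPage = SECURE_PREFIXES.stream().anyMatch(path::startsWith);
        if (!protectedPage || arrivedOverHttps(headers)) {
            return new Decision(Action.ALLOW, null);
        }
        // A form body sent over http has already crossed the network unencrypted;
        // show an error rather than silently redirecting it.
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            return new Decision(Action.ERROR, null);
        }
        // Host comes from configuration, not from the request's Host header, which
        // also keeps the www prefix consistent between http and https URLs.
        return new Decision(Action.REDIRECT, "https://" + CANONICAL_HOST + pathAndQuery);
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        Map<String, String> plain = Map.of("host", "mydomain.com", "server_port", "80");
        Map<String, String> tls = Map.of("host", "www.mydomain.com", "https", "on");
        System.out.println(check("GET", "/login?next=%2Faccount", plain));
        System.out.println(check("POST", "/account/details", plain));
        System.out.println(check("GET", "/account/details", tls));
        System.out.println(check("GET", "/home", plain));
    }
}
```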