TL;DR: How to configure JmolApplet to fetch the required molecule file (.jmol or .jmz) via the UA (browser) instead of directly connecting to the given URL? This is required because the server is configured to only serve the file if a valid session is available, and the session is identified by a secure HttpOnly cookie known only by the UA and the server. The connection is done via SSL.

Long version: I'm building a web service that (among other things) allows users to save and distribute molecules as .jmol (or .jmz) files. The intent is to automatically show such molecules embedded within web page content if requested by the author of the page. However, the page content and molecule are not public and as such, the whole service will be protected by an SSL connection and a session cookie.

Steps to reproduce the problem:

(1) Place Jmol 13.0.1 files on the server. Configure the server to serve these files publicly.
(2) Place "molecule.jmol" on the server and configure the server to share the file only with selected authenticated users.
(3) A user comes by, logs in to the server and gets an HttpOnly secure cookie "session-id" whose content is a UUID v4 identifying the session. The session will time out automatically unless another request is made within 30 minutes.
(4) The user loads a web page (only served to selected authenticated users) that includes JmolApplet with a script that says 'load FILES "/path/to/molecule.jmol"'.

Expected result: The JmolApplet should proceed to request the file "/path/to/molecule.jmol" through the UA (User Agent, a.k.a. web browser), and the UA should pass the "session-id" cookie over the SSL connection to the server and receive the required molecule file. The received file would then be available to JmolApplet and it would be rendered successfully.

Actual result: The JmolApplet sends an HTTP GET request directly to the server (UA string is "Java/1.6.0_33") and obviously cannot send the correct "session-id" cookie because it's only available to the UA (the HttpOnly flag prevents the cookie from being visible to JavaScript and the secure flag prevents the cookie from leaking to a non-encrypted connection). As a result, the server will deny the request. (Technically the service will hibernate the request and provide an HTTP 303 redirect to the login screen that contains the id of the hibernated request, which would be returned to after a successful login is completed. JmolApplet obviously cannot complete the login without the user's credentials.)

Is it possible to configure JmolApplet to fetch the required files through the UA (web browser) instead of directly trying to connect to the server? I can use the non-signed applet version for the features I need.

-- Mikko
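
The session check described in the message above, modelled as an added example (not code from the post or from Jmol): a request carrying the UA's "session-id" cookie is served, a cookie-less request such as the one from "Java/1.6.0_33" gets the 303, and so does a session idle for more than 30 minutes. The class name, the `/login?resume=` URL layout and the browser User-Agent string are assumptions.

```python
import uuid
from http.cookies import SimpleCookie

SESSION_TIMEOUT = 30 * 60  # seconds: the 30-minute idle timeout from the post


class SessionGate:
    """Constructed model of the server-side check; not the poster's service."""

    def __init__(self):
        self.sessions = {}    # session-id -> time of last request
        self.hibernated = {}  # request id -> path to resume after login

    def login(self, now):
        sid = str(uuid.uuid4())
        self.sessions[sid] = now
        # HttpOnly hides the cookie from scripts, Secure keeps it off plain HTTP.
        return sid, f"session-id={sid}; Path=/; Secure; HttpOnly"

    def handle(self, path, headers, now):
        jar = SimpleCookie(headers.get("Cookie", ""))
        sid = jar["session-id"].value if "session-id" in jar else None
        last = self.sessions.get(sid)
        if last is not None and now - last <= SESSION_TIMEOUT:
            self.sessions[sid] = now  # each request restarts the 30 minutes
            return 200, {}
        self.sessions.pop(sid, None)  # drop an expired session, if any
        rid = str(uuid.uuid4())
        self.hibernated[rid] = path   # park the request until login completes
        # "/login?resume=" is a hypothetical URL layout for the login screen.
        return 303, {"Location": f"/login?resume={rid}"}


def demo():
    gate = SessionGate()
    sid, _set_cookie = gate.login(now=0)
    path = "/path/to/molecule.jmol"
    # Constructed request headers: the browser sends the cookie, the applet cannot.
    browser = {"User-Agent": "Mozilla/5.0", "Cookie": f"session-id={sid}"}
    applet = {"User-Agent": "Java/1.6.0_33"}  # own connection, no UA cookie jar
    return {
        "browser": gate.handle(path, browser, now=60),
        "applet": gate.handle(path, applet, now=120),
        "browser_idle": gate.handle(path, browser, now=60 + SESSION_TIMEOUT + 1),
    }
```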