Hi Tobias,

On 21.05.2007 at 08:43, Tobias Koller (GERMO GmbH) wrote:

> I’m trying to use a Tomcat and the qooxdoo-Java-RPC-Backend.
>
> I created the qooxdoo.war file and put it into the webinf-Dir.
>
> And the sample-RPC_1-Demo works fine.
>
> But when I try to make an async-call to the qooxdoo.test-Service
> (http://localhost:8080/qooxdoo/.qxrpc)
> from my application (http://localhost:8080/mytest) then I get a
> message like: ”alert(“access denied: please check the headers”) or
> something like this.
>
> When I put my application into the http://localhost:8080/qooxdoo-folder
> then it works.
>
> The Tomcat installation is c:/… and my “mytest”-App is on “H:/…”.
> Could this be a problem?

No, the problem is the security checks on the server. By default, the backend checks whether calls to it come from the same web application containing the HTML page (in your case http://localhost:8080/qooxdoo). This check is performed for security reasons (to prevent cross site attacks from a foreign application and/or domain). You can relax this check in the web.xml of the application that is being called (in your case the "qooxdoo" application, not the "mytest" application):

    <servlet>
        <servlet-name>rpc</servlet-name>
        <servlet-class>net.sf.qooxdoo.rpc.RpcServlet</servlet-class>
        <init-param>
            <param-name>referrerCheck</param-name>
            <param-value>public</param-value>
        </init-param>
    </servlet>

There are several possible values for "referrerCheck". "public" means that all calls are accepted from anywhere. Take a look at the class comment of the RpcServlet class for more details (http://qooxdoo.svn.sourceforge.net/viewvc/qooxdoo/trunk/qooxdoo/backend/java/rpc/net/sf/qooxdoo/rpc/RpcServlet.java?revision=5893&view=markup).

Be warned that you should only relax the check during development! Deploying a production application like this means that other pages opened in the same browser could steal the current session and interact with your server. For more details, google for Cross Site Request Forgery.

> What could be the problem?
>
> I tried to set crossDomain(true) and async…

You only need to set crossDomain(true) if you are truly calling methods from a page loaded in a different domain. In your case, both applications are on localhost, so you shouldn't need cross domain calls. However, things are different when you load the client page via a file:// URL. Then you have to set crossDomain(true) and use async calls only.

> I created my http://localhost:8080/mytest by using a new “<context …
> crossContext=’true’” element in Tomcat's server.xml-file.

Regarding the qooxdoo RPC, the server.xml entries are meaningless.

Regards,

Andreas
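The same-application check described in the reply above, sketched as an added example (not part of the original mail and not the RpcServlet source). The class and method names are hypothetical and the Referer values are constructed; the call is accepted only when the Referer points into the called application's own context path on the same scheme, host and port.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SameAppReferrerCheck {

    // Accept only if the Referer names a page inside the called web application:
    // same scheme, host and port, and a path at or below the context path.
    static boolean isSameApplication(String referer, String scheme, String host,
                                     int port, String contextPath) {
        if (referer == null || referer.isEmpty()) {
            return false; // missing header: nothing to compare against
        }
        URI ref;
        try {
            ref = new URI(referer);
        } catch (URISyntaxException e) {
            return false; // unparsable header is treated as foreign
        }
        if (ref.getHost() == null || !scheme.equalsIgnoreCase(ref.getScheme())
                || !host.equalsIgnoreCase(ref.getHost())) {
            return false;
        }
        int refPort = ref.getPort() != -1 ? ref.getPort()
                : ("https".equalsIgnoreCase(ref.getScheme()) ? 443 : 80);
        if (refPort != port) {
            return false;
        }
        String path = ref.normalize().getPath(); // collapses "/qooxdoo/../mytest"
        // Require a path boundary so "/qooxdoo-other" does not match "/qooxdoo".
        return path.equals(contextPath) || path.startsWith(contextPath + "/");
    }

    public static void main(String[] args) {
        String[] referers = { // constructed sample values
            "http://localhost:8080/qooxdoo/index.html",
            "http://localhost:8080/mytest/index.html",
            "http://localhost:8080/qooxdoo-other/index.html",
            "http://localhost:8080/qooxdoo/../mytest/index.html",
            "http://example.org/qooxdoo/index.html",
            null
        };
        for (String r : referers) {
            System.out.println(
                isSameApplication(r, "http", "localhost", 8080, "/qooxdoo") + "  " + r);
        }
    }
}
```

Only the first sample is accepted. The second is the situation from the question: a page served from /mytest calling the backend deployed under /qooxdoo.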
