[Acegisecurity-developer] How do I avoid the IE redirect warning dialog?

2004-06-21 Thread Joseph Schmoley



Hi,
 
First let me say that I'm thoroughly impressed with the work 
you guys have done in designing and coding the Acegi Security Framework.  
Thank you (from all of us) for all that hard work.  I've implemented a 
web app using it but have a question regarding the ChannelProcessingFilter and 
how it redirects back to HTTP.
 
As I'm sure you're already aware, if IE is already in a HTTPS 
page, when it receives a response.sendRedirect() to a non-secure resource, by 
default it gives that dialog box "You are about to be redirected to a non-secure 
page".  Of course this can be turned off via a setting in the user's 
browser, but we're not going to go and ask thousands of users using IE to change 
this setting.  Most of them can't anyways due to IT control.
 
I've seen workarounds to this where instead of a 
sendRedirect(http://abc.com/non-secureURL), the 
server sends back a https redirect and in that page there's a small piece of 
javascript that does a refresh of the browser to the non-secure 
URL.
 
As it is right now your ChannelProcessingFilter is just doing 
a simple sendRedirect().  Have you guys ran across this issue?  
or should I implement my own filter which extends yours and just changes this 
behavior to write a tiny little page with the javascript I mentioned to do the 
redirecting?
 
Much appreciated.
 
Joseph
 


Re: [Acegisecurity-developer] How do I avoid the IE redirect warning dialog?

2004-06-21 Thread Ben Alex
Joseph Schmoley wrote:
> First let me say that I'm thoroughly impressed with the work you guys 
> have done in designing and coding the Acegi Security Framework.  Thank 
> you (from all of us) for all that hard work.  I've implemented a web 
> app using it but have a question regarding the ChannelProcessingFilter 
> and how it redirects back to HTTP.
>
> As I'm sure you're already aware, if IE is already in a HTTPS page, 
> when it receives a response.sendRedirect() to a non-secure resource, 
> by default it gives that dialog box "You are about to be redirected to 
> a non-secure page".  Of course this can be turned off via a setting in 
> the user's browser, but we're not going to go and ask thousands of 
> users using IE to change this setting.  Most of them can't anyways due 
> to IT control.
>
> I've seen workarounds to this where instead of a 
> sendRedirect(http://abc.com/non-secureURL), the server sends back a 
> https redirect and in that page there's a small piece of 
> javascript that does a refresh of the browser to the non-secure URL.
>
> As it is right now your ChannelProcessingFilter is just doing a 
> simple sendRedirect().  Have you guys ran across this issue?  or 
> should I implement my own filter which extends yours and just changes 
> this behavior to write a tiny little page with the javascript I 
> mentioned to do the redirecting?

Hi Joseph
I haven't run across this issue, but what you say is correct.
The handlers for changing the channel being used are completely 
pluggable. See for example the Contacts sample application. A fragment 
of its XML follows:

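   <bean id="channelDecisionManager" class="net.sf.acegisecurity.securechannel.ChannelDecisionManagerImpl">
      <property name="channelProcessors">
         <list>
            <ref bean="secureChannelProcessor"/>
            <ref bean="insecureChannelProcessor"/>
         </list>
      </property>
   </bean>

   <bean id="secureChannelProcessor" class="net.sf.acegisecurity.securechannel.SecureChannelProcessor"/>
   <bean id="insecureChannelProcessor" class="net.sf.acegisecurity.securechannel.InsecureChannelProcessor"/>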

So you can simply write a replacement insecureChannelProcessor to 
achieve your goal. Then wire it up in your application context.

HTH
Ben

---
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] How do I avoid the IE redirect warning dialog?

2004-06-23 Thread Joseph Schmoley



Ben,
 
I took a look at InsecureChannelProcessor and there's no 
response.sendRedirect() happening in there.  It's delegating those types of 
calls to the entryPoint.commence() methods.  So I guess it's the 
RetryWithHttpEntryPoint that I need to extend and provide my own commence() 
implementation, right?
 
I just want to be sure I'm getting this right.  When a 
URI has been determined to be non-secure by the ChannelSecurity component is it 
delegating the task of determining whether or not to redirect to the 
ChannelProcessors?
 
Thanks again,
 
Joseph
 
 


Re: [Acegisecurity-developer] How do I avoid the IE redirect warning dialog?

2004-06-23 Thread Ben Alex
Joseph Schmoley wrote:
> I took a look at InsecureChannelProcessor and there's no 
> response.sendRedirect() happening in there.  It's delegating those 
> types of calls to the entryPoint.commence() methods.  So I guess it's 
> the RetryWithHttpEntryPoint that I need to extend and provide my own 
> commence() implementation, right?
>
> I just want to be sure I'm getting this right.  When a URI has been 
> determined to be non-secure by the ChannelSecurity component is it 
> delegating the task of determining whether or not to redirect to the 
> ChannelProcessors?

Hi Joseph
If you're trying to ensure HTTP requests are redirected to a HTTPS 
destination, this is performed by the SecureChannelProcessor. 
SecureChannelProcessor is a ChannelProcessor implementation. The other 
ChannelProcessor implementation, InsecureChannelProcessor, ensures HTTPS 
requests are redirected to a HTTP destination. The list of 
ChannelProcessors is called by the ChannelDecisionManagerImpl.

SecureChannelProcessor, if it detects HTTPS is not in use, will by 
default call RetryWithHttpsEntryPoint. So you need to write a 
JavaScriptRetryWithHttpsEntryPoint, and then 
SecureChannelProcessor.setEntryPoint(JavaScriptRetryWithHttpsEntryPoint) 
in your application context.

Best regards
Ben



Re: [Acegisecurity-developer] How do I avoid the IE redirect warning dialog?

2004-06-25 Thread Joseph Schmoley



Ok Ben, I understand now.  Except for one minor 
point...  It's exactly the other way around from what you suggest.  
The problem isn't from HTTP to HTTPS, it's from HTTPS to HTTP.  So I'd have 
to write a JavaScriptRetryWithHttpEntryPoint.java and wire it in.  I'll go 
ahead and do that.
 
Do you want me to submit it to you guys for inclusion into 
CVS?  There has to be many others who've run into this issue as 
well.
 
Joseph
 


Re: [Acegisecurity-developer] How do I avoid the IE redirect warning dialog?

2004-06-25 Thread Ben Alex
Joseph Schmoley wrote:
> Ok Ben, I understand now.  Except for one minor point...  It's exactly 
> the other way around from what you suggest.  The problem isn't from 
> HTTP to HTTPS, it's from HTTPS to HTTP.  So I'd have to write a 
> JavaScriptRetryWithHttpEntryPoint.java and wire it in.  I'll go ahead 
> and do that.
>
> Do you want me to submit it to you guys for inclusion into CVS?  There 
> has to be many others who've run into this issue as well.

Hi Joseph
That would be excellent.
Thanks
Ben
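
Added example, not code from this thread or from the Acegi project: the page that an HTTPS-to-HTTP entry point like the one discussed above could write from commence() in place of calling sendRedirect(). The class and method names, the host and the sample request values are hypothetical. The request URI and query string are client-supplied and end up inside a script block, so they are escaped for that context, and the host is taken from configuration rather than from the Host header.

```java
/** Added example: builds the HTTPS-served page that moves the browser to an http:// URL. */
public class HttpRetryPage {

    /** Target URL; the host comes from server configuration, not from the Host header. */
    static String httpUrl(String configuredHost, int httpPort, String requestUri, String rawQuery) {
        StringBuilder url = new StringBuilder("http://").append(configuredHost);
        if (httpPort != 80) {
            url.append(':').append(httpPort);
        }
        url.append(requestUri);
        if (rawQuery != null) {
            url.append('?').append(rawQuery);
        }
        return url.toString();
    }

    /** Quote for a JavaScript string literal inside a script element; unusual chars become hex escapes. */
    static String jsString(String s) {
        StringBuilder out = new StringBuilder("\"");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean plain = (c < 128 && Character.isLetterOrDigit(c)) || "/:.-_".indexOf(c) >= 0;
            out.append(plain ? String.valueOf(c) : String.format("\\u%04x", (int) c));
        }
        return out.append('"').toString();
    }

    /** Escape for an HTML attribute value (the no-script fallback link). */
    static String htmlAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    /** Body to send with status 200 over the existing HTTPS connection. */
    static String page(String url) {
        return "<html><head><script type=\"text/javascript\">window.location.replace("
                + jsString(url) + ");</script></head><body><noscript><a href=\""
                + htmlAttr(url) + "\">Continue</a></noscript></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample request with a hostile query string.
        String url = httpUrl("www.example.com", 8080, "/contacts/list.jsp", "q=\"</script>&n=1");
        System.out.println(page(url));
    }
}
```

With the constructed query string above, the quote and angle brackets reach the browser only as hex escapes inside the string literal, so the script element cannot be closed early.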
