Authentication and NSURLConnection sendSynchronousRequest
I'm writing a simple demo application showing how to use some Exchange Web Services (EWS) features in Cocoa. I am a total Cocoa n00b but have most of the app and UI working, thanks to a lot of google-fu and my now-worn copy of Hillegas' 3rd ed.

I'm having trouble authenticating to the actual EWS server, though. For simplicity's sake, I want to use sendSynchronousRequest. The docs say that it has 'minimal support' for authentication. I'm letting the user provide their credentials, then storing them in an NSURLCredential. I then add the NSURLCredential to the shared credential storage and define an NSURLProtectionSpace with the FQDN of the EWS server.

When I actually call sendSynchronousRequest, I get an error if the EWS server is using a self-signed certificate (as most probably will be). I did some digging and it looks like one way to fix this is to override allowsAnyHTTPSCertificateForHost so that it allows any certificate. I know this is a bad idea from a security standpoint, but I'm OK with it in demo code, suitably flagged.

However, I'm doing something wrong when I override. If I just stick this code

    @implementation NSURLRequest(NSHTTPURLRequest)
    + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
    {
        return YES;
    }
    @end

at the end of one of my .m files, the code builds, though I get warnings that some other methods aren't implemented. The program then gives me an NSURLDomainError -1203, the description for which doesn't tell me anything useful.

So, the actual questions:

1. Is there a safer or better-supported way for me to get a look at the returned certificate besides overriding allowsAnyHTTPSCertificateForHost?
2. What am I doing wrong in my override attempt?
3. What does -1203 really *mean*?

Cheers,
-Paul

___
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com
This email sent to [EMAIL PROTECTED]

Re: Authentication and NSURLConnection sendSynchronousRequest
On 12 Jun '08, at 8:35 AM, Paul E. Robichaux wrote:

> @implementation NSURLRequest(NSHTTPURLRequest)
> + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
> {
>     return YES;
> }
> @end
>
> At the end of one of my .m files, the code builds, though I get warnings that some other methods aren't implemented. The program then gives me an NSURLDomainError -1203

I'm suspicious of that technique, since category methods really aren't allowed to override existing methods; I think the effects are undefined. It's the kind of thing that I could imagine breaking under the rewritten Obj-C runtime in 10.5.

> 1. Is there a safer or better-supported way for me to get a look at the returned certificate besides overriding allowsAnyHTTPSCertificateForHost?

Well, this message from Marcel Borsten
http://www.cocoabuilder.com/archive/message/cocoa/2008/3/4/200382
mentions another method:

    + (void)setAllowsAnyHTTPSCertificate:(BOOL)fp8 forHost:(id)fp12;

So it looks as though you could just call

    [NSURLConnection setAllowsAnyHTTPSCertificate: YES forHost: myHost];

You would just have to paste the @interface block (but NOT the @implementation) from that email into your code, so the compiler recognizes the existence of that method.

A better solution is to insert the cert into the keychain and mark it as trusted; but that isn't easy. If the user can get a .cer file of the server's cert, s/he can double-click it to add it to the keychain, then locate it in Keychain Access and mark it as trusted. Programmatically, it involves some twisty little APIs; I'd recommend using the higher-level wrappers in the open-source Keychain.framework (it's on sourceforge.)

> 3. What does -1203 really *mean*?

From NSURLError.h:

    NSURLErrorServerCertificateHasUnknownRoot = -1203,

—Jens

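Added example, not part of the original thread or any poster's code: rather than accepting any certificate, a delegate can trust exactly one self-signed server certificate that ships with the app. It assumes NSURLSession and Security.framework calls that postdate this 2008 discussion; the class name `EWSPinnedTrustDelegate` is hypothetical, and the caller is assumed to supply the server's certificate as DER data.

```objective-c
// Added example; EWSPinnedTrustDelegate is a hypothetical name. Build with ARC.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface EWSPinnedTrustDelegate : NSObject <NSURLSessionDelegate>
- (instancetype)initWithHost:(NSString *)host certificateData:(NSData *)derData;
@end

@implementation EWSPinnedTrustDelegate {
    NSString *_host;
    SecCertificateRef _anchor;   // the one certificate we are willing to trust
}

- (instancetype)initWithHost:(NSString *)host certificateData:(NSData *)derData {
    if ((self = [super init])) {
        _host = [host copy];
        // Returns NULL when the data is not a DER-encoded X.509 certificate.
        _anchor = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)derData);
        if (_anchor == NULL) return nil;
    }
    return self;
}

- (void)dealloc { if (_anchor) CFRelease(_anchor); }

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Only TLS trust decisions for our own host are handled here.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] ||
        ![space.host isEqualToString:_host]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    // Accept only chains that end at the bundled certificate, not the system roots.
    OSStatus status = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[(__bridge id)_anchor]);
    if (status == errSecSuccess) status = SecTrustSetAnchorCertificatesOnly(trust, true);
    CFErrorRef error = NULL;
    if (status == errSecSuccess && SecTrustEvaluateWithError(trust, &error)) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        NSLog(@"Rejecting %@: %@", space.host, (__bridge NSError *)error);
        if (error) CFRelease(error);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```

Pass an instance as the delegate to `+[NSURLSession sessionWithConfiguration:delegate:delegateQueue:]`; a server presenting any other certificate is rejected instead of silently accepted.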
Re: Authentication and NSURLConnection sendSynchronousRequest
On 6/12/08 12:44 PM, Jens Alfke [EMAIL PROTECTED] wrote:

> On 12 Jun '08, at 8:35 AM, Paul E. Robichaux wrote:
>
>> @implementation NSURLRequest(NSHTTPURLRequest)
>> + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
>> {
>>     return YES;
>> }
>> @end
>>
>> At the end of one of my .m files, the code builds, though I get warnings that some other methods aren't implemented. The program then gives me an NSURLDomainError -1203
>
> I'm suspicious of that technique, since category methods really aren't allowed to override existing methods; I think the effects are undefined. It's the kind of thing that I could imagine breaking under the rewritten Obj-C runtime in 10.5.

Calling it a technique is being very generous :) I was suspicious of it as well. I'm still at the try-things-without-knowing-what-they-actually-do stage of my Cocoa career, so I decided to give it a whirl.

>> 1. Is there a safer or better-supported way for me to get a look at the returned certificate besides overriding allowsAnyHTTPSCertificateForHost?
>
> Well, this message from Marcel Borsten
> http://www.cocoabuilder.com/archive/message/cocoa/2008/3/4/200382
> mentions another method:
>
>     + (void)setAllowsAnyHTTPSCertificate:(BOOL)fp8 forHost:(id)fp12;
>
> So it looks as though you could just call
>
>     [NSURLConnection setAllowsAnyHTTPSCertificate: YES forHost: myHost];

After doing that, I now get a compiler warning that there's a duplicate interface defined for NSURLRequest(NSHTTPURLRequest), and at runtime when I call the routine I get errors in my log:

    +[NSURLConnection setAllowsAnyHTTPSCertificate:forHost:]: unrecognized selector sent to class 0xa02645a0

> A better solution is to insert the cert into the keychain and mark it as trusted; but that isn't easy. If the user can get a .cer file of the server's cert, s/he can double-click it to add it to the keychain, then locate it in Keychain Access and mark it as trusted. Programmatically, it involves some twisty little APIs; I'd recommend using the higher-level wrappers in the open-source Keychain.framework (it's on sourceforge.)

For the purpose of this sample, this approach is overkill. You're right, though, that this would be a much better solution.

>> 3. What does -1203 really *mean*?
>
> From NSURLError.h:
>
>     NSURLErrorServerCertificateHasUnknownRoot = -1203,

Aha! Thanks for the pointer.

Re: Authentication and NSURLConnection sendSynchronousRequest
On 12 Jun '08, at 10:35 AM, Paul E. Robichaux wrote:

> After doing that, I now get a compiler warning that there's a duplicate interface defined for NSURLRequest(NSHTTPURLRequest),

You can get around that by changing the category name (the part in parentheses) to anything different.

> and at runtime when I call the routine I get errors in my log:
>
>     +[NSURLConnection setAllowsAnyHTTPSCertificate:forHost:]: unrecognized selector sent to class 0xa02645a0

Hm, that means that method isn't actually implemented in NSURLConnection. I guess it's left for subclasses to implement. In that case, try creating a subclass of NSURLConnection, containing nothing but the +allowsAny... method you used to have, and then call +sendSynchronousRequest:... on the subclass.

—Jens

Re: Authentication and NSURLConnection sendSynchronousRequest
On 6/12/08 2:18 PM, Jens Alfke [EMAIL PROTECTED] wrote:

> On 12 Jun '08, at 10:35 AM, Paul E. Robichaux wrote:
>
>> After doing that, I now get a compiler warning that there's a duplicate interface defined for NSURLRequest(NSHTTPURLRequest),
>
> You can get around that by changing the category name (the part in parentheses) to anything different.

So *that's* what that's for. Thanks!

>> and at runtime when I call the routine I get errors in my log:
>>
>>     +[NSURLConnection setAllowsAnyHTTPSCertificate:forHost:]: unrecognized selector sent to class 0xa02645a0
>
> Hm, that means that method isn't actually implemented in NSURLConnection.

A little further digging revealed http://www.cocoabuilder.com/archive/message/cocoa/2007/5/19/183405, which claims that the method's implemented on NSURLRequest. Sure enough, when I define it there, my app is now failing with NSURLErrorUserCancelledAuthentication, which is a step in the right direction :)