Authentication and NSURLConnection sendSynchronousRequest

2008-06-12 Thread Paul E. Robichaux
I'm writing a simple demo application showing how to use some Exchange Web
Services (EWS) features in Cocoa. I am a total Cocoa n00b but have most of
the app and UI working, thanks to a lot of google-fu and my now-worn copy of
Hillegas' 3rd ed. I'm having trouble authenticating to the actual EWS
server, though.

For simplicity's sake, I want to use sendSynchronousRequest. The docs say
that it has 'minimal support' for authentication. I'm letting the user
provide their credentials, then storing them in an NSURLCredential. I then
add the NSURLCredential to the shared credential storage and define an
NSURLProtectionSpace with the FQDN of the EWS server.

When I actually call sendSynchronousRequest, I get an error if the EWS
server is using a self-signed certificate (as most probably will be). I did
some digging and it looks like one way to fix this is to override
allowsAnyHTTPSCertificateForHost so that it allows any certificate. I know
this is a bad idea from a security standpoint, but I'm OK with it in demo
code, suitably flagged. However, I'm doing something wrong when I override.

If I just stick this code

@implementation NSURLRequest(NSHTTPURLRequest)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
   return YES;
}
@end

At the end of one of my .m files, the code builds, though I get warnings
that some other methods aren't implemented. The program then gives me an
NSURLDomainError -1203, the description for which doesn't tell me anything
useful.

So, the actual questions:
1. Is there a safer or better-supported way for me to get a look at the
returned certificate besides overriding allowsAnyHTTPSCertificateForHost?

2. What am I doing wrong in my override attempt?

3. What does -1203 really *mean*?

Cheers,
-Paul

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to [EMAIL PROTECTED]


Re: Authentication and NSURLConnection sendSynchronousRequest

2008-06-12 Thread Jens Alfke


On 12 Jun '08, at 8:35 AM, Paul E. Robichaux wrote:

 @implementation NSURLRequest(NSHTTPURLRequest)
 + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
 {
    return YES;
 }
 @end

 At the end of one of my .m files, the code builds, though I get warnings
 that some other methods aren't implemented. The program then gives me an
 NSURLDomainError -1203


I'm suspicious of that technique, since category methods really aren't  
allowed to override existing methods; I think the effects are  
undefined. It's the kind of thing that I could imagine breaking  
under the rewritten Obj-C runtime in 10.5.


 1. Is there a safer or better-supported way for me to get a look at the
 returned certificate besides overriding allowsAnyHTTPSCertificateForHost?


Well, this message from Marcel Borsten
http://www.cocoabuilder.com/archive/message/cocoa/2008/3/4/200382
mentions another method:
+ (void)setAllowsAnyHTTPSCertificate:(BOOL)fp8 forHost:(id)fp12;

So it looks as though you could just call
[NSURLConnection setAllowsAnyHTTPSCertificate: YES forHost: myHost];
You would just have to paste the @interface block (but NOT the  
@implementation) from that email into your code, so the compiler  
recognizes the existence of that method.


A better solution is to insert the cert into the keychain and mark it  
as trusted; but that isn't easy. If the user can get a .cer file of  
the server's cert, s/he can double-click it to add it to the keychain,  
then locate it in Keychain Access and mark it as trusted.  
Programmatically, it involves some twisty little APIs; I'd recommend  
using the higher-level wrappers in the open-source Keychain.framework  
(it's on sourceforge.)



 3. What does -1203 really *mean*?


From NSURLError.h:
NSURLErrorServerCertificateHasUnknownRoot = -1203,

—Jens
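
An added example, not part of the thread and not either poster's code: one supported way to accept a single known self-signed server certificate while every other certificate still fails with -1203. It goes beyond the thread by using the asynchronous NSURLConnection delegate API rather than sendSynchronousRequest, and assumes ARC and macOS 10.14 or later; the class name EWSPinnedDelegate and its two properties are hypothetical.

```objc
// Added example: EWSPinnedDelegate and its properties are hypothetical names.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface EWSPinnedDelegate : NSObject <NSURLConnectionDelegate>
@property (copy) NSString *pinnedHost;     // FQDN of the EWS server
@property (strong) NSData *pinnedCertDER;  // DER bytes of the server's exported .cer
@end

@implementation EWSPinnedDelegate

- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    BOOL isTrustCheck = [space.authenticationMethod
                            isEqualToString:NSURLAuthenticationMethodServerTrust];

    // Password challenges and all other hosts keep the system's normal handling,
    // so stored NSURLCredentials still apply and no other host is loosened.
    if (!isTrustCheck || ![space.host isEqualToString:self.pinnedHost]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    BOOL trusted = NO;
    SecTrustRef trust = space.serverTrust;
    SecCertificateRef anchor = SecCertificateCreateWithData(
        NULL, (__bridge CFDataRef)self.pinnedCertDER);  // NULL if the data is not valid DER
    if (anchor != NULL) {
        NSArray *anchors = @[ (__bridge id)anchor ];
        if (SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors) == errSecSuccess) {
            // Trust only the pinned certificate, not the system roots.
            SecTrustSetAnchorCertificatesOnly(trust, true);
            // The server-trust policy still checks host name and validity dates.
            trusted = SecTrustEvaluateWithError(trust, NULL);
        }
        CFRelease(anchor);
    }

    if (trusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Any other certificate for this host is rejected and the load fails.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```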


Re: Authentication and NSURLConnection sendSynchronousRequest

2008-06-12 Thread Paul E. Robichaux



On 6/12/08 12:44 PM, Jens Alfke [EMAIL PROTECTED] wrote:


 On 12 Jun '08, at 8:35 AM, Paul E. Robichaux wrote:

 @implementation NSURLRequest(NSHTTPURLRequest)
 + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
 {
    return YES;
 }
 @end

 At the end of one of my .m files, the code builds, though I get warnings
 that some other methods aren't implemented. The program then gives me an
 NSURLDomainError -1203

 I'm suspicious of that technique, since category methods really aren't
 allowed to override existing methods; I think the effects are
 undefined. It's the kind of thing that I could imagine breaking
 under the rewritten Obj-C runtime in 10.5.

Calling it a technique is being very generous :) I was suspicious of it as
well. I'm still at the try-things-without-knowing-what-they-actually-do
stage of my Cocoa career, so I decided to give it a whirl.

 1. Is there a safer or better-supported way for me to get a look at the
 returned certificate besides overriding allowsAnyHTTPSCertificateForHost?

 Well, this message from Marcel Borsten
 http://www.cocoabuilder.com/archive/message/cocoa/2008/3/4/200382
 mentions another method:
 + (void)setAllowsAnyHTTPSCertificate:(BOOL)fp8 forHost:(id)fp12;

 So it looks as though you could just call
 [NSURLConnection setAllowsAnyHTTPSCertificate: YES forHost: myHost];

After doing that, I now get a compiler warning that there's a duplicate
interface defined for NSURLRequest(NSHTTPURLRequest), and at runtime when I
call the routine I get errors in my log:

+[NSURLConnection setAllowsAnyHTTPSCertificate:forHost:]: unrecognized
selector sent to class 0xa02645a0


 A better solution is to insert the cert into the keychain and mark it
 as trusted; but that isn't easy. If the user can get a .cer file of
 the server's cert, s/he can double-click it to add it to the keychain,
 then locate it in Keychain Access and mark it as trusted.
 Programmatically, it involves some twisty little APIs; I'd recommend
 using the higher-level wrappers in the open-source Keychain.framework
 (it's on sourceforge.)

For the purpose of this sample, this approach is overkill. You're right,
though, that this would be a much better solution.

 3. What does -1203 really *mean*?

  From NSURLError.h:
  NSURLErrorServerCertificateHasUnknownRoot = -1203,

Aha! Thanks for the pointer.



Re: Authentication and NSURLConnection sendSynchronousRequest

2008-06-12 Thread Jens Alfke


On 12 Jun '08, at 10:35 AM, Paul E. Robichaux wrote:

 After doing that, I now get a compiler warning that there's a duplicate
 interface defined for NSURLRequest(NSHTTPURLRequest),


You can get around that by changing the category name (the part in  
parentheses) to anything different.



 and at runtime when I
 call the routine I get errors in my log:
 +[NSURLConnection setAllowsAnyHTTPSCertificate:forHost:]: unrecognized
 selector sent to class 0xa02645a0


Hm, that means that method isn't actually implemented in  
NSURLConnection. I guess it's left for subclasses to implement. In  
that case, try creating a subclass of NSURLConnection, containing  
nothing but the +allowsAny... method you used to have, and then call  
+sendSynchronousRequest:... on the subclass.


—Jens


Re: Authentication and NSURLConnection sendSynchronousRequest

2008-06-12 Thread Paul E. Robichaux



On 6/12/08 2:18 PM, Jens Alfke [EMAIL PROTECTED] wrote:


 On 12 Jun '08, at 10:35 AM, Paul E. Robichaux wrote:

 After doing that, I now get a compiler warning that there's a duplicate
 interface defined for NSURLRequest(NSHTTPURLRequest),

 You can get around that by changing the category name (the part in
 parentheses) to anything different.

So *that's* what that's for. Thanks!

 and at runtime when I
 call the routine I get errors in my log:
 +[NSURLConnection setAllowsAnyHTTPSCertificate:forHost:]: unrecognized
 selector sent to class 0xa02645a0

 Hm, that means that method isn't actually implemented in
 NSURLConnection.

A little further digging revealed
http://www.cocoabuilder.com/archive/message/cocoa/2007/5/19/183405, which
claims that the method's implemented on NSURLRequest. Sure enough, when I
define it there, my app is now failing with
NSURLErrorUserCancelledAuthentication, which is a step in the right
direction :)
