[web2py] Re: Issue 1961; redirect, response.headers and CAS

2014-08-12 Thread Massimo Di Pierro
Will do it tonight. CAS CORS compliancy is important.

On Tuesday, 12 August 2014 03:05:27 UTC-5, Remco Boerma wrote:
>
> Thanks Massimo, 
>
> Concerning https://code.google.com/p/web2py/issues/detail?id=1961&can=1 
>
> The CAS structure uses redirect() internally. Can you update the call in the 
> CAS code to send the request.headers? That's why I proposed a change on all 
> redirect calls. This allows the CAS to be CORS compliant if the user provides 
> the proper headers on the controller level 
>
> With kind regards. 
>
> Remco
>
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[web2py] Re: Issue 1961; redirect, response.headers and CAS

2014-08-12 Thread Massimo Di Pierro
Looking into this but I need your help. We cannot preserve all the headers 
because some of them may contain sensitive information that should not be 
sent cross domain (for example session cookies). So the question is, which 
headers should be preserved by which redirects:

There are two redirects in gluon/contrib/login_methods/cas_auth.py

There are two redirects in gluon/tools.py in Auth allow_access.

Do you know which ones need the headers? Which headers?

On Tuesday, 12 August 2014 03:05:27 UTC-5, Remco Boerma wrote:
>
> Thanks Massimo, 
>
> Concerning https://code.google.com/p/web2py/issues/detail?id=1961&can=1 
>
> The CAS structure uses redirect() internally. Can you update the call in the 
> CAS code to send the request.headers? That's why I proposed a change on all 
> redirect calls. This allows the CAS to be CORS compliant if the user provides 
> the proper headers on the controller level 
>
> With kind regards. 
>
> Remco
>
>



[web2py] Re: Issue 1961; redirect, response.headers and CAS

2014-08-13 Thread Remco Boerma
Thanks Massimo, 

Well, with CORS it depends. I used these to get CORS working with IE11 
and Chrome (latest)

response.headers['Access-Control-Allow-Origin'] 
response.headers['Access-Control-Allow-Methods'] 
response.headers['Access-Control-Allow-Headers'] 

Maybe something more dynamic like 
auth.cas_allowed_headers_on_redirect = ['Acces-Co...',...]

though it would require more tuning and more work and less out of the box 
functionality. 

From what I have seen it needs these headers on every contact with the 
requesting browser, since the entire process is done using ajax that means 
all redirects would probably apply. And if not, probably you'll want to 
set up a structure to allow CORS on those redirects anyway. 
If you really need to know which redirects are used in my situation (I 
don't use the form based authentication obviously, so that might save me a 
few redirects) I can debug the lot and see what I can come up with. 

With kind regards. 

On Wednesday, 13 August 2014 07:29:43 UTC+2, Massimo Di Pierro wrote:
>
> Looking into this but I need your help. We cannot preserve all the headers 
> because some of them may contain sensitive information that should not be 
> sent cross domain (for example session cookies). So the question is, which 
> headers should be preserved by which redirects:
>
> There are two redirects in gluon/contrib/login_methods/cas_auth.py
>
> There are two redirects in gluon/tools.py in Auth allow_access.
>
> Do you know which ones need the headers? Which headers?
>
> On Tuesday, 12 August 2014 03:05:27 UTC-5, Remco Boerma wrote:
>>
>> Thanks Massimo, 
>>
>> Concerning https://code.google.com/p/web2py/issues/detail?id=1961&can=1 
>>
>> The CAS structure uses redirect() internally. Can you update the call in the 
>> CAS code to send the request.headers? That's why I proposed a change on all 
>> redirect calls. This allows the CAS to be CORS compliant if the user 
>> provides the proper headers on the controller level 
>>
>> With kind regards. 
>>
>> Remco
>>
>>
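
Added example, not part of the original messages and not web2py code: one way to implement the allowlist idea raised above, copying only named CORS headers onto a redirect and never session cookies. `headers_for_redirect`, `trusted_origins` and the sample values are assumptions made for illustration.

```python
# Added example with hypothetical names; not web2py's API.
# The three headers named in the thread, matched case-insensitively.
CORS_REDIRECT_ALLOWLIST = (
    'Access-Control-Allow-Origin',
    'Access-Control-Allow-Methods',
    'Access-Control-Allow-Headers',
)


def headers_for_redirect(response_headers, trusted_origins=None,
                         allowlist=CORS_REDIRECT_ALLOWLIST):
    """Return only the headers that may be copied onto a redirect.

    Default deny: anything off the allowlist (Set-Cookie, Authorization,
    ...) is dropped. If trusted_origins is given, an Allow-Origin value
    outside that set is dropped too.
    """
    canonical = dict((name.lower(), name) for name in allowlist)
    kept = {}
    for name, value in response_headers.items():
        key = str(name).strip().lower()
        value = str(value).strip()
        if key not in canonical:
            continue
        # A CR or LF in the value could smuggle in extra header lines.
        if '\r' in value or '\n' in value:
            continue
        if (key == 'access-control-allow-origin'
                and trusted_origins is not None
                and value not in trusted_origins):
            continue
        kept[canonical[key]] = value
    return kept


# Constructed sample: headers a controller might set before the CAS redirect.
SAMPLE_RESPONSE_HEADERS = {
    'access-control-allow-origin': 'https://app.example.org',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Set-Cookie': 'session_id_app=constructed-value; Path=/',
    'X-Internal-Debug': 'constructed',
}

if __name__ == '__main__':
    kept = headers_for_redirect(SAMPLE_RESPONSE_HEADERS)
    for name in sorted(kept):
        print('%s: %s' % (name, kept[name]))
```
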



[web2py] Re: Issue 1961; redirect, response.headers and CAS

2014-08-13 Thread Massimo Di Pierro
Can you point me to any documentation?

On Wednesday, 13 August 2014 04:52:00 UTC-5, Remco Boerma wrote:
>
> Thanks Massimo, 
>
> Well, with CORS it depends. I used these to get CORS working with IE11 
> and Chrome (latest)
>
> response.headers['Access-Control-Allow-Origin'] 
> response.headers['Access-Control-Allow-Methods'] 
> response.headers['Access-Control-Allow-Headers'] 
>
> Maybe something more dynamic like 
> auth.cas_allowed_headers_on_redirect = ['Acces-Co...',...]
>
> though it would require more tuning and more work and less out of the box 
> functionality. 
>
> From what I have seen it needs these headers on every contact with the 
> requesting browser, since the entire process is done using ajax that means 
> all redirects would probably apply. And if not, probably you'll want to 
> set up a structure to allow CORS on those redirects anyway. 
> If you really need to know which redirects are used in my situation (I 
> don't use the form based authentication obviously, so that might save me a 
> few redirects) I can debug the lot and see what I can come up with. 
>
> With kind regards. 
>
> On Wednesday, 13 August 2014 07:29:43 UTC+2, Massimo Di Pierro wrote:
>>
>> Looking into this but I need your help. We cannot preserve all the 
>> headers because some of them may contain sensitive information that should 
>> not be sent cross domain (for example session cookies). So the question is, 
>> which headers should be preserved by which redirects:
>>
>> There are two redirects in gluon/contrib/login_methods/cas_auth.py
>>
>> There are two redirects in gluon/tools.py in Auth allow_access.
>>
>> Do you know which ones need the headers? Which headers?
>>
>> On Tuesday, 12 August 2014 03:05:27 UTC-5, Remco Boerma wrote:
>>>
>>> Thanks Massimo, 
>>>
>>> Concerning https://code.google.com/p/web2py/issues/detail?id=1961&can=1 
>>>
>>> The CAS structure uses redirect() internally. Can you update the call in 
>>> the CAS code to send the request.headers? That's why I proposed a change on 
>>> all redirect calls. This allows the CAS to be CORS compliant if the user 
>>> provides the proper headers on the controller level 
>>>
>>> With kind regards. 
>>>
>>> Remco
>>>
>>>



[web2py] Re: Issue 1961; redirect, response.headers and CAS

2014-08-19 Thread Remco Boerma
http://www.html5rocks.com/en/tutorials/cors/ 
http://www.w3.org/TR/cors/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

This is what you're looking for, I think; it's what I've used and it offers a lot of 
info. 

On Wednesday, 13 August 2014 20:07:21 UTC+2, Massimo Di Pierro wrote:
>
> Can you point me to any documentation?
>
> On Wednesday, 13 August 2014 04:52:00 UTC-5, Remco Boerma wrote:
>>
>> Thanks Massimo, 
>>
>> Well, with CORS it depends. I used these to get CORS working with IE11 
>> and Chrome (latest)
>>
>> response.headers['Access-Control-Allow-Origin'] 
>> response.headers['Access-Control-Allow-Methods'] 
>> response.headers['Access-Control-Allow-Headers'] 
>>
>> Maybe something more dynamic like 
>> auth.cas_allowed_headers_on_redirect = ['Acces-Co...',...]
>>
>> though it would require more tuning and more work and less out of the box 
>> functionality. 
>>
>> From what I have seen it needs these headers on every contact with the 
>> requesting browser, since the entire process is done using ajax that means 
>> all redirects would probably apply. And if not, probably you'll want to 
>> set up a structure to allow CORS on those redirects anyway. 
>> If you really need to know which redirects are used in my situation (I 
>> don't use the form based authentication obviously, so that might save me a 
>> few redirects) I can debug the lot and see what I can come up with. 
>>
>> With kind regards. 
>>
>> On Wednesday, 13 August 2014 07:29:43 UTC+2, Massimo Di Pierro wrote:
>>>
>>> Looking into this but I need your help. We cannot preserve all the 
>>> headers because some of them may contain sensitive information that should 
>>> not be sent cross domain (for example session cookies). So the question is, 
>>> which headers should be preserved by which redirects:
>>>
>>> There are two redirects in gluon/contrib/login_methods/cas_auth.py
>>>
>>> There are two redirects in gluon/tools.py in Auth allow_access.
>>>
>>> Do you know which ones need the headers? Which headers?
>>>
>>> On Tuesday, 12 August 2014 03:05:27 UTC-5, Remco Boerma wrote:

>>>> Thanks Massimo, 
>>>>
>>>> Concerning https://code.google.com/p/web2py/issues/detail?id=1961&can=1 
>>>>
>>>> The CAS structure uses redirect() internally. Can you update the call in 
>>>> the CAS code to send the request.headers? That's why I proposed a change 
>>>> on all redirect calls. This allows the CAS to be CORS compliant if the 
>>>> user provides the proper headers on the controller level 
>>>>
>>>> With kind regards. 
>>>>
>>>> Remco


