I would like to create a relative link that switches the current protocol from http to https. The last place I worked had something set up on the server so that you could make that happen, but I don't remember much about it and I never knew how it worked.
The rationale for this is that I wouldn't need to hardcode server names in files that need to move in between production and development environments.
Is there a way for this to work in IIS 6.0?
Edit:
I am using .NET, but the "link" I'm creating will not be dynamically generated. If you really want the nitty gritty details, I am using a redirect macro in Umbraco that requires a URL to be passed in.
Here's a simple solution in VB.NET:
Imports System.Web.HttpContext
Public Shared Sub SetSSL(Optional ByVal bEnable As Boolean = False)
If bEnable Then
If Not Current.Request.IsSecureConnection Then
Dim strHTTPS As String = "https://www.mysite.com"
Current.Response.Clear()
Current.Response.Status = "301 Moved Permanently"
Current.Response.AddHeader("Location", strHTTPS & Current.Request.RawUrl)
Current.Response.End()
End If
Else
If Current.Request.IsSecureConnection Then
Dim strHTTP As String = "http://www.mysite.com"
Current.Response.Clear()
Current.Response.Status = "301 Moved Permanently"
Current.Response.AddHeader("Location", strHTTP & Current.Request.RawUrl)
Current.Response.End()
End If
End If
End Sub
Usage:
'Enable SSL
SetSSL(True)
'Disable SSL
SetSSL(False)
You could add this to the Page_Load of each of your pages. Or you could do something like I did and create a list of folders or pages that you want secured in your global.asax and set the SSL accordingly in the Application_BeginRequest method. And this will work with relative links and the HTTP or HTTPS status of a page will always be what you tell it to be in the code.
I have this code in place on several websites. But as an example, if you go to https://www.techinsurance.com you'll notice it automatically redirects to http because the home page doesn't need to be secured. And the reverse will happen if you try to hit a page that needs to be secured such as http://www.techinsurance.com/quote/login.aspx
You may notice that I'm using 301 (permanent) redirects. The side benefit here is that search engines will update their index based on a 301 redirect code.
Which language/framework are you using?
You should be able to create your own function in which you pass in the relative page and you deduce from the HttpRequest object and the Server object (again depending on the language or framework) what the host and URL are and then just simply redirect to that URL but with https as a prefix.
Here is a good CodeProject article on doing this by specifying certain directories and files that you want to use SSL. It will automatically switch these to and from https based on your needs.
I've use this for a project, and it works really well.
This is the same answer I gave here:
Yes you can. I recommend this free open source DLL that lets you designate which pages and folders need SSL and which don't:
http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx
So you can setup a page to be secure in your web.config like this:
<secureWebPages encryptedUri="www.example.com" unencryptedUri="www.example.com" mode="RemoteOnly" >
<files>
<add path="/MustBeSecure.aspx" secure="Secure" />
</files>
</secureWebPages>
We ended up buying ISAPI Rewrite to perform redirects at the web server level for certain URLs. That's not quite the answer I was looking for when I asked the question, but it's what works for us.
Related
I am trying out the Apache Shiro framework and I basically downloaded the setup from a project online. I managed to get it working but I am stuck at a really small issue. I want to make multiple JSF pages in my project to be accessed without any authorization.
The configuration currently looks something like:
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /login.xhtml
roles.unauthorizedUrl = /login.xhtml
Now I would like to add one more page to roles.unnauthorizeddUrl i.e. signUp.xhtml
I tried
roles.unauthorizedUrl = /login.xhtml,/signUp.xhtml
but that doesnt work. Is there a way to declare multiple unauthorized URL's in the config.
The roles.unauthorizedUrl is the Url to which the user has to be redirected in case user tried to access the protected / unauthorized url. So you only add one such URL, otherwise ambiguity will be raised to the framework to which url to redirect.
If you want unprotect any url use the below config in [urls] section
/login.xhtml = anon
/sugnUp.xhtml = anon
I've scenario where i want open local web page (index.html) passing parameters in query which i can used in index.html but i'm having problem as it gives error as per below,
The system cannot find the file specified.
Vb.net Code
Dim url As String = ConfigurationManager.AppSettings("Url")
url = url & "?id=" & txtFilePath.Text
//Url example
"C:\Program Files\Products\Bella\index.html?id=232"
Process.Start(url)
i do not completely understand your question but i will try.
I do not know what the value of "Url" is, neither what the txtFilePath.text is supposed to be. but if you are trying to open a URL like
localhost/index.html?id=example
in a browser, you should use that as the first parameter.
Process.Start("IExplore.exe", url)
If you are trying to get the server to read the parameter you put into the URL, i do not know if you can make html-pages get parameters like that, maybe PHP or something else? But that should not make a difference at all for launching the browser and stuff, just a heads-up :)
But if you just want to open a static html file in a browser-window, you are, as far as i know, out of luck with passing parameters, but you SHOULD test for the existence of your file, so you are completely sure it exists in that path.
File.Exists(url)
EDIT:
Since your url is "C:\Program Files\Products\Bella\index.html?id=232" i do not believe you could pass parameters, i think it will try to find a file with the extension ".html?id=232", which obviously does not exist.
It seems there are two issues:
First:
I think the reason for the error is you need to have "file://" before the URL (as Mych mentioned in the comments) in order to access a local web page. Many browsers will automatically assume the URL should have "http://" unless you specify that it's a local file.
Depending on your browser it may add more forward slashes, but two should be sufficient to get Process.Start to recognize it.
So your URL should look like this:
"file://C:\Program Files\Products\Bella\index.html?id=232"
Second:
As far as passing a parameter to the URL the best way I have found (as jakobS suggested) you would have to use:
Process.Start("IExplore.exe", url)
'or
Process.Start("Chrome.exe", url)
or whichever browser you prefer.
So you could modify your code this way:
Dim url As String = ConfigurationManager.AppSettings("Url")
url = url & "?id=" & txtFilePath.Text
'Add "file://" to the beginning of the url.
url = "file://" & url
Process.Start("IExplore.exe", url)
That should get rid of your error and load the page with your parameters.
Hope it helps!
I have a web site with some static web pages (webSiteA), which has a link to another web application (webAppB).
webAppB must know if the client was redirected from webSiteA. What are my options here?
One option I am thinking about is to create the link with a query string on webSiteA, and webAppB can check for that.
webSiteA is just a static html web site created using some web designer, and will be in http.
I guess the webAppB can also check for the last URL and check the IP for webSiteA, or by using referrer.
Are there any other options that may be considered a better way to do this? How safe is either of the methods above? How easy is it to spoof these?
The basic option is to use the referer.
You say website A is static and you don't need to enforce strong security. In this case the referer is also the only option.
If you need a proof that the user visited site A, you can do something like this :
Put a link like
/redirect.php?url=http://site-b/...
In this file you add a parameter to the URL that uniquely identifies the client, as for example :
http://site-b/...?t=identifier
where identifier can be something like
$identifier = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $secret_string);
On website B you check if the identifier corresponds to the client's footprint. You have a proof that cannot be falsified.
I am unable to load an iWidget externally on the communities page
This is my widget def:
<widgetDef defId="qmiWidget" primaryWidget="false" modes="view fullpage edit search"
url="http://questionmine.com/app1/widgets/index/publishProject_iWidget"/>
But it replaces the http and tries to load it internally
"NetworkError: 403 Forbidden - https://connectionsww.demos.ibm.com/communities/ajaxProxy/http/questionmine.com/app1/widgets/index/publishProject_iWidget"
Any idea how can I do this ?
Since your widget resides on another domain, you have to configure the "Ajax Proxy" to allow this.
Take a look at this here:
http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.5+Documentation#action=openDocument&res_title=Configuring_the_AJAX_proxy_ic45&content=pdcontent
For testing purposes (ONLY testing) it would be safe to allow "*" but for a production environment it is strongly advised to be more specific, in your case something like "questionmine.com/app1/*"
You can even configure specific proxy rules per application (Communities, Profiles, Homepage,...)
http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.5+Documentation#action=openDocument&res_title=Configuring_the_AJAX_proxy_for_a_specific_application_ic45&content=pdcontent
BTW: If you ever tried to enable feeds in a community, the same applies. Without further configuration, only same-domain feeds would be allowed.
for developement reasons (working with facebook-connect) i put the connect iframe in an iframe. on that way i am able to work on the connect-thing independent of my ip and don't have to develop on the live-server.
the iframe holding the connect-button iframe is on my server, accessing the same db-server as the developer version (developer version is running on localhsot).
as far as good ... BUT
how can i let the parent site know, that the user has connected, so that i get his profile-picture displayd as reaction to this?
how can i react in generally on an action/event/JS in an iframe? is there a way?
can the iframe post data to the parent site? like a time-stamp and fb_userid?
if the iframe stuff doesn't work ...
i thougt of saving the ip to the fb_userid (to db) and check matches ... but i don't like this idea.
You can pass variables to frames using query string format through src attribute of the iframe, eg:
<iframe src="mysite.com?var=test"............>
Well thanks to #Sarfraz Ahmed, your post was the inspiration for my solution:
With the src of the iframe, I send the current session id as GET parameter.
<iframe src="http://www.online_host.com/scriptxy.php?id_session=<?=session_id()?>"></iframe>
Then the script in the iframe makes a callback after some action, like
<script>
location.href="http://localhost/localscript.php?id_session=<?=$_REQUEST['id_session']?>¶meters_here=something";
</script>
It should be noticed, that the GET parameters name has not to be "sessionid", or "sessid", because this is not allowed with the most apache installations.
In PHP localscript.php, you do something like:
session_id($_REQUEST['id_session']);
session_regenerate_id();
$_SESSION['param1'] = $_REQUEST['param1'];
...
Now you can access the sessiondata in your current locally running PHP. Together with a triggered AJAX request interval this works good enough for development.
The thing is, i'm using CodeIgniter (with PostgreSQL and the session-plugin ecko) and getting a memory problem in the PostgreSQL driver script, which i didn't figure out until now.