Solved

SSL certificate in ajax and jquery

Posted on 2014-01-15
5,439 Views
Last Modified: 2014-01-26
Hi Experts,

I have a site that runs on HTTP (httpd) and has a login page. This login page communicates via AJAX and sends the login request over HTTPS to a REST service on JBoss; this REST service checks the user and password and returns the authentication result.

The problem is that the AJAX request is not working over SSL. It works only if I manually browse to the HTTPS URL to get the JBoss home page, and I get that page after adding the certificate to the browser (there is a warning to install the certificate, and I proceed).

The question is: how can I force the browser to display this warning in my login page?

I have tried to use a hidden iframe as you suggested in another topic/question, and also tried the PHP suggestion, but they don't work:

http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28292846.html

I have asked many programmers that I know and work with, but nobody has an idea what I should do!

Please help.

Thanks a lot.
Question by: weissman

17 Comments
 
Expert Comment by: Gary (LVL 58)

What is your AJAX code? Are you specifying https:// where you are calling the URL?
AJAX is no different from your browser requesting the same page, so there is no reason why it wouldn't work.

Author Comment by: weissman

Hi Cathal,

Yes, I specify https inside rest.getFullUrl(). Here is the AJAX code:

  $.ajax({
      url : rest.getFullUrl() + "/?",
      type : 'GET',
      dataType : 'jsonp',            // JSONP: the reply is loaded through a <script> tag
      data : {
          Authorization : auth       // for a JSONP GET this travels in the query string, not as a header
      },
      crossDomain : true,
      async : false,                 // has no effect: JSONP requests cannot be synchronous
      jsonpCallback : 'jsonCallback',

      success : function(data, status) {
          var t = JSON.stringify(data);
          $("#status").val(data.STATUS);
      },
      error : function(xhr, status, error) {
          // jQuery does not invoke error() for cross-domain JSONP requests;
          // jQuery.parseJSON replaces the undefined jQueryJSON() helper
          var data = jQuery.parseJSON(xhr.responseText);
          $("#status").val('');
      },
      complete : function(xhr, status) {
          submitFrm();
      }
  });

I don't think the problem is in the AJAX call (I have tested it locally with HTTP and it works fine). As a test I have tried an HTML page with an iframe pointing to the HTTPS site, but it displays the page inside the iframe without some images. Also, the browser is not notifying me about the certificate, so again my question is how I can force the browser to display this warning.

Note: the HTTP login page is on the httpd site and the HTTPS is on JBoss, so I am pointing to another machine here to check the authentication.

Do you have a sample that works? (It doesn't need to be AJAX; plain HTML is fine.)

Thanks a lot

Expert Comment by: Gary (LVL 58)

Just before this

  $.ajax({
      url : rest.getFullUrl() + "/?",

add

  alert(rest.getFullUrl())

and report back what it says.

Expert Comment by: gr8gonzo (LVL 34)

AJAX cannot communicate with a page outside of the current domain. So if you are looking at https://www.domainA.com and your script tries to send an AJAX call to https://www.domainB.com/etc/etc.... then it will fail by default because it is cross-domain scripting and is not allowed by default.

Iframes and browsers and such will have no problems visiting another page on a different domain, because that is what they are meant to do.

That said, there are ways to get around the security restrictions for cross-domain scripting, so let us know if that's what is happening.

That said, if you're going to use a self-signed certificate for development, then you should add that certificate to your trusted roots and restart your browsers (all of them). That should allow you to get past security warnings and eliminate that as a problem.

Author Comment by: weissman

Hi Cathal,

alert(rest.getFullUrl())

Here is the result: https://172.17.174.8:443/mgmt/access/auth

This is the URL of the REST service inside JBoss.

  rest.init('$host');
  auth = rest.getAuthData(user, password);
  // getAuthData -> return "Basic " + Base64.encode(userName + ":" + password);

I didn't include it above.

Thanks for the help

Author Comment by: weissman

Hi gr8gonzo,

What do you mean by "add that certificate to your trusted roots"? Am I doing it manually, like in this:
http://www.youtube.com/watch?v=2k581jcWk9M

Why do I need to do this, and what happens if I buy a trusted certificate? Do I still need to add it manually? Adding it to every client machine will be a headache.

Why can't I do it from JavaScript/PHP/Perl?

Thanks

Expert Comment by: Gary (LVL 58)

D'oh
gr8gonzo has pointed out the elephant in the room.

Why can you not just run the page in HTTPS to start with? Then you will not have a problem.

Expert Comment by: gr8gonzo (LVL 34)

1. Self-signed certificates are fine for development purposes, when you only have you (and maybe a few others) as the development team. If you're planning on building a public service, you'll need to eventually buy a full certificate for the production version so that people don't get those warnings. Using a self-signed certificate during development can make that process easier and make sure that everything works as it will with a full certificate.

2. You cannot automatically add certificates to computers from Javascript/PHP/Perl because that would create major security problems. An evil user could add his / her own certificates to your machine and appear as if he/she was trusted. So when you add a self-signed certificate, you have to do it individually.

3. Again, it sounds like the main problem is cross-domain scripting. Your web page is at domainA.com (or IP address A), and your AJAX is going to domainB.com (or IP address B). If this is what is happening, then let us know. If it's not, then it's likely the SSL problem (which can be fixed in development by adding your self-signed cert to your trusted roots).
 

Author Comment by: weissman

Hi gr8gonzo,

Yes, that is exactly the situation: like you said, my web page is at domainA, and the AJAX in the login page of domainA is going to check authentication (user/password) with domainB.

So what can I do in this situation?

What happens if I make my domainA (Apache httpd) also secure/SSL? I suppose it will not help either!

Thanks a lot

Expert Comment by: gr8gonzo (LVL 34)

Cross-domain AJAX is a security risk, so it's disabled by default. If it were allowed, then domain B would be in danger from pages on domain A, so it is up to domain B to grant permission so that domain A can do it. On domain B, you have to add an HTTP header to the pages:

Access-Control-Allow-Origin: http://domainA/

For example, if domainB were using PHP, you could use the header() function to do this.

If you do not have any control over domain B, then you are out of luck.

If you are open to using server-side languages on domain A, then you can have a server-side script on domainA talk to domainB on your behalf (because server-to-server communication is still possible). The main issue with this is that domain A cannot set any cookies for domain B, so if you're on domain A and trying to log into domain B, then the browser won't be able to get the login / session cookies for domain B.

The only way to really log into domain B from domain A in a way that will work is to use an iframe. You can set up a form on domain A that posts to domain B but uses a hidden iframe to do it. The browser will do all the normal work as if you were on domain B. The downside to this is that Javascript cannot communicate between the parent document and child iframe without some changes on domain B to (again) grant permissions to domain A. So the parent page would not be able to see the login results.

It's a little hard to describe, but that's just generally how it works. Unfortunately, you are fighting against a security measure that also protects you every day. What you want to do uses the same technology that a hacker would use to try and steal your passwords or attack your web site, so while it might be inconvenient for people who want to use it for legitimate purposes, this security restriction does help you.

If you do have control over domain B, then this shouldn't be a problem.

Also, it doesn't matter if it's HTTPS or HTTP. Cross-domain scripting is forbidden either way, so the security doesn't change anything.

Expert Comment by: gr8gonzo (LVL 34)

By the way, the "Access-Control-Allow-Origin" header trick is called CORS (Cross-Origin Resource Sharing) and is supported in MOST browsers today, with a few exceptions. Here's a Wikipedia article that might help you understand:

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

Again, bear in mind that even if you got cross-domain scripting to work, you may still have problems with passing cookies back from domain B.
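The Access-Control-Allow-Origin rule from the two comments above, as an added example that is not part of this thread or of JBoss: the CORS decision "domain B" (the REST service) would make for a request from the login page on domain A, written in JavaScript as a pure function. The origins in the allowlist and the name corsResponse are assumptions for the example; it also covers the preflight that an Authorization header triggers and the credentials flag behind the cookie problem mentioned above.

```javascript
// Added example (not from the thread): the CORS decision "domain B" (the JBoss
// REST service) would make for a request coming from the login page on domain A.
// Pure function so it can be tested; plug it into whatever filter the server uses.
// The origins in the allowlist are constructed for the example.
const ALLOWED_ORIGINS = new Set([
  'http://domainA.example',    // the Apache login page (HTTP)
  'https://domainA.example',   // the same page if it is later moved to HTTPS
]);

// "Authorization" is not a CORS-safelisted request header, so a request that
// carries it is preceded by an OPTIONS preflight that must be answered.
const ALLOWED_HEADERS = 'Authorization, Content-Type';
const ALLOWED_METHODS = 'GET, POST, OPTIONS';

// method: HTTP method of the request; headers: request headers, lower-cased names.
// Returns { status, headers }: 204 = preflight answered, 403 = origin refused,
// 200 = let the request proceed to the normal handler with these extra headers.
function corsResponse(method, headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  // Response depends on Origin: tell caches so one origin's answer is not reused.
  const out = { 'Vary': 'Origin' };

  // No Origin header: same-origin page or a non-browser client. CORS does not apply.
  if (origin === undefined) return { status: 200, headers: out };

  // Exact match against the allowlist. Reflecting the Origin value back, or a
  // prefix/regex match, would also admit "http://domainA.example.evil".
  if (!allowed.has(origin)) return { status: 403, headers: out };

  // Echo only an allowlisted origin. "*" is never combined with credentials:
  // browsers refuse to expose such a response, and it would open it to any site.
  out['Access-Control-Allow-Origin'] = origin;
  // Permits cookies / the Authorization header on the request and lets the
  // page read the reply; without it the login response is invisible to domain A.
  out['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = method === 'OPTIONS' &&
    headers['access-control-request-method'] !== undefined;
  if (isPreflight) {
    out['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    out['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
    out['Access-Control-Max-Age'] = '600';   // cache the preflight for 10 minutes
    return { status: 204, headers: out };
  }
  return { status: 200, headers: out };
}
```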

Author Comment by: weissman

Many thanks for your help.

I have thought about your question again; I am not 100% sure that I have two domains. I am not an expert in domains and I need to consult with other coworkers who know better, but I will try to describe the issue again: the server (JBoss) and the web (Apache) are on the same machine.

I am sure I have control over JBoss, which is the server that has all the business logic and the database.

The Apache is a web site which acts like a view module, and it is working on HTTP.

So when the user enters, for example:

 http://localhost:8080 he will get to the Apache web view

and if he enters:

 https://localhost:443 he will get to the JBoss home page.

I will try to give more details tomorrow about the domains, but I think that the Apache web site is independent from the server.

I appreciate your help.

Thanks a lot

Accepted Solution by: gr8gonzo (LVL 34, earned 500 total points)

That is good news. So basically all you should need to do is update code in JBOSS to allow for CORS to work. If you google for: jboss cors, then you should find a solution that someone has already written and tested.

Author Comment by: weissman

Thanks :)

I have read the article from Wikipedia; it seems possible. I will try to take your advice and google CORS...

I will update you tomorrow.

Thanks a lot.

Expert Comment by: hankknight (LVL 16)

When using AJAX it is always best to use URLs that are relative to the domain but do not include the domain.

For example, use:

  /x/y/z/page.jsp

instead of

  https://example.com/x/y/z/page.jsp


Author Comment by: weissman

Hi All,

I have done a workaround and built a new login page inside JBoss. It is a trick, but it is enough for me for now.

I hope I can find a better solution in the future...

Thanks a lot

Author Closing Comment by: weissman

Thank you all