Solved

SSL certificate in ajax and jquery

Posted on 2014-01-15
Last Modified: 2014-01-26
Hi Experts,

I have a site that works on HTTP (httpd) and has a login page. This login page communicates with AJAX and sends the login request through HTTPS to a REST service on JBoss; this REST service checks the user and password and returns authentication.

The problem is that the AJAX request is not working over SSL. It works only if I manually go through the browser to the HTTPS URL to get the JBoss home page, and I get this page after adding the certificate to the browser (there is a warning to install the certificate and I proceed).

The question is: how can I force the browser to display this warning in my login page?

I have tried to use a hidden iframe, as you suggested in another topic/question, and also tried the PHP suggestion, but they don't work.

http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28292846.html

I have asked many programmers that I know and work with, but nobody has an idea what I should do!

Please help.

Thanks a lot.
0
Question by:weissman
17 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39783778
What is your ajax code?  Are you specifying https:// where you are calling the URL?
Ajax is no different than your browser requesting the same page so there is no reason why it wouldn't work
0
 

Author Comment

by:weissman
ID: 39784675
Hi cathal,

Yes, I specify the https inside rest.getFullUrl(). Here is the ajax code:

  $.ajax({
      url: rest.getFullUrl() + "/?",
      type: 'GET',
      dataType: 'jsonp',
      data: {
          Authorization: auth
      },
      crossDomain: true,
      async: false,
      jsonpCallback: 'jsonCallback',

      success: function(data, status) {
          // do stuff here
          var t = JSON.stringify(data);
          $("#status").val(data.STATUS);
      },
      error: function(xhr, status, error) {
          // do stuff here
          var data = jQueryJSON(xhr.responseText);
          $("#status").val('');
      },
      complete: function(xhr, status) {
          submitFrm();
      }
  });

I don't think the problem is in the ajax call (I have tested it locally with http and it works fine). As a test, I have tried an HTML page with an iframe pointing to the https site, but it displays the page inside the iframe without some images. Also, the browser is not notifying me about the certificate, so again my question is how I can force the browser to display this warning.

Note: the http login page is on the httpd site and the https is on JBoss, so I am pointing to another machine here to check the authentication.

Do you have a sample that works? (It doesn't need to be in ajax; HTML only is fine.)

Thanks a lot
0
 
LVL 58

Expert Comment

by:Gary
ID: 39785427
Just before this
 $.ajax({
     url : rest.getFullUrl()+"/?",


Add
alert(rest.getFullUrl())

and report back what it says.
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 39785664
AJAX cannot communicate with a page outside of the current domain. So if you are looking at https://www.domainA.com and your script tries to send an AJAX call to https://www.domainB.com/etc/etc.... then it will fail by default because it is cross-domain scripting and is not allowed by default.

Iframes and browsers and such will have no problems visiting another page on a different domain, because that is what they are meant to do.

That said, there are ways to get around the security restrictions for cross-domain scripting, so let us know if that's what is happening.

That said, if you're going to use a self-signed certificate for development, then you should add that certificate to your trusted roots and restart your browsers (all of them). That should allow you to get past security warnings and eliminate that as a problem.
0
 

Author Comment

by:weissman
ID: 39785960
Hi Cathal,

alert(rest.getFullUrl())

Here is the result: https://172.17.174.8:443/mgmt/access/auth

This is the URL of the REST service inside JBoss.

rest.init('$host');
auth = rest.getAuthData(user,password);
 // getAuthData -> return "Basic "+Base64.encode(userName+":"+password);

I didn't include it above.

Thanks for the help
0
 

Author Comment

by:weissman
ID: 39785996
Hi gr8gonzo,

What do you mean by "add that certificate to your trusted roots"? Am I doing it manually, like in this:
http://www.youtube.com/watch?v=2k581jcWk9M

Why do I need to do this, and what happens if I buy a trusted certificate? Do I still need to add it manually? Adding it to every client machine will be a headache.

Why can't I do it from JavaScript/PHP/Perl?

Thanks
0
 
LVL 58

Expert Comment

by:Gary
ID: 39786038
D'oh
gr8gonzo has pointed out the elephant in the room

Why can you not just run the page in HTTPS to start with then you will not have a problem?
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 39786345
1. Self-signed certificates are fine for development purposes, when you only have you (and maybe a few others) as the development team. If you're planning on building a public service, you'll need to eventually buy a full certificate for the production version so that people don't get those warnings. Using a self-signed certificate during development can make that process easier and make sure that everything works as it will with a full certificate.

2. You cannot automatically add certificates to computers from Javascript/PHP/Perl because that would create major security problems. An evil user could add his / her own certificates to your machine and appear as if he/she was trusted. So when you add a self-signed certificate, you have to do it individually.

3. Again, it sounds like the main problem is cross-domain scripting. Your web page is at domainA.com (or IP address A), and your AJAX is going to domainB.com (or IP address B). If this is what is happening, then let us know. If you're not, then it's likely the SSL problem (which can be fixed in development by adding your self-signed cert to your trusted roots).
0
 

Author Comment

by:weissman
ID: 39790950
Hi gr8gonzo,

Yes, that is exactly the situation. Like you said, my web page is at domainA and the ajax in the login page of domainA is going to check authentication (user/password) with domainB.

So what can I do in this situation?

What happens if I make my domainA (Apache httpd) also secure/SSL? I suppose it will not help either!

Thanks a lot
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 39791074
Cross-domain AJAX is a security risk, so it's disabled by default. If allowed, then domain B would be in danger from pages on domain A, so it is up to domain B to grant permissions so that domain A can do it. On domain B, you have to add an HTTP header to the pages:

Access-Control-Allow-Origin: http://domainA/

For example, if domainB were using PHP, you could use the header() function to do this.

If you do not have any control over domain B, then you are out of luck.

If you are open to using server-side languages on domain A, then you can have a server-side script on domainA talk to domainB on your behalf (because server-to-server communication is still possible). The main issue with this is that domain A cannot set any cookies for domain B, so if you're on domain A and trying to log into domain B, then the browser won't be able to get the login / session cookies for domain B.

The only way to really log into domain B from domain A in a way that will work is to use an iframe. You can set up a form on domain A that posts to domain B but uses a hidden iframe to do it. The browser will do all the normal work as if you were on domain B. The downside to this is that Javascript cannot communicate between the parent document and child iframe without some changes on domain B to (again) grant permissions to domain A. So the parent page would not be able to see the login results.

It's a little hard to describe, but that's just generally how it works. Unfortunately, you are fighting against a security measure that also protects you every day. What you want to do uses the same technology that a hacker would use to try and steal your passwords or attack your web site, so while it might be inconvenient for people who want to use it for legitimate purposes, this security restriction does help you.

If you do have control over domain B, then this shouldn't be a problem.

Also, it doesn't matter if it's HTTPS or HTTP. Cross-domain scripting is forbidden either way, so the security doesn't change anything.
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 39791081
By the way, the "Access-Control-Allow-Origin" header trick is called CORS (Cross Origin Resource Sharing) and is supported in MOST browsers today, with a few exceptions. Here's a wikipedia article that might help understand:

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

Again, bear in mind that even if you got cross-domain scripting to work, you may still have problems with passing cookies back from domain B.
0
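
One way the CORS handling described in the two comments above could look on the service side, as an added example (not code from the thread or from JBoss). `corsResponse`, the allowlist and the sample origin are assumptions; it also assumes the client sends credentials in an `Authorization` request header instead of a JSONP query parameter, which makes the browser send a preflight `OPTIONS` request first. The allowed origin is compared exactly as scheme, host and port, because that is the form browsers send in the `Origin` header.

```javascript
// Added example: CORS decision logic a REST endpoint could apply per request.
// ALLOWED_ORIGINS and corsResponse are hypothetical names; origins are constructed.
const ALLOWED_ORIGINS = new Set(['http://localhost:8080']); // the HTTP login page's origin
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['authorization', 'content-type'];

// req: { method, headers } with lower-cased header names.
// Returns { status, headers }; status null means "continue to the real handler".
function corsResponse(req) {
  const origin = req.headers['origin'];
  // Vary: Origin keeps caches from reusing a response across origins.
  const headers = { 'Vary': 'Origin' };

  // Exact string match on scheme://host:port. No wildcard, no prefix match,
  // no trailing slash: "http://localhost:8080/" never appears as an Origin value.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: null, headers }; // no CORS headers: browser blocks the read
  }
  headers['Access-Control-Allow-Origin'] = origin;

  const wantMethod = req.headers['access-control-request-method'];
  const isPreflight = req.method === 'OPTIONS' && wantMethod !== undefined;
  if (!isPreflight) {
    return { status: null, headers };
  }

  // Preflight: sent before any cross-origin request carrying Authorization.
  const wantHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod) ||
      !wantHeaders.every(h => ALLOWED_HEADERS.includes(h))) {
    return { status: 403, headers: { 'Vary': 'Origin' } };
  }
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600'; // seconds the browser may cache this answer
  return { status: 204, headers };
}
```

If the page also needs domain B's cookies, the response additionally needs `Access-Control-Allow-Credentials: true` and the client must set `withCredentials`; that header cannot be combined with a wildcard origin.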
 

Author Comment

by:weissman
ID: 39791157
Many thanks for your help.

I have thought about your question again. I am not 100% sure that I have two domains. I am not an expert in domains and I need to consult with other workers who know better.

But I will try to describe the issue again: the server (JBoss) and the web (Apache) are on the same machine.

I am sure I have control of the JBoss, which is the server that has all the business logic and database.

The Apache is a web site which acts like a view module, and it is working on HTTP.

So when the user enters, for example:

 http://localhost:8080 he will get to the Apache/web view

and if he enters:

 https://localhost:443 he will get to the JBoss home page.

I will try to give more details tomorrow about the domains, but I think that the Apache web site is independent from the server.

I appreciate your help.

Thanks a lot
0
 
LVL 35

Accepted Solution

by:
gr8gonzo earned 2000 total points
ID: 39791194
That is good news. So basically all you should need to do is update code in JBOSS to allow for CORS to work. If you google for: jboss cors, then you should find a solution that someone has already written and tested.
0
 

Author Comment

by:weissman
ID: 39791207
Thanks :)

I have read the article from Wikipedia. It seems possible. I will try to take your advice and google CORS...

I will update you tomorrow.

Thanks a lot.
0
 
LVL 16

Expert Comment

by:hankknight
ID: 39799991
When using AJAX it is always best to use URLs that are relative to the domain but do not include the domain.

For example, use:
/x/y/z/page.jsp


Instead of
https://example.com/x/y/z/page.jsp

0
 

Author Comment

by:weissman
ID: 39810031
Hi all,

I have done a workaround and built a new login page inside JBoss. It is a trick, but it is enough for me now.

I hope I can find a better solution in the future...

Thanks a lot
0
 

Author Closing Comment

by:weissman
ID: 39810040
Thank you all
0
