How do I embed the share in another website? - alfresco

I have a website in which I would like to embed the share using an iframe. The problem is how do I prevent the user having to log in (in the iframe)? They are already authenticated at this point.
The parent application which is generating the iframe is on the same server/domain as the Alfresco install.
The parent application has its own authentication, but instead of storing its own passwords it queries Alfresco via REST.

There are two ways, I think:
The first is to provide a token (you should have one in your parent app) to Share in the iframe, so use some JavaScript;
The second one is to use portlets; have a look, for example, at the Liferay wiki. At least the document library should be accessible.

If you are using PHP (WordPress, Joomla, etc.), then this can be useful.
First of all, you need to configure share-security-config to allow Share content to be put into an iframe.
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
   <headers>
      <header>
         <name>X-Frame-Options</name>
         <value>ALLOW-FROM https://www.x.com</value>
         <!--or just allow all-->
         <!--<enabled>false</enabled>-->
      </header>
   </headers>
</config>
Then follow "Configuring external authentication" and, last, pass the header as described in "Configuring Alfresco Share to use an external SSO".

Related

How to protect static files with authentication in Meteor?

I am building a very simple Meteor app with the following situation: there are some static files in the backend (images, audio, video) that I need to include in my page, but I only want authenticated users to be able to access them. How can I do this?
I suspect I might be able to do this using routers but I haven't managed to get that running using the official documentation (or any other resource for that matter). If somebody could point me in the right direction I would be thankful.
It depends on how secure you need it to be.
You may want to just hide/show the link; then you can put those files in the public folder and add some logic to the front end to show/hide the files based on the user's authentication state.
If you need it more secure, then you need to put those files behind APIs. You can use DDP APIs (Meteor method or pub/sub) or you may use webapp to create an API.
There are mainly 2 ways to do it:
obfuscate source urls
Only show to signed in users.
a) meteor-files: https://github.com/veliovgroup/Meteor-Files for overall file security.
b) CDN signed urls: root url remains the same but it requires a signature for every download/view. You can look at things like Instagram, FB etc.
Put images in pages on routes for only logged in users. If delivered from CDN, add policies to match your referrer/origin to disallow embedding of your images on other websites.

Can't embed external content on website

I want to embed external content on a website in an iframe. I can only load internal websites and external are undefined.
How can I enable CORS in Intershop 7.7 and load an external URL in an iframe or data dialog?
There is nothing special in using iframes in Intershop compared to another platform. Simply put in your ISML:
<iframe src="https://example.com">
</iframe>
Of course this may not succeed to load as you noticed. Some servers include the X-Frame-Options header with value e.g. SAMEORIGIN which instructs the browser that they don't want to be framed on other sites. This may be used to prevent clickjacking attacks. You may use Firebug or any appropriate tool to monitor for such errors during the frame load. An iframe may also not load if you mix http/s traffic.
If you want to programmatically access content from an iframe on a different domain, you may use the Web Messaging API (window.postMessage and the onmessage event) to communicate between the page and the included iframe.
In summary:
you can't simply frame any site (maybe your 'internal' site permits that);
this question is not relevant for the Intershop technology stack;
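The receiving side of the window.postMessage exchange described above, as an added example that is not part of the original answer. The trusted origin, the {type, height} message shape and the function names are assumptions made for illustration.

```javascript
// Added example: receiver-side checks for messages from a cross-origin iframe.
// TRUSTED_ORIGINS holds a constructed host name; replace it with your own.
const TRUSTED_ORIGINS = new Set(['https://frame.example']);

function makeMessageHandler(expectedSource, onResize) {
  return function handle(event) {
    // 1. event.origin is filled in by the browser, not by the sender's script.
    if (!TRUSTED_ORIGINS.has(event.origin)) return 'rejected: origin';
    // 2. Accept messages only from the iframe window this page created.
    if (event.source !== expectedSource) return 'rejected: source';
    // 3. Treat the payload as untrusted input: check its shape and range.
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || msg.type !== 'resize') {
      return 'rejected: shape';
    }
    if (!Number.isInteger(msg.height) || msg.height < 0 || msg.height > 5000) {
      return 'rejected: value';
    }
    onResize(msg.height);
    // 4. Reply to the exact origin that was validated, never to '*'.
    event.source.postMessage({ type: 'ack' }, event.origin);
    return 'accepted';
  };
}

// Browser wiring (shown as comments because it needs a DOM):
//   const frame = document.querySelector('iframe');
//   window.addEventListener('message', makeMessageHandler(
//     frame.contentWindow, (h) => { frame.style.height = h + 'px'; }));
```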
This should be possible with the content security policy support since version 7.6.
Please check the documentation of appserver.properties file. The keys intershop.response.content-security-policy. should help.
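How the X-Frame-Options and Content-Security-Policy headers mentioned in these answers, and in the Alfresco Share configuration earlier on this page, are evaluated by a current browser, as an added example that is not code from any of the posts. It models a single parent frame with simplified source matching; the function names and the host names other than www.x.com are constructed.

```javascript
// Added example: single parent frame, simplified CSP source matching.
function matchesSource(source, parentOrigin, frameOrigin) {
  if (source === "'self'") return parentOrigin === frameOrigin;
  if (source === '*') return true;
  const wildcard = /^(https?):\/\/\*\.(.+)$/.exec(source);
  if (wildcard) {
    const parent = new URL(parentOrigin);
    return parent.protocol === wildcard[1] + ':' &&
      parent.hostname.endsWith('.' + wildcard[2]);
  }
  return source === parentOrigin; // 'none' and unknown tokens never match
}

function framingDecision(headers, parentOrigin, frameOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // A CSP frame-ancestors directive, when present, replaces X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const allowed = directive.slice(1)
      .some((s) => matchesSource(s, parentOrigin, frameOrigin));
    return { allowed, via: 'csp frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, via: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: parentOrigin === frameOrigin, via: 'x-frame-options' };
  }
  // ALLOW-FROM is obsolete: current browsers drop the whole header,
  // so it restricts nothing.
  if (xfo.startsWith('ALLOW-FROM')) return { allowed: true, via: 'allow-from ignored' };
  return { allowed: true, via: 'no policy' };
}

// Constructed samples: the ALLOW-FROM value from the Share config on this page
// and the frame-ancestors policy that expresses the same intent.
const legacy = { 'X-Frame-Options': 'ALLOW-FROM https://www.x.com' };
const modern = { 'Content-Security-Policy': "frame-ancestors 'self' https://www.x.com" };
console.log(framingDecision(legacy, 'https://other.example', 'https://share.example'));
console.log(framingDecision(modern, 'https://other.example', 'https://share.example'));
```

With the legacy header an unrelated parent is still allowed to frame the page, while the frame-ancestors policy limits framing to the page's own origin and https://www.x.com.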

Flex mobile wrap html page

I'm trying to write an AIR application to be deployed on a mobile device.
I have an HTTPS website that I go to and log in using a browser. I can view things in my account, etc.
I want to use my AIR app instead of the HTTPS website. Can I "wrap" or "skin" an html site using AIR?
So I'm looking at StageWebView, URLRequest, URLLoader.
I need to POST things like username, password, and other things.
How can I do it?
See ExternalInterface on AS3 reference that you can use to call Javascript-functions on your site.
You can show HTML content with mx:HTML
If all you need to do is POST or GET, look into HTTPService
You might wanna have a look at the StageWebViewBridge, it has some extended features compared to the default StageWebView
http://code.google.com/p/stagewebviewbridge/
We wanted to use it in a project but ended up implementing the URL based communication on our own. But you should give it a try, maybe it works for you.

How can I access cookie by flex?

I made a blog widget in Flex. I need to manipulate a cookie in my widget, which is added to my users' blogs. But under some circumstances, some blog hosts forbid access to JavaScript, so I cannot access the cookie in Flex via ExternalInterface. Does anyone know how to access the cookie in this context? Thanks.
You need to set allowScriptAccess to "*" in your embed code. Unfortunately, you cannot allow access on a per domain basis, so it's all or nothing. However, the owner of the blog might not want to grant this privilege, in which case you just cannot count on having access to Javascript from your swf.
PS: If you are allowed to serve a swf from the same domain with granted access to Javascript, you might be able to use it as proxy for sending the data retrieved with javascript to the swf served from the other domain. Not sure if this is the best idea, though.
My answer is, you can't access browser cookies from the Flash Player. The ExternalInterface usage is kind of a hack.
Based on the error, it sounds like your SWF is being served from a different domain than the web page that contains it. Is that true? If so, that is the cause of the error. Isn't that the same sort of approach that "Cross Site Scripting" exploits use?
You can allow JavaScript to access its HTML wrapper from a different domain by specifying the allowScriptAccess to always in the SWF embed code. More info in the Adobe docs.
You can try adding a crossdomain.xml file to the main site, although I did not think that would have an effect because I'm pretty sure that ExternalInterface usage is not a crossdomain.xml checking case.
I'm curious as to where the cookie is coming from. If your Flex application is creating the cookie via a SharedObject then you don't need javascript to access it. If the cookie is coming from another application/source then to my knowledge, the only real way to access it is via the javascript externalinterface method.

How to control which users can see which videos

Imagine you have a large number of video files stored on a server, and a Flex app which lets users play those videos they have access to. How can you best set this up? Wouldn't the Flex app just be sent the name of the video to play... in which case couldn't someone else write another flex app if they knew the file names? Can Flex play videos hosted on other sites? Is there some clever piece on the server I'm missing, which sits between the Flex video player and the files?
Ask users to log-in with a username and password - you can use OpenID if you want.
Update:
Set the crossdomain.xml of your server in such a way that only Flash movies from your domain can access content from there.
You can write a server-side script (in PHP or something else) that serves the file only if your user is allowed to see it (how to determine that you'll have to come up with yourself). This is a bit of a performance hit, although not so much if you use PHP's readfile().
Can Flex play videos hosted on other sites?
Your crossdomain.xml can control this. e.g. myvideoserver.com/crossdomain.xml would contain entries based on who you want to grant access to, like myflexserver.com. Then just ripping off your main flex application wouldn't give them access to your video files.
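One way to build the server-side piece discussed in this thread, which is also the signed-URL idea from the Meteor answer earlier on this page: an HMAC-signed, expiring link bound to one user (added example for Node.js, not code from any of the posts). The key, the query parameter names u/e/s, the host media.example and the function names are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo key; a real deployment loads it from server-side secrets.
const SIGNING_KEY = Buffer.from('constructed-demo-key-not-for-production');

function mac(path, userId, expires) {
  return nodeCrypto.createHmac('sha256', SIGNING_KEY)
    .update(`${path}\n${userId}\n${expires}`)
    .digest('hex');
}

// Issued by the application after its own login and permission check.
function signUrl(path, userId, ttlSeconds, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  const sig = mac(path, userId, expires);
  return `${path}?u=${encodeURIComponent(userId)}&e=${expires}&s=${sig}`;
}

// Run by the file-serving endpoint before it streams any bytes.
function verifyUrl(url, sessionUserId, now = Date.now()) {
  const parsed = new URL(url, 'https://media.example');
  const userId = parsed.searchParams.get('u');
  const expires = Number(parsed.searchParams.get('e'));
  const given = Buffer.from(parsed.searchParams.get('s') || '', 'utf8');
  const expected = Buffer.from(mac(parsed.pathname, userId, expires), 'utf8');
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return 'bad signature';
  }
  if (expires < Math.floor(now / 1000)) return 'expired';
  // A leaked link is useless to anyone but the user it was issued to.
  if (userId !== sessionUserId) return 'wrong user';
  return 'ok';
}

// Constructed demo: a 60-second link for user "alice".
const demoUrl = signUrl('/videos/intro.mp4', 'alice', 60);
console.log(demoUrl, verifyUrl(demoUrl, 'alice'));
```

Knowing a file name is no longer enough: changing the path, the user or the expiry invalidates the signature, and a copied link stops working when it expires.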
