Flex 4.5 RemoteObject and AMFPHP over SSL with self-signed certificate - apache-flex

I'm trying to connect to AMFPHP over SSL (self-signed) from a Flex 4.5 application.
Will this work? Or do I need an authority-signed certificate?
Will it silently fail or prompt user like it does in browser?
How do I need to edit the services-config.xml file for this to work?
Thank you.

I've done this before, and it works fine The one thing I'd suggest is that you make your page that houses the SWF on the same domain/cert, then the browser will prompt the user to accept the certificate before they even see the SWF. Once the cert is manually accepted, the AMFPHP stuff works fine. The default services-config should work fine but you can edit it to accept ONLY ssl connections for more security. The only IE issue I can remember off the top of my head is that there's a checkbox if your server sends the wrong caching header (no-cache) I think, IE will simply show a redx. This is resolved by changing a checkbox in IE.
I've never tried doing the client page on HTTP and the services on HTTPS but I imagine you might run into more issues that way.

Related

firefox - how to clear http / https cache?

I've recently completely switched to Firefox Developer Edition but I have a problem I've not been able to handle yet on FF.
I'm a web developer so it happened to me to have several subdomains which corresponds to a test env of a live website.
exemple : http://local.example.com is my local for https://www.example.com
As it's a common problem to have modules licensed for a domain and its subdomains, I have to process this way to have a correct development environment (with the same modules than the live env).
My problem is the following : if I go to https://www.example.com Firefox will remember that it accessed it in https and will force my local to https://local.example.com instead of http://local.example.com (and of course the https on my local is not configured)
Cleaning the browser cache does not help (it solved the problem on chrome).
Changing the ttl of the dns to 0 in Firefox config did not help.
Restarting the browser does not help neither.
In the developer panel settings, i checked "disable http cache when dev tools is open", it did not worked.
At the moment, I have to work on my local in a private window, which is not very practical.
Does anybody knows how I can flush this cache in Firefox ?
Even better : is there a way to disable this cache ? As I'm using the developer edition, that would be awesome to be able to disable it at least on this version.
Thanks!
Since the root domain seems to affect the other domains, it may seem you are using HSTS to make sure all requests are https.
You have 3 solutions to fix this:
Exclude subdomains on the main HTST header
The simplest solution for you and all other developers working on your site may be removing the includeSubDomains on the HTST header on your main domain. (But beware that this decreases security if you actually use other subdomains)
Use a private window
HTST domains are not shared by to a private window for privacy reasons
Get an free SSL certificate for local.example.com
Temporary redirect the global local.example.com domain to your computer, and use letsencrypt to get a certificate for your pc

SSL doesn't work for PassBook on iPhones

We built a passbook server on ASP.NET and it worked perfect in Dev. environment (without SSL certificate).
Passes that were generated could be seen on iPhone (in dev. mode) and on Mac.
Then we bought an SSL from Thawte (just for the domain) and added the certificate to IIS.
Of course, domain name is associated with the same IP address.
So now, when a link to the pass is generated on our server, normal iPhone can't download it, saying "Can't download the file".
If I click the same link in Safari on Mac, it is opened, when click it from Chrome - file is downloaded.
We've tried whatever was possible - enabling SSL 2.0, then SSL 3.0 on the server. We also trued disabling all SSL and enabling all TLS instead - no luck.
The aspnet passbook server is configured using the following.
SSL 2 (disabled)
SSL 3 (disabled)
TLS 1.0 (enabled)
TLS 1.1 (enabled)
TLS 1.2 (enabled)
here is the ssl test result: http://clip2net.com/s/3lUpIiq
seems pretty configured correctly.
the pass can be viewed/run to any mac safari browsers, downloads pretty well on non-safari browsers, but not on iphones.
it just says, cannot download the file. we have been trying to search the internet for possible answers but no luck.
the thing is that the browsers including mac safari recognizes well the certificate installed on the aspnet passbook server. but it seems iphones does not recognize the certificate.
Please advise what else could be done?
Thanks!
Does the webServiceUrl have 'https'? If not, it needs to (see https://developer.apple.com/library/ios/documentation/UserExperience/Reference/PassKit_Bundle/Chapters/TopLevel.html#//apple_ref/doc/uid/TP40012026-CH2-SW3).
Other than that, you should be able to view the error from Passbook in the console window in XCode.
We found out what the error was, when we tried to debug it on a MAC with XCode. What it showed was the pass was missing some required fields, in our case, the icon/logo image, and second was the pass registration endpoint had some errors.
We tried to fix these issues including our pass registration endpoint. After that, all went well and has been working smoothly.
Depending on the pass type, there must be required fields that must be met, else, the pass won't install correctly on production mode.
Many thanks!

Website on IIS different than on Apache

I developed a website and published it on a LAN computer running IIS 6.0 all through my testing phase to make sure it looked correct and worked with all browsers. I heavily used CSS for my layout, a small amount of javascript and ASP only for Server Side Includes. The layout was tested in Chrome, Firefox, Opera, IE8 and Safari. All working as intended.
When I went to upload my completed website onto my domains host, the website came out looking completely different as well as the css drop-down menu not working. The following URL shows the differences (sorry both screen caps are combined because of link limit on SO):
Pic
After investigating a little bit, I discovered that hosting site runs Apache as their server. I also ran the ASP command Request.ServerVariables("SERVER_PROTOCOL") on both hosts and discovered that my IIS testing host returned SERVER_PROTOCOL: HTTP/1.1 while the Apache host returns SERVER_PROTOCOL: HTTP/1.0
I am somewhat stuck on where to go from here. Is this difference in server protocols causing my css to be interpreted incorrectly on the Apache server? Can I do anything about it considering my domain hosted server is out of my control? Am I completely off track and should look elsewhere?
CSS is interpreted by the browser, not the web server. The problem probably has to do with the way your hosting provider supports ASP sites (if it supports that at all).
This smells like wrong file references.
Are you sure the live server is not just getting a fatal error and aborting the execution of the page?
Have you checked your error log in your host control panel?
there could be some \ (backslash) instead of / (slash) in some path definition. IIS interprets backslash or slash in the same way (Apache doesn't).

Credentials prompt for an aspx page configured for anonymous authentication

From Flex we call a Upload.aspx page which is configured for anonymous authentication. Most of the time, it works like a charm, but once in a while, the browser does prompt a enter credentials popup...
The whole site is configured for Windows Authentication, but some pages and folders are set to use anonymous authentication. This is done using the location tag in web.config.
What could be the reason for this?
UPDATE:
Only happening in Internet Explorer... they should deport it.
If you use FireFox with FireBug, open up the Net panel, it will show you the request making the permissions request. If you cancel it, it will show an access denied in red, and that will easily help you hunt the issue down.
Maybe it's because a file (image, css, etc.) is being referenced that doesn't exist?
A couple of things I would check out:
Are there any images/other files that are added to your page using the FQDN? If so, are any of these pointing to an external site or staging site that might require credentials?
Is it possible that someone has removed permissions from the application pool credentials on the web server for some specific file or files the site is requesting?
Is the site load balanced or part of a farm? It could be that one or many servers are configured incorrectly, and the rest are ok. Then if by chance you hit the bad servers, you could get the prompt.

Authentication dialog when running with Visual Studio web server

When using Visual Studio's built in web server, every time I make a page request the standard login box pops up and asks for credentials. It doesn't work if I actually put in my credentials, so I just have to hit cancel 5 times so it will go away.
When I run the application through IIS (locally or on test server) it works just fine (no login box comes up).
Anyone know how to fix this or have any idea what might be causing it?
I assume you mean JavaScript alert box-looking login dialog, right? This dialog pops up when you make a request to a portion of website where anonymous access is disabled from IIS. It is different from ASP.NET authentication.
Do you have some portion of web site protected? Or are you making any HTTP request to external sites, like images and etc?
If your page looks ok after hitting cancel multiple times, it must be one of those HTTP request to protected file like images, css, js or whatever.
I'd look in Fiddler or Firebug to see if any request is failed when you hit cancel in that login dialog.
I'd also try clearing cache/authenticated session on the page that runs on IIS to see if it actually shows you that login dialog.
I had this same issue. However, my solution was different and the issue seemed different as well.
I had been working on a ASP.NET 2.0 web application, using VS 2008. Everything was working fine with the built-in IIS server. I hadn't opened this project for about a week and then when I chose "View in browser" in VS, I was prompted for my windows login creds. This project never did this before, so I was a bit baffled. I checked all the web.config settings and everything seemed fine. My project settings seemed correct as well. I decided to test the project by opening this same project in VS on a separate dev box on my network using a network path. I again chose "View in browser" and it worked fine. No logon prompt.
This told me that the issue wasn't with the actual web project itself, rather my dev environment. I checked all my browser settings as suggested above, and they were correct. I then compared my project settings while I had the same project (same physical files) opened in both dev boxes. I noticed a difference...
Under the Start Option in the Property Pages, the Web Server was set to use the Default Web server in both cases. However, on the box that was asking for my creds, the NTLM Authentication checkbox was selected. I unselected this and it resolved the issue.
I'm not sure how this was possible since I was opening the same project files, and would assume the project settings would be exactly the same. And the fact it was working fine a week ago really perplexed me. I chalked it up to an issue with VS 2008 on the box with the issue. I hope this helps anyone else that may be running into this issue.
This was because localhost was not in my trusted sites so it wouldn't do automatic NTLM authentication... I'm not sure why it was that way, but it was... adding localhost to the list fixed it.
In your project, there should be a vwd.webinfo file.
The following lines control authentication when debugging (in IISExpress). Set as follows to avoid all dialogs.
<VisualWebDeveloper>
<iisExpressSettings anonymousAuthentication="enabled" windowsAuthentication="disabled" useClassicPipelineMode="false"/>
</VisualWebDeveloper>
If windowsAuthentication="enabled" you may still get a dialog, even if anonymousAuthentication="enabled" :-)

Resources