I need to be able to open an external URL in my website without revealing it to my users (both in the browser and in the source). I do not want them to be able to copy the URL and edit the query string to their liking. Is there a way to open the URL in an iframe, or something of the like, and hide/mask its source?
This is an ASP.NET 2.0 website.
Could you do the following:
Accept parameters from the user.
Have a webpage or backend process which uses this to download the PDF to a temporary store.
Then stream this to the client, so they don't know about the URL where the PDF is generated? (or just stream directly, without downloading temporarily.)
This way users would never know about the other site, and it should be much more secure.
This could also use some validation/authentication so users are unable to alter the parameters passed to retrieve other users' PDFs.
No. If you are having the client's machine do something (i.e., point their browser to a web page), you cannot keep that information from them.
You can render that page server side in a Flash widget or some other container, but you can't do it on the client's machine.
Best bet: you can make a server-side XMLHTTP request, grab the response and feed it back into your page using AJAX.
You could possibly do it server side by:
Opening a network connection to the site you want
Obtaining the HTML from an HTTP GET request on the URL
Inserting it into your page on the server side
That would probably slow down your page load considerably though, and could come coupled with legal issues.
I had a similar problem myself a while ago and did something along these lines (C# .NET 2.0):
    using System;
    using System.IO;
    using System.Net;

    // Fetches the remote URL on the server and writes its body into the current
    // Response, so the client never sees the upstream address.
    public void StreamURLContents(string URL)
    {
        WebRequest req = WebRequest.Create(URL);
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
        using (Stream dataStream = resp.GetResponseStream())
        using (StreamReader reader = new StreamReader(dataStream))
        {
            string currentLine = reader.ReadLine();
            while (currentLine != null)
            {
                // ReadLine strips the line terminator; write it back so the
                // relayed HTML keeps its original line structure.
                Response.Write(currentLine);
                Response.Write(Environment.NewLine);
                currentLine = reader.ReadLine();
            }
        }
    }
You would have to tailor the writing of the HTML to suit your particular application obviously, and you'd break all of the relative links in the target site (image URLs, CSS links etc.), but if you're only after simple text HTML and want your web app to grab it server-side, then this is a good way to go.
You can make a one-time URL by doing the following:
Store a GUID in a database
Allow the client to request the GUID via hyperlink or other means. The GUID is used in the URL as the fake page; example: http://www.company.com/foo/abc-123-efg-456.aspx
Use URL Rewriting to capture and inspect all requests to the directory "foo" and redirect to your handler.
Confirm the GUID is valid, then mark it as "expired" in the database
Send the appropriate data (a PDF?) to the client as the response to the request.
Any subsequent requests to the same URL fail.
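The one-time URL scheme above as a small worked example (added here, not part of the original answer). The `/foo/<guid>.aspx` path shape comes from the answer; binding the token to the user who requested it and giving it a TTL are assumptions, as is the in-memory store standing in for the database.

```python
import time
import uuid

# Hypothetical one-time link store: a GUID is issued per (user, resource),
# redeemed once, and rejected afterwards, when expired, or for another user.
class OneTimeLinks:
    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._links = {}  # token -> {user, resource, issued, expired}

    def issue(self, user_id, resource):
        """Store a fresh GUID bound to the requesting user and the real resource."""
        token = str(uuid.uuid4())  # unguessable; the real path never appears in the URL
        self._links[token] = {"user": user_id, "resource": resource,
                              "issued": self._clock(), "expired": False}
        return "/foo/%s.aspx" % token

    def redeem(self, url, user_id):
        """Return the resource for a valid, unexpired token and mark it used; else None."""
        prefix, suffix = "/foo/", ".aspx"
        if not (url.startswith(prefix) and url.endswith(suffix)):
            return None
        token = url[len(prefix):-len(suffix)]
        entry = self._links.get(token)
        if entry is None or entry["expired"]:
            return None
        # Assumed extra check: a copied URL is useless to anyone but the requester.
        if entry["user"] != user_id:
            return None
        if self._clock() - entry["issued"] > self._ttl:
            entry["expired"] = True
            return None
        entry["expired"] = True  # single use: later requests to the same URL fail
        return entry["resource"]
```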
I have a ServerResource object that is running within a component. Its purpose is to act in many ways like a basic HTTP server. It uses a Representation to acquire a file and return the file's contents to a browser.
The active function for this application is provided below:
    import java.io.File;

    import org.restlet.data.MediaType;
    import org.restlet.representation.FileRepresentation;
    import org.restlet.representation.Representation;

    // Serves pages/<fileName> from disk; returns null when no file name was set.
    public Representation showPage()
    {
        Representation rep = null;
        if (fileName != null)
        {
            File path = new File("pages/" + fileName);
            rep = new FileRepresentation(path, MediaType.ALL);
        }
        return rep;
    }
Note that "fileName" is the name of an HTML file (or index.html) which was previously passed in as an attribute. The files that this application serves are all in a subdirectory called "pages" as shown in the code. The idea is that a browser sends an HTTP request for an HTML file, and the server returns that file's contents in the same way that Apache would.
Note also that the restlet application is deployed as a JSE application. I am using Restlet 2.1.
An interesting problem occurs when accessing the application. Sometimes, when the request comes from a Firefox browser, the server simply does not send a response at all. The log output shows the request coming in, but the server simply does not respond, not even with a 404. The browser waits for a response for a time, then times out.
When using Internet Explorer, sometimes the browser times out due to not receiving a response from the server, but sometimes the server also returns a 304 response. My research into this response indicates that it should not be returned at all -- especially if the HTML files have no-caching tags included.
Is there something in the code that is causing these non-responses? Is there something missing that is causing the ServerResource object to handle responses so unreliably? Or have I found a bug in Restlet's response mechanisms?
Someone please advise...
I'm using Response.Redirect to serve media files, but don't want people to see the direct url to the files nor the subdomain (host). Is it possible to fake a 'get', and hide host and referer?
Use a Server.Transfer to transfer the request processing to another page.
When you use the Transfer method, the state information for all the built-in objects are included in the transfer. This means that any variables or objects that have been assigned a value in session or application scope are maintained. In addition, all of the current contents for the Request collections are available to the .asp file that is receiving the transfer.
Server.Transfer acts as an efficient replacement for the Response.Redirect method. Response.Redirect specifies to the browser to request a different page. Because a redirect forces a new page request, the browser makes two requests to the Web server, so the Web server handles an extra request. IIS 5.0 introduced a new function, Server.Transfer, which transfers execution to a different ASP page on the server. This avoids the extra request, resulting in better overall system performance, as well as a better user experience.
Since the browser doesn't make another request, the URL is totally hidden from the browser, but it still gets the file that will be served by your redirect URL.
What you want is not possible - for a simple reason: To have the client download the file directly from another source, you need to communicate the information about the location to the client in some way: If the client doesn't know the location, it can't download from there.
Whatever you try in the way of obfuscation, if it is decodable for the client browser, it is decodable for a human being armed with Firebug.
I'm using HTML + jQuery as the UI, and Spring Roo to generate the service layer, which contains the JSON object/string conversion. It works well for us, as in the following sample code:
    import java.util.List;

    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpStatus;
    import org.springframework.http.ResponseEntity;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.ResponseBody;

    // Roo-generated inter-type declaration (it lives in an AspectJ .aj file),
    // which is why the method is named ArticleController.listJson().
    @RequestMapping(headers = "Accept=application/json")
    @ResponseBody
    public ResponseEntity<String> ArticleController.listJson() {
        HttpHeaders headers = new HttpHeaders();
        headers.add("Content-Type", "application/json; charset=utf-8");
        List<Article> result = Article.findAllArticles();
        return new ResponseEntity<String>(Article.toJsonArray(result), headers, HttpStatus.OK);
    }
But after developing several sample pages, I have some questions:
1) We want to use Spring Security as the access control module; is that OK for this framework? How can the server know that a request comes from the same browser session?
2) Instead of a JSP server technology, is pure HTML + jQuery really OK? I see a lot of Ajax code injected into the HTML, and much of it cannot be reused. As we know, server technologies have templates that maximize code reuse. I'm worried about the development difficulty and maintenance effort.
PS: We decided on HTML + jQuery + JSON because we get the HTML + CSS directly from the art designer, and we plan to support clients other than the browser, so JSON might be a good choice.
Thanks.
1) We want to use Spring Security as the access control module, [...] How can the server know it is the same session request from the browser?
First, the session must somehow be established on the server side. Use the standard Spring Security login screen or call spring_security_login via Ajax. In return the server sends a cookie with the JSESSIONID. This cookie is sent with every subsequent request (including Ajax requests), so the server knows which user is calling the REST methods. This is completely transparent.
Also, when you log out (by calling j_spring_security_logout) the session and the cookies are destroyed.
We are using this approach successfully (moreover, for historical reasons we are calling SOAP services from JavaScript!) and it works really well.
2) [...] is pure HTML + jQuery really OK? Because I see a lot of Ajax code injected in the HTML, and much of it cannot be reused. [...]
True separation of concerns is king. Keep JavaScript in one place (.js files) and HTML in another (.html files). They should never be mixed. Also keep your JavaScript code layered and stay away from DOM manipulation as much as possible (e.g. use client-side templating engines).
Moreover there is nothing preventing you from generating HTML during build so that common HTML snippets like headers and footers are included in every page.
What is the difference between the "Request" and "Response" terms in ASP.NET?
I am using ASP.NET 3.5.
Suppose I have to explain these terms to somebody. What should I say?
The Request is what a web client sends to the web server. The Response is what the web server sends - well, in response. Both are defined in the HTTP specification. (How they are structured, what information and meta data they include, etc.)
ASP.Net encapsulates these concepts in respective classes to make them programmatically accessible.
Edit: Specific examples as requested in the comments:
Request.QueryString
If you have a URL like the following:
http://www.host.com/Page.aspx?name=Henry&lastName=Ford
The part after the ? is the query string. (name=Henry&lastName=Ford <= The query string)
This is one common way to pass arguments to the server as part of the Request. In your server code you can access these arguments by using Request.QueryString:
    string name = Request.QueryString["name"];
    string lastName = Request.QueryString["lastName"];
Response.Redirect
Your server received a Request for a page and you want to redirect to another location. With the Response.Redirect() method, you add a specific piece of information to the Response that causes the browser to immediately go to this other page.
    // This tells the browser to load Google
    Response.Redirect("http://www.google.com");
There is an IIS (Internet Information Services) server. In ASP.NET, you Request data from the server, and what the server sends you is a Response.
Basically I need to serve files from a location that requires Windows authentication. Instead of having my clients deal with it directly, I would like to implement a process so that they can simply download the files as if they were on my server, after they have logged in to my system, of course. Here is what I have so far, which doesn't seem to work correctly:
    using System.IO;
    using System.Net;

    // Create the request to the Windows-authenticated location
    WebRequest request = HttpWebRequest.Create(button.CommandArgument);
    request.Credentials = new NetworkCredential(_username, _password);
    // Get the response and wrap its body in a text reader
    WebResponse response = request.GetResponse();
    StreamReader responseStream = new StreamReader(response.GetResponseStream());
    // Send the response directly to output
    Response.ContentEncoding = responseStream.CurrentEncoding;
    Response.ContentType = request.ContentType;
    Response.Write(responseStream.ReadToEnd());
    Response.End();
When I try this I am able to view the file, but something is wrong with the encoding or the content type and, for example, a PDF will contain 16 blank pages (instead of 16 pages of text).
Any idea what I am missing?
Feel free to change the title of this question if there is a better way of phrasing this question
Update:
Tried the two responses below but with no luck. I now think that the content type and encoding are OK, but maybe the authentication is failing? The content length is a lot smaller than it should be... Am I using the wrong method for Windows authentication?
Depending on how/what you have, I would do a few things.
Response.Clear() first of all, to remove anything that might have been rendered.
I would then add a header with Content-Disposition set and send it down as an actual attachment, rather than just writing it to the user.
It looks like you're sending the wrong content type in your last code block. You're sending the type of the user's original request instead of the content type of the file that you've retrieved. Change this:
    Response.ContentType = request.ContentType;
to:
    Response.ContentType = response.ContentType;
If your problem is related to network credentials, you may want to try a different approach. If you grant HTTP access to the identity that the web site's application pool is using, you can avoid having to specify the username/password credentials in the request. This also gives you the added benefit of not needing to store the password somewhere.
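A worked model of the relay the question and the answers above describe (added here, not code from the original thread). `relay_download` applies both suggestions: the Content-Type comes from the upstream response and the body is sent as an attachment, copied as raw bytes; `relay_as_text` models the question's read-through-a-text-reader pattern, which alters any byte sequence that is not valid in the chosen encoding. The `UPSTREAM_FILES` map, `fetch_upstream` stub and the file id are constructed stand-ins for the Windows-authenticated server.

```python
import io

# Constructed stand-in for the Windows-authenticated file server being proxied.
# The client only ever sees the key; the real location stays server-side.
# The bytes deliberately include values that are not valid UTF-8, as a real PDF does.
UPSTREAM_FILES = {
    "report-q3": ("q3-report.pdf", "application/pdf",
                  b"%PDF-1.4\n\xe2\xe3\xcf\xd3 16 pages of binary data \x00\xff\n%%EOF\n"),
}

def fetch_upstream(file_id):
    """Stand-in for WebRequest.GetResponse() with a NetworkCredential attached.
    Returns (filename, content_type, binary stream) or None if the id is unknown."""
    entry = UPSTREAM_FILES.get(file_id)
    if entry is None:
        return None
    filename, content_type, data = entry
    return filename, content_type, io.BytesIO(data)

def relay_download(file_id, fetch=fetch_upstream, chunk_size=8192):
    """Build the response the page should send: the upstream Content-Type,
    an attachment Content-Disposition, and the body copied as raw bytes."""
    upstream = fetch(file_id)
    if upstream is None:
        return {"status": 404, "headers": {}, "body": b""}
    filename, content_type, stream = upstream
    body = io.BytesIO()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        body.write(chunk)  # no text decoding anywhere on the path
    data = body.getvalue()
    headers = {
        "Content-Type": content_type,  # from the upstream response, not the client's request
        "Content-Disposition": 'attachment; filename="%s"' % filename,
        "Content-Length": str(len(data)),
    }
    return {"status": 200, "headers": headers, "body": data}

def relay_as_text(file_id, fetch=fetch_upstream, encoding="utf-8"):
    """The pattern from the question, modelled here: read the body through a text
    reader and write the resulting string back out. Invalid byte sequences are
    replaced on the way through, so the relayed file no longer matches the original."""
    _, _, stream = fetch(file_id)
    text = stream.read().decode(encoding, errors="replace")
    return text.encode(encoding)
```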