I have been trying this for quite some time and with no avail. Would someone point me to the right direction.
I have a simple suitelet
the suitelet dumps a html in the response by reading a file
The html has a button. On ajax call of that button, a restlet gets called and a request is sent.
This is working great with Login and internal calls. However, I want the suitelet to be available without login and also the restlet.
When I do that, I get CORS error and using jsonp when I relsolve that, I get 401 Unauthorized
Tried Outh and NLAuth, no avail.
Will really appreciate any help or pointers.
If the info isn't sensitive you can call the suitelet from the domain of your website. If you have enabled https on the site then that'll just work
e.g. https://forms.na3.netsuite.com/app/site... becomes http://example.com/app/site...
If you are using SCA then you can also just do this by calling a .ss service function. The nice thing about that is that you can set the role on the .ss file and have better control of your resources without just making the customer center role capable of seeing everything. Same issue with https though.
If the info is sensitive you can get around the issue on most browsers by embedding an iframe at the https:// forms etc and using the onMessage operation to transfer info from the non-secure to the secure. (see https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)
It's certainly possible to call a RESTlet from a Suitelet but it sounds like your issue is more how to call the Suitelet securely.
Related
I am making one website in which the form is submitted using jQuery ajax. I have taken care of most of the security majors like HTTPS, session cookie, encryption etc.
Hence I have minimised the possibility of outside person sniffing or modify my data transfer.
But there can be a valid registered user who wants to play havoc by using Chrome inspect element. He can for example create a for loop in which is calls my jQuery ajax post call.
Can this be possible? How can I avoid this? I am unable to find a better alternative & resort once again to basic form post instead of ajax.
Thanks.
Anything you present client side can be messed with. A user will always be able to modify your front end code, and do what they want with it. This is why you need server side validation.
If you are worried about a repeating post call, it sounds like you are worried about a DOS attack I guess?
Your server configuration should be set up to detect frequent requests from the same user and deny service to it.
I have an ASP.NET MVC4 sub web application added in to an existing ASP.NET WebForm web site. the whole website is using forms authentication.
In my MVC4 client side, I use Backbone.js for building the application, and the client application is most likely a SPA.
Everything works fine, but after session timeout my application does not redirect to log-in page.
I tried the error callback on Collection.fetch method, it was triggered (which is good) when trying to fetch after session time out.
However, the response status code is 200 (OK) with response content is the log-in page content.
So, my question is, in error handler how do I know whether the callback is triggered by session timeout or any other unexpected error?
If determined, how should I do to let Backbone redirect page to log-in page while referring current page?
Here is something what Phil Haack had blogged about
Exceprts from the post :
Possible Solutions
I’m going to cover a few possible solutions I’ve seen around the web and then present the one that I prefer. It’s not that these other solutions are wrong, but they are only correct in some cases.
Remove Forms Authentication
If you don’t need FormsAuth, one simple solution is to remove the forms authentication module as this post suggests. This is a great solution if you’re sole purpose is to use ASP.NET to host a Web API service and you don’t need forms authentication. But it’s not a great solution if your app is both a web application and a web service.
Register an HttpModule to convert Redirects to 401
This blog post suggests registering an HTTP Module that converts any 302 request to a 401. There are two problems with this approach. The first is that it breaks the case where the redirect is legitimate and not the result of FormsAuth. The second is that it requires manual configuration of an HttpModule.
Install-Package MembershipService.Mvc
My colleague, Steve Sanderson, has an even better approach with his MembershipService.Mvc and MembershipService.WebForms NuGet packages. These packages expose ASP.NET Membership as a service that you can call from multiple devices.
Some more info from comment of this blog
We had the same problem. But what we did, was to hook to AuthenticateRequest (just like you did) and we also checked the request to see if it's ajax or not (again, just like what you did). But at this point, we simply returned a JSON like {location: 'http://www.domain.com/path-to-login-page'} and we simply ended response in that method with HTTP code 200. This way, jQuery still gets a JSON result. But if the result has a "location" property, we simply do a client-side redirect to login page. That's our way and it works like a charm.
Firstly, I have to admit I am new to Magento and PHP. I am writing the configuration for my custom module. I would like to allow entry of some information, then send that information to a servlet on my web server where it is processed and a response returned and displayed in the configuration gui in a read-only field.
I am getting my guidance from various web articles and by looking at other modules' code. A module that does something similar is the PayPal module. However, it brings up a new browser window where the user logs in and enters their details. I just want to send the data gathered and wait for the response.
In my system.xml file I specify a frontend_model. In that frontend_model, the _prepareLayout method sets the template to my template, and in that template I have an HTML button. I added an onClick event handler to that button which makes an AJAX call to my web site. Unsurprisingly (because of the same origin policy I assume) the AJAX call fails with a code of 0.
I guess what I should be doing is when the user clicks the button, the request including the data they have entered in the other fields, is sent to the Magento server, and the AJAX call to my web site is made from there? Or perhaps my approach is completely wrong and there is a more appropriate way to achieve this?
Thank you.
You're right about the same origin policy. The best approach here would be to have the button trigger an ajax call to a local magento based controller, which itself uses curl or some other http request library to forward on a request to your remote servlet and process the feedback.
Try searching here "JSONP" or google the same thing. Dependent of javascript library you are using there are pre-made components/plugins to achieve what you are after.
I've created a RESTful API that supports GET/POST/PUT/DELETE requests. Now I want my API to have a Javascript client library, and I thought to use JSONP to bypass the cross-domain policy. That works, but of course only for GET requests.
So I started thinking how to implement such a thing and at the same time trying to make it painless to use.
I thought to edit my API implementation and check every HTTP request. If it's a JSONP requests (it has a "callback" parameter in the querystring) I force every API method to be executed by a GET request, even if it should be called by other methods like POST or DELETE.
This is not a RESTful approach to the problem, but it works. What do you think?
Maybe another solution could be to dynamically generate an IFrame to send non-GET requests. Any tips?
There's some relevant points on a pretty similar question here...
JSONP Implications with true REST
The cross-domain restrictions are there for a reason ;-)
Jsonp allows you to expose a limited, safe, read-only view of the API to cross domain access - if you subvert that then you're potentially opening up a huge security hole - malicious websites can make destructive calls to your API simply by including an image with an href pointing to the right part of the API
Having your webapp expose certain functionality accessed through iframes, where all the ajax occurs within the context of your webapp's domain is definitely the safer choice. Even then you still need to take CSRF into consideration. (Take a look at Django's latest security announcement on the Django blog for a prime example - as of a release this week all javascript calls to a Django webapp must be CSRF validated by default)
The Iframe hack is not working anymore on recent browsers, do not use it anymore (source : http://jquery-howto.blogspot.de/2013/09/jquery-cross-domain-ajax-request.html)
I want to use mootools and SqueezBox class to handle a request to a RESTful service. I don't want to use any server-side script. I am using AJAX. I send a request to the following url using GET method.
http://www.idevcenter.com/api/v1/links/links-upcoming.json
but I receive a 404 error. Is it because cross-site scripting? here is my code:
SqueezeBox.initialize({handler:'url',ajaxOptions:{method:'GET'}});
$('a.modal').addEvent('click',function(e){
new Event(e).stop();
SqueezeBox.fromElement($('a.modal'));
});
In Firebug console, sometimes 'aborted' is shown and sometimes '404'.what is wrong with that?
XMLHttpRequest is subject to the Same Origin Policy; if the document your JavaScript is running within is not from the same origin as the service you're trying to call, the call will be disallowed for security reasons.
There is now a proposed standard for cross-origin resource sharing to address this. It may be that the service you're trying to use supports it; if so, using a browser that implements CORS (recent versions of Firefox and Chrome do, as do some others) may work. IE8 supports it but requires that you do extra work.
You cannot use XMLHttpRequest (that is, ordinary "ajax") to call a service on a server that is not in your domain.
You can, however, use the JSONP trick, which takes advantage of the fact that the browser will load Javascript from other domains. However, the service has to know that you're going to do that, and it has to understand the protocol. That particular service seems perfectly willing to give me a JSON response, but it doesn't pay attention when I give it a "callback" parameter. (I've tried both "callback" and "jsonp" and the JSON blob that comes back is the same, without a function call wrapper.)