Claudio
Newbie
Posts: 8
« on: December 05, 2013, 06:16:44 PM »
Hello,
I did a simple rtc-based app, that basically is an httpserver with two dataproviders linked. All is running well, but recently a customer implemented an architecture with:
(A) (B) (C) - client browser > app server > rtc application (mine)
To make a long story short, (A) makes a call to (C) through (B), but probably (C) thinks (or is told to) that it should reply to (A) (it appears as some sort of triangulation attack in effect), and denies the request.
I was told that I should implement something like this to relax security checks (Java, but just an example):
```java
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerResponse;
import com.sun.jersey.spi.container.ContainerResponseFilter;

public class CrossOriginResourceSharingFilter implements ContainerResponseFilter {
    @Override
    public ContainerResponse filter(ContainerRequest request, ContainerResponse response) {
        response.getHttpHeaders().putSingle("Access-Control-Allow-Origin", "*");
        response.getHttpHeaders().putSingle("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
        // putSingle replaces any existing value, so both allowed request headers
        // must go into one comma-separated value (two calls would keep only the last).
        response.getHttpHeaders().putSingle("Access-Control-Allow-Headers", "content-type, X-Requested-With");
        return response;
    }
}
```
I cannot be more specific since I am not in office as of now. Thanks !
Claudio
Kevin Powick
RTC Expired
Posts: 87
« Reply #1 on: December 05, 2013, 06:27:10 PM »
It sounds like the situation you've encountered is a security feature known as CORS: Cross-Origin Resource Sharing. https://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
Everything you need to know is on the linked page, above, but just to emphasize, I would not have your RTC data provider return the header Access-Control-Allow-Origin: *
Linux is only free if your time is worthless
Claudio
Newbie
Posts: 8
« Reply #2 on: December 05, 2013, 06:33:44 PM »
Thanks, Kevin.
However, my services are not exposed to the Internet, so are you able to tell me what I should do (in rtc jargon) to permit these calls? I am totally lost.
Thank you in advance
Claudio
D.Tkalcec (RTC)
« Reply #3 on: December 05, 2013, 06:37:31 PM »
If you mean that none of your DataProviders recognize this as a valid request, the problem could also be that the AppServer is sending requests with a "HTTP://" prefix in the URI, which isn't what one would normally do when talking to a Web Server. If that is the problem, then setting FixupRequest.RemovePrefix:=True on the TRtcHttpServer component should solve it and give you a clean Request.FileName to work with.
And if you are using RTC Sessions and want to loosen up the way Session IDs are linked to incoming IP addresses, use the OpenSession method with the sesNoLock parameter. The default parameter is sesFwdLock, which works with Web Clients as well as Web Proxies, but might not work with custom Servers which don't send the X-FORWARDED-FOR header value in their HTTP requests.
If the problem is related to something else, then I need more information.
To start with, you should log all requests which don't get accepted by your Server. This can easily be done by implementing the OnRequestNotAccepted event on the TRtcHttpServer component. If you want, you can also log requests which do get accepted by implementing the OnRequestAccepted event. The absolute minimum you should write to a LOG file are the TRtcDataServer(Sender).Request.URI and TRtcDataServer(Sender).Request.HeaderText properties.
Best Regards, Danijel Tkalcec
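An added illustration, not RTC SDK code and not from any of the posts: what the two settings described above (stripping an absolute-form "HTTP://" prefix from the request URI, and a forward-lock that ties a session to the address behind a proxy) amount to, written in Python with constructed inputs. The trusted-proxy range is an assumption.

```python
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlsplit


def normalize_request_target(target: str) -> str:
    """Reduce an absolute-form request target ("HTTP://host:8080/path?q=1"),
    which proxies and app servers sometimes send, to the origin-form
    ("/path?q=1") a web server expects. Origin-form input is returned as is."""
    if target.startswith("/"):
        return target
    parts = urlsplit(target)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported request target: {target!r}")
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


# Constructed assumption: only hops inside this range may speak for the client.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def lock_address(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Address a forward-locked session is bound to.

    If the TCP peer is a trusted proxy that supplied X-Forwarded-For, bind to
    the client the proxy reports (the first entry); otherwise bind to the peer
    itself. The header is ignored from untrusted peers because any client can
    set it, and a value that is not an address also falls back to the peer.
    An app server that never sends the header is therefore locked to its own
    address, which is the mismatch the sesFwdLock remark above describes."""
    peer = ip_address(peer_ip)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        first = x_forwarded_for.split(",")[0].strip()
        try:
            return str(ip_address(first))
        except ValueError:
            pass  # forged or malformed header: do not trust it
    return peer_ip
```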
Claudio
Newbie
Posts: 8
« Reply #4 on: December 05, 2013, 06:53:29 PM »
Hello Danijel,
Thank You all for your quick responses. Tomorrow morning I will implement logs and will let you know.
(P.S.: no, I'm not using sessions)
Claudio
D.Tkalcec (RTC)
« Reply #5 on: December 05, 2013, 07:06:07 PM »
If the connection is being dropped by the Client or the 3rd-party App Server, because one of them expects to receive specific HTTP header values in your response, and the example you have posted above would work from Java, then you can use the code below to prepare the response header in your RTC Server before you start using the "Write" method and send the response out:
```delphi
// Event handler on the TRtcDataProvider serving the request. The class and
// handler names are placeholders; the body is the posted code.
procedure TMyServerModule.DataProviderDataReceived(Sender: TRtcConnection);
var
  Srv: TRtcDataServer absolute Sender;
begin
  if Srv.Request.Complete then
  begin
    // prepare required HTTP response header parameters
    Srv.Response['Access-Control-Allow-Origin'] := '*';
    Srv.Response['Access-Control-Allow-Methods'] := 'GET, POST, PUT, DELETE';
    Srv.Response['Access-Control-Allow-Headers'] := 'X-Requested-With';
    // Here, you can start using Srv.Write to send the content out ...
    ...
  end;
end;
```
Best Regards, Danijel Tkalcec
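An added example, not RTC SDK code and not from the posts: the same three response headers the snippet above sets, but driven by an origin allow-list instead of "*", which is the change Kevin's reply recommends. Written in Python for illustration; the app-server origin is a constructed placeholder.

```python
from typing import Dict, Optional

ALLOWED_ORIGINS = {"https://appserver.example"}         # constructed placeholder
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = ("content-type", "x-requested-with")  # compared case-insensitively


def cors_headers(method: str, request_headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """CORS response headers for one request, or None when the request gets
    no CORS headers at all (unknown origin, or a preflight asking for more
    than the server allows). Header names are matched case-insensitively."""
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Unknown origin: say nothing, so the browser blocks the cross-origin
        # read. A "*" here would hand the response to any site instead.
        return None
    out = {
        "Access-Control-Allow-Origin": origin,  # echo the one specific origin
        "Vary": "Origin",                       # caches must not reuse it for others
    }
    if method.upper() == "OPTIONS" and "access-control-request-method" in hdrs:
        # Preflight: confirm only what the server actually permits.
        want_method = hdrs["access-control-request-method"].upper()
        want_headers = [
            h.strip().lower()
            for h in hdrs.get("access-control-request-headers", "").split(",")
            if h.strip()
        ]
        if want_method not in ALLOWED_METHODS:
            return None
        if any(h not in ALLOWED_HEADERS for h in want_headers):
            return None
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        # One comma-separated value: Response[] / putSingle overwrite, not append.
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        out["Access-Control-Max-Age"] = "600"
    return out
```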
Claudio
Newbie
Posts: 8
« Reply #6 on: December 06, 2013, 12:51:31 PM »
This is *exactly* the information I was searching for, and now it works. Thanks a million.
Claudio