Set realm username/password


Set realm username/password

maxwellk2
Mac OS X
Lasso 8.1 (upgrading to 8.6)

OK, uncle, I'm just not familiar enough with how HTTP realm authentication works - even after spending all day with Google and Nabble.

I'm in the middle of updating an involved Lasso site, the first phase is updating the public facing website and a later phase will be updating the protected customer website. The new public site design has a username/password form at the top of each page that will be used for customer login. My problem is (for the time being) the existing customer website will continue to use Lasso's realm-based user authentication. I can't quite figure out how to pass the username/password into the HTTP header so that when a user fills out the form on the public site and gets to the customer pages they aren't presented with the browser's realm authentication dialog and have to type in credentials yet again.

I tried including the username:password in the URL a la...

        http://[Action_Param('login')]:[Action_Param('password')]@example.com/customer-site.lasso

…but IE no longer supports this syntax and I'd prefer not exposing the user's credentials anyway. Is there an alternate way to manipulate and pre-populate the realm authentication or am I missing the point?

Thanks,
Max
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: Set realm username/password

stevepiercy
First of all, anything transmitted over HTTP can be seen by
everyone between the client's web browser and your server, and
is probably logged as well, all in clear text.  All logins
should use HTTPS, unless you are on a private, secure and
trusted network (even then, I wouldn't trust using HTTP).
http://httpd.apache.org/docs/2.2/howto/auth.html

Realm authentication lacks features that sessions provide.  How
do you logout using realms?  You quit the browser.

Unless you know how to write *nix scripts or have some other
tools to manage users and groups within the realm, using realms
quickly becomes difficult to maintain.

The argument for using realms for authentication instead of
sessions in Lasso is a difficult one to win.  You may have a
specific use case where it is necessary, but for most web
applications it is better to use sessions.

--steve


On 7/26/11 at 11:05 PM, [hidden email] (Maxwell Klein) pronounced:


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>


Re: Set realm username/password

Marc Vos
In reply to this post by maxwellk2
There is the 'auth_custom' tag which you can pass a tag to handle un/pw, also via the http://un:pw@... method. We use it like this, for example: auth_custom(-AuthTag='zz_auth_check', -AuthTagParams=array(-group='zz_sys'), -realm='GDTG Logistics'); and we have a 3rd-party site which sends the un/pw in the URL.

But, if the un/pw do not match, it pops up the standard http-login dialog, but you might be able to change that.

- -
Marc

On 27 Jul, 2011,at 08:05 AM, Maxwell Klein <[hidden email]> wrote:


Re: Set realm username/password

maxwellk2
In reply to this post by stevepiercy
Agreed on all points Steve, this site was built way back when and is being moved to session based authentication in the next rev. Just trying to avoid a partial overhaul to get this one username/password login form to work.

Marc, I'll have a look again at Auth_Custom, I stared at it for a while but couldn't figure out how to work around IE not allowing the http://un:pw@ method.

The issue is that I'm using Client_Username and Client_Password scattered around the site both for authentication and in Inlines to limit found record sets. Maybe not an ideal setup but this was one of my first Lasso projects many many years ago. So I was looking for a way to circumvent the browser realm auth dialog and cram in the un/pw provided via a custom form. As usual the workaround works in all browsers except IE.

Thankfully the client is still with me and keen on supporting a rebuild.

Thanks for the help guys,
Max


On Jul 27, 2011, at 2:24 AM, Steve Piercy - Web Site Builder wrote:



Re: Set realm username/password

Marc Vos
The way we handle un:pw is via special code in at_begin, and it should load before everything else, so I put it in a file named 'atbegin_01_passivelogin.lasso' in LassoStartup. Bil made this for us and here it is:

[

/*

Passive Login

Looks for requests containing params -username and -password, then uses those to auto-login the user via HTTP Authentication,
then redirects to the page.  Note that the HTTP Auth is done against the original url without the original params, then is hit
again when the user is redirected to the page WITH the params.  The redirect is a GET, so it won't do a POST.

BE SURE TO CONFIGURE WHERE jQUERY IS LOCATED!

*/

define_atBegin({

// The lp_* tags used below are helper tags that ship with this code's environment, not built-in Lasso 8 tags.
// Skip the whole block when -skipPassiveLogin=true is present (the no-JavaScript fallback link below sets it).
if( lp_client_params->find('-skipPassiveLogin')->size == 0 || lp_client_param('-skipPassiveLogin') == 'false');
        if( lp_client_params->find('-username')->size);
                if( lp_client_params->find('-password')->size);

                        // Keep only the first run of whitelisted characters. Quotes, angle brackets and
                        // whitespace are outside the class, so the value cannot break out of the inline
                        // script string below; a value containing such a character is truncated at that
                        // point and the login simply fails.
                        local('username') = lp_client_param('-username');
                        #username = string_findregexp(#username,-find='(?i)[a-z0-9~!@#$%^&*()_+=\\-`{};,.:?/]+');
                        if(#username->size);
                                #username = #username->get(1);
                        else;
                                #username = '';
                        /if;

                        local('password') = lp_client_param('-password');
                        #password = string_findregexp(#password,-find='(?i)[a-z0-9~!@#$%^&*()_+=\\-`{};,.:?/]+');
                        if(#password->size);
                                #password = #password->get(1);
                        else;
                                #password = '';
                        /if;

                        // remove -username and -password from the url (current path plus full query string)
                        local('url') = lp_page_path->url(-fullargs);
                        #url = string_replaceregexp(#url,-find='(?i)\\-username=[^&]*&*',-replace='');
                        #url = string_replaceregexp(#url,-find='(?i)\\-password=[^&]*&*',-replace='');
                        #url->removetrailing('&');
                        #url->removetrailing('?');

                        // Single-page fallback for browsers without JavaScript: the same URL, flagged so
                        // this block does not run again; '&' is entity-encoded for use in an HTML attribute.
                        local('oneurl') = lp_page_path->url(-fullargs) + '&-skipPassiveLogin=true';
                        #oneurl->replace('&','&amp;');

                        // Replace the requested page with a stub that performs the realm login from
                        // JavaScript: a synchronous XHR to this same path with jQuery's username/password
                        // options sends the Authorization header, the browser caches the credentials for
                        // the realm, and the redirect to #url then succeeds without the login dialog.
                        content_body = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
                                <html>
                                        <head>
                                                <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
                                                <title>Auto Log-In</title>
                                                <script src="/libjs/jquery-1.2.3.pack.js" type="text/javascript"></script>
                                                <script language="JavaScript" type="text/javascript">
                                                        $(function(){
                                                                $.ajax({
                                                                        url: "' + response_filepath + '",
                                                                        cache: false,
                                                                        async: false,
                                                                        username: "' + #username + '",
                                                                        password: "' + #password + '",
                                                                        success: function(html){
                                                                                window.location="' + #url + '";
                                                                        },
                                                                        error: function(html){
                                                                                // a 401 from the realm lands here
                                                                                alert("Sorry, unable to log you in.");
                                                                                return false;
                                                                        }
                                                                });
                                                        });
                                                </script>
                                        </head>
                                        <body style="background: white;">
                                                <h1>Please wait...</h1>
                                                You are being authenticated.  Please turn on JavaScript if you see this message for longer than 30 seconds.<br><br>If JavaScript is unavailable, you can authenticate for a single page by going <a href="'+ #oneurl + '">here</a>.
                                        </body>
                                </html>';

                        // stop processing the requested page; the stub above is the whole response
                        abort;

                /if;
        /if;
/if;

});
]

On 27 jul. 2011, at 16:18, Maxwell Klein wrote:



Re: Set realm username/password

maxwellk2
WHOA, I don't quite understand how it works, and even less how I managed to get it implemented, but that did it! Very much appreciated Marc and Bil. Where do I send the bourbon and cigars?

Thanks,
Max


On Jul 27, 2011, at 12:23 PM, Marc Vos wrote:


Re: Set realm username/password

Bil Corry-3
Haha, yeah, that was a fun one.  It uses XHR to do the HTTP Auth on behalf of the user, then redirects once it's finished to the main page.


- Bil

Maxwell Klein wrote on 7/27/2011 1:56 PM:

> WHOA, I don't quite understand how it works, and even less how I managed to get it implement, but that did it! Very much appreciated Marc and Bil. Where do I send the bourbon and cigars?
>
> Thanks,
> Max
>
>
> On Jul 27, 2011, at 12:23 PM, Marc Vos wrote:
>
>> The way we handle un:pw is via special code in at_begin, and should load before everything else, so I put it in file named 'atbegin_01_passivelogin.lasso' in LassoStartup. Bil made this for us and here it is:
>>
>> [
>>
>> /*
>>
>> Passive Login
>>
>> Looks for requests containing params -username and -password, then uses those to auto-login the user via HTTP Authentication,
>> then redirects to the page.  Note that the HTTP Auth is done against the original url without the original params, then is hit
>> again when the user is redirected to the page WITH the params.  The redirect is a GET, so it won't do a POST.
>>
>> BE SURE TO CONFIGURE WHERE jQUERY IS LOCATED!
>>
>> */
>>
>> define_atBegin({
>>
>> if( lp_client_params->find('-skipPassiveLogin')->size == 0 || lp_client_param('-skipPassiveLogin') == 'false');
>> if( lp_client_params->find('-username')->size);
>> if( lp_client_params->find('-password')->size);
>>
>> local('username') = lp_client_param('-username');
>> #username = string_findregexp(#username,-find='(?i)[a-z0-9~!@#$%^&*()_+=\\-`{};,.:?/]+');
>> if(#username->size);
>> #username = #username->get(1);
>> else;
>> #username = '';
>> /if;
>>
>> local('password') = lp_client_param('-password');
>> #password = string_findregexp(#password,-find='(?i)[a-z0-9~!@#$%^&*()_+=\\-`{};,.:?/]+');
>> if(#password->size);
>> #password = #password->get(1);
>> else;
>> #password = '';
>> /if;
>>
>> // remove -username and -password from the url
>> local('url') = lp_page_path->url(-fullargs);
>> #url = string_replaceregexp(#url,-find='(?i)\\-username=[^&]*&*',-replace='');
>> #url = string_replaceregexp(#url,-find='(?i)\\-password=[^&]*&*',-replace='');
>> #url->removetrailing('&');
>> #url->removetrailing('?');
>>
>> local('oneurl') = lp_page_path->url(-fullargs) + '&-skipPassiveLogin=true';
>> #oneurl->replace('&','&amp;');
>>
>> content_body = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
>> <html>
>> <head>
>> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
>> <title>Auto Log-In</title>
>> <script src="/libjs/jquery-1.2.3.pack.js" type="text/javascript"></script>
>> <script language="JavaScript" type="text/javascript">
>> $(function(){
>> $.ajax({
>> url: "' + response_filepath + '",
>> cache: false,
>> async: false,
>> username: "' + #username + '",
>> password: "' + #password + '",
>> success: function(html){
>> window.location="' + #url + '";
>> },
>> error: function(html){
>> alert("Sorry, unable to log you in.");
>> return false;
>> }
>> });
>> });
>> </script>
>> </head>
>> <body style="background: white;">
>> <h1>Please wait...</h1>
>> You are being authenticated.  Please turn on JavaScript if you see this message for longer than 30 seconds.<br><br>If JavaScript is unavailable, you can authenticate for a single page by going<a href="'+ #oneurl + '">here</a>.
>> </body>
>> </html>';
>>
>> abort;
>>
>> /if;
>> /if;
>> /if;
>>
>> });
>> ]
>>
>> On 27 jul. 2011, at 16:18, Maxwell Klein wrote:
>>
>>> Agreed on all points Steve, this site was built way back when and is being moved to session based authentication in the next rev. Just trying to avoid a partial overhaul to get this one username/password login form to work.
>>>
>>> Marc, I'll have a look again at Auth_Custom, I stared at it for a while but couldn't figure out how to work around IE not allowing the http://un:pw@ method.
>>>
>>> The issue is that I'm using Client_Username and Client_Password scattered around the site both for authentication and in Inlines to limit found record sets. Maybe not an ideal setup but this was one of my first Lasso projects many many years ago. So I was looking for a way to circumvent the browser realm auth dialog and cram in the un/pw provided via a custom form. As usual the workaround works in all browsers except IE.
>>>
>>> Thankfully the client is still with me and keen on supporting a rebuild.
>>>
>>> Thanks for the helps guys,
>>> Max
>>>
>>>
>>> On Jul 27, 2011, at 2:24 AM, Steve Piercy - Web Site Builder wrote:
>>>
>>>> First of all, anything transmitted over HTTP can be seen by everyone between the client's web browser and your server, and is probably logged as well, all in clear text.  All logins should use HTTPS, unless you are on a private, secure and trusted network (even then, I wouldn't trust using HTTP).
>>>> http://httpd.apache.org/docs/2.2/howto/auth.html
>>>>
>>>> Realm authentication lacks features that sessions provide.  How do you logout using realms?  You quit the browser.
>>>>
>>>> Unless you know how to write *nix scripts or have some other tools to manage users and groups within the realm, using realms quickly becomes difficult to maintain.
>>>>
>>>> The argument for using realms for authentication instead of sessions in Lasso is a difficult one to win.  You may have a specific use case where it is necessary, but for most web applications it is better to use sessions.
>>>>
>>>> --steve
>>>>
>>>>
>>>> On 7/26/11 at 11:05 PM, [hidden email] (Maxwell Klein) pronounced:
>>>>
>>>>> Mac OS X
>>>>> Lasso 8.1 (upgrading to 8.6)
>>>>>
>>>>> OK, uncle, I'm just not familiar enough with how HTTP realm authentication works - even after spending all day with Google and Nabble.
>>>>>
>>>>> I'm in the middle of updating an involved Lasso site, the first phase is updating the public facing website and a later phase will be updating the protected customer website. The new public site design has a username/password form at the top of each page that will be used for customer login. My problem is (for the time being) the existing customer website will continue to use Lasso's realm-based user authentication. I can't quite figure out how to pass the username/password into the HTTP header so that when a user fills out the form on the public site and gets to the customer pages they aren't presented with the browser's realm authentication dialog and have to type in credentials yet again.
>>>>>
>>>>> I tried including the username:password in the URL a la...
>>>>>
>>>>>
>>>>> http://[Action_Param('login')]:[Action_Param('password')]@example.com/customer-site.lasso
>>>>>
>>>>> …but IE no longer supports this syntax and I'd prefer not exposing the user's credentials anyway. Is there an alternate way to manipulate and pre-populate the realm authentication or am I missing the point?
>>>>>
>>>>> Thanks,
>>>>> Max

Re: Set realm username/password

Bil Corry-3
In reply to this post by stevepiercy
Steve Piercy - Web Site Builder wrote on 7/27/2011 2:24 AM:
> First of all, anything transmitted over HTTP can be seen by everyone between the client's web browser and your server, and is probably logged as well, all in clear text. All logins should use HTTPS, unless you are on a private, secure and trusted network (even then, I wouldn't trust using HTTP).
> http://httpd.apache.org/docs/2.2/howto/auth.html

Good advice, authentication should always be over HTTPS.


> Realm authentication lacks features that sessions provide. How do you logout using realms? You quit the browser.

You can log out users using JavaScript, here's a demo:

        http://www.corry.biz/logout_demo/


> Unless you know how to write *nix scripts or have some other tools to manage users and groups within the realm, using realms quickly becomes difficult to maintain.

Marc already posted the hook in auth_custom you can use to custom roll your own backend for validating users via HTTP Auth.  We needed it and it didn't exist, so I modified auth_custom to do it, then donated the changes back to the Lasso community.

If there's interest, perhaps I can find time to create a skeleton auth system using HTTP Auth that doesn't rely on Lasso Security to manage it.


- Bil

Re: Set realm username/password

Adam de Zoete-2
On Tue Aug  2 09:49:26 2011, Bil Corry wrote:
>
> You can log out users using JavaScript, here's a demo:
>
> http://www.corry.biz/logout_demo/
>

FYI, this demo didn't work for me on Safari 5.1 Mac, it seems to
permanently keep me logged in. It's working in Firefox, but with Safari
the "Please wait" screen never appears.

Adam



Re: Set realm username/password

Bil Corry-3
Adam de Zoete wrote on 8/2/2011 2:07 AM:
> On Tue Aug 2 09:49:26 2011, Bil Corry wrote:
>>
>> You can log out users using JavaScript, here's a demo:
>>
>> http://www.corry.biz/logout_demo/
>>
>
> FYI, this demo didn't work for me on Safari 5.1 Mac, it seems to permanently keep me logged in. It's working in Firefox, but with Safari the "Please wait" screen never appears.

I wrote the demo years ago and it has always worked in Firefox and Internet Explorer.  That makes me think Safari is non-compliant in some way.


- Bil