I want to do history token rewriting. Don't know its possible or not.
e.g. If my application URL is http://localhost:8080/myapp/#login which contain 'login' as history token. Is it possible to rewrite the URL like http://localhost:8080/myapp/user/login.
Or is it possible to remove '#' from history token?
The # token has special meaning in an URL. The browser interprets everything before the # token as the page to load, and everything after the # as additional information for on the page. This means if something is changed in the URL after the # token, the webpage is not reloaded, but it does create a browser history item. GWT uses this to create new history items, while not reloading the page.
If you would rewrite the URL from #login to /user/login you would instruct the browser to reload the page, which means the whole GWT page is reloaded and all state information is reset. This is probably not what you want.
So the short answer is, although it's technically possible, it will change the behavior from a one page website to a multi-page website that reloads every time the history changes, and that's probably not something you want.
Related
I am working on web app in OutSystems 10.0. In the application, if I log out, it logs off. But when I click the browser back Button, it redirects to the Previous page (which should be displayed only after login). Any suggestions?
You probably need to have roles on the pages, if the pages have the role anonymous anyone can open it.
You're probably accessing the website via http and not https, so when you press back on the browser it will show you a cached version of the previous page.
Because it's the cached version, the session and roles are not checked.
As a recommendation, force the https protocol.
Following the link provided by #Abdulhakeem, they recommend the following:
Add a hidden input to the page - initialize it to some value (for example 'no') - so when the page is rendered by the server it always has a 'no'
Add a bit of Javascript to the page ready event to:
Check that value - if it's not what you'd expect from the server (in our case, <> 'no'), force refresh the page (see below)
If it is still set to what you'd expect from the server, change it (in our case to 'yes') and do nothing else
I recommend downloading the .oml provided in the post and reviewing how they actually implemented it.
if you can change to https, you can also in every action that is on the page that do changes on the database. check if you have permissions or you are logged. that way if the person tries to do back and do some action you can redirect it somewhere.
I have an application running in an iFrame that is embedded in a SharePoint site. The problem with this is navigation within the application does not result in a change in the SharePoint site URL. Therefore, if you were to refresh the overall page, you would be sent back to the default page of the application, not stay on the same page of the application. The reason this is an issue is sharing for social media. I have added a Facebook Share button to the application, but when it pulls the URL of the application which does not match or reference the URL of the overall site, so it just shares the application (which is not visually appealing and does not allow you to access the rest of the site).
Any body have any suggestions or know a place I can go for help? Thanks!
If I understand properly, the Facebook stuff is INSIDE the iframe?
If so, you can:
* Remove the iframe and integrate the application better with SharePoint, or
* Change the application so that it detects that it's running "alone" (with javascript etc), and if so redirect to the "big" application.
IF the Facebook stuff is in SharePoint, OUTSIDE of the iframe, you can write some javascript to update the URL in some way that matches the URL of the application. This requires that the SharePoint parent application and the iframe application run in the same domain - if they are not, this is not an option.
Note that changing the "parent" URL with JS will reload the page, UNLESS you only change the URL after the "#" part (so you can do something like:
"http://sharepoint/iframe.aspx?aa=11&bb=22#iframeUrl=http://uglyapplication/"
You'll also probably want to write JS to update your iframe accordingly if the user press "back"/"forward" etc in the browser, because changing the URL like above will still add a "step" to the browser history.
I have a facebook page tab iframe and would like to access the browser url in order to get the current facebook page url.
I know it's not possible to use a javascript that interacts with the parent frame because of browser security issues.
An approach that didn't work for all browsers was to read the HTTP_REFERER header from the request.
Is there a better way?
I hope this is impossible at all. Otherwise it will be a security issue, likely to be closed.
You should not write code depending on compromising other users.
It is not possible to get URL of a parent Frame due to cross-domain policy. And there is no way to get the information about page your application running on in client-side.
But on the server-side you can reconstruct the Page URL using details passed in signed_request. For Page Tab Applications it contains page:
A JSON object containing the page id string, the liked boolean (set to true if the user has liked the page, false if not) and the admin boolean (set to true if the user is an admin of the page, false if they're not).
Using that page id you can build the Page URL:
http://www.facebook.com/pages/-/PAGE_ID
If you want the link to your Page Tab with your application use:
http://www.facebook.com/pages/-/PAGE_ID?v=app_APPLICATION_ID
Beware, HTTP_REFERRER is provided by client and cannot be trusted, and it's may be cut by plugin/proxy/etc...
Notes:
Pages may have different URL in real life, but using this technique user will be landing the correct Page since Facebook will issue redirect to correct URL of a Page.
Sample URLs use HTTP scheme, feel free to use HTTPS if you need it.
In PHP for example you can detect the current scheme like this:
$scheme = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']!=="off") ||
(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
$_SERVER['HTTP_X_FORWARDED_PROTO']=="https")
) ? 'https' : 'http';
HTTP_REFERRER might not work as expected in my experience. If the tab app is designed for a specific page (which I suppose it kind of should), have you tried recreating it?
https://www.facebook.com/MYPAGENAME/app_MYAPPID
Where MYPAGENAME is your page name and MYAPPID is the app id, of course.
If the tab is applied to multiple pages though, I'm quite sure you'll get the relevant data to apply the above from https://graph.facebook.com/PAGEID, where PAGEID is the ID of the page which you get from the signed request.
I have a bunch of pages which should only be accessible when the user is logged in. So that the URLs make sense, and also so that the user may bookmark them, I have made them bookmarkable URLs in Wicket.
Now the problem occurs, that if the user comes to view these pages, but is not yet logged in. The constuctor which takes a PageParameters on my page is called.
My approach is going to be:
For all pages which should only be available logged in, but which are bookmarkable, put an if statement in this constructor to test if the user is logged in or not.
If the user is not logged in:
Store (a) this.class (b) the PageParameters in a special place in the session
setReponsePage to be my login page
In the login page, if the login is successful, check to see if these special attributes in the session are set, and if so, then setResponsePage to be the class/parameters of the desired bookmarkable URL
Is this approach correct? It seems to be a bit of extra/manual work (although not too much!), but Wicket provides a lot of useful stuff "out of the box": so my question is: is this necessary or is there some Wicket facility I'm not aware of which I can take advantage of?
You should use a IAuthorizationStrategy to protect your pages. See for example wicket-auth-roles for a simplistic roles based library.
When Wicket tries to render the page that is mapped to the bookmarked URL of the user it will notice the user is not yet logged in (since the session has no user assigned to it), store the current requested URL, redirect to the login page and wait until the user correctly signs in. In the onSubmit of your login form you then call
if(!continueToOriginalDestination()) {
setResponsePage(SomeReasonableDefaultPageLikeYourHomePage.class);
}
See for an example the Authentication example in the Wicket Examples project (online demo here)
continueToOriginalDestination will instruct Wicket to render the original URL that the user requested, if one is stored, and otherwise return false.
what is the link between backbutton and continueToOriginalDestination(). method.
how to keep url saved for continueToOriginalDestination() method while clcking browsers back button.
continueToOriginalDestination() is used when a request was (temporarily) redirected to an intercepting page, for example a login page. When a user requests a secured page but is not yet authenticated, the security framework that hooks into wicket (auth-roles, shiro, swarm/wasp) will present the user with a login page, and store the original URL. When the user has authenticated, you can call continueToOriginalDestination and Wicket will process the original request, displaying the requested secured page.
Not only security frameworks can use this, you can do it yourself by throwing a RestartResponseAtInterceptPage exception.
The back button has nothing to do with this, nor does it have any affect on the processing of the original destination page. Wicket keeps storing the original destination until a new one is set, or until continueToOriginalDestination has been called.
continueToOriginalDestination returns true when there was a page to go to, and false when the user landed on the intercept page directly (e.g. guessing the login page URL or clicking on a link pointing to the login page).