- From: Henry Story <henry.story@bblfish.net>
- Date: Fri, 23 Dec 2011 18:38:11 +0100
- To: Kingsley Idehen <kidehen@openlinksw.com>
- Cc: WebID XG <public-xg-webid@w3.org>
- Message-Id: <E7BC9CB6-76C3-40B8-AF19-5EA439CD06FD@bblfish.net>
On 23 Dec 2011, at 17:54, Kingsley Idehen wrote:

> On 12/23/11 11:40 AM, Henry Story wrote:
>> Ok so I now have a demo of a WebID service that works in a user friendly way with all desktop browsers. Here the issue was to get Safari and Opera to request a certificate from the user if he has one, without showing him an ugly ERROR screen if he does not or refuses.
>>
>> You can try this out now with
>>
>> https://foafssl.org/srv/idp?rs=http://webid.fcns.eu/
>>
>> The changes this required are listed here
>>
>> https://dvcs.w3.org/hg/read-write-web/rev/23a4ecd7b45d
>>
>> especially see the needyLogin function in
>>
>> https://dvcs.w3.org/hg/read-write-web/diff/23a4ecd7b45d/src/main/resources/template/webidp/idp/util.js
>>
>> Merry Xmas,
>
> That's what I call an Xmas present !

Here's a bit more. I think Safari does not have the TLS fix for the famous TLS bug of a few years ago, so in Java one has to add the following to the command line.

    -Dsun.security.ssl.allowUnsafeRenegotiation=true -Dsun.security.ssl.allowLegacyHelloMessages=true

and the code that knows how to make NEED requests is in

https://dvcs.w3.org/hg/read-write-web/file/ed559ff1977b/src/main/scala/auth/X509Cert.scala

    private def unapplyReceivedMessage[T <: ReceivedMessage](r: HttpRequest[T], fetch: Boolean): Option[IndexedSeq[Certificate]] = {

      import org.jboss.netty.handler.ssl.SslHandler

      val sslh = r.underlying.context.getPipeline.get(classOf[SslHandler])

      // If the client already presented a certificate on this connection, use it.
      trySome(sslh.getEngine.getSession.getPeerCertificates.toIndexedSeq) orElse {
        if (!fetch) None
        else {
          // Otherwise renegotiate and ask for one. NEED: the handshake fails if the
          // client presents no certificate; WANT: the handshake completes without one.
          sslh.setEnableRenegotiation(true)
          r match {
            case UserAgent(agent) if needAuth(agent) => sslh.getEngine.setNeedClientAuth(true)
            case _ => sslh.getEngine.setWantClientAuth(true)
          }
          val future = sslh.handshake()
          future.await(30000) //that's certainly way too long.
          if (future.isDone && future.isSuccess)
            trySome(sslh.getEngine.getSession.getPeerCertificates.toIndexedSeq)
          else
            None
        }
      }

    }

and the needAuth method

    // Browsers that only hand over a certificate when the server requires it
    def needAuth(agent: String): Boolean =
      (agent contains "Java") | (agent contains "AppleWebKit") | (agent contains "Opera")

What remains to be done now is:

1. To continue searching for methods so that browsers other than only Firefox and Internet Explorer can do logout - I don't have too much hope that this can be done without those browsers doing a bit of work. Just adding a javascript logout function would be enough.
2. To add a bit of text so that if people don't have a WebID I can point them to the right place to get one.
3. Remove notices to tell people to try again if they are using browsers that don't allow it (and for which 1 can't be solved)

Henry

>
> Awesome!
>
> Kingsley
>>
>> Henry
>>
>>
>> On 22 Dec 2011, at 15:30, Henry Story wrote:
>>
>>> So by now every desktop browser I have works well with WebID except Opera and Safari. Well
>>> in fact they do work but one has to use the pre TLS-renegotiation fix compatibility mode
>>> and the server has to ask for the certificate in NEED mode. I am not sure if this is needed
>>> only on OSX btw, it may be different on Windows. So what is the problem? Well the problem
>>> is that in NEED mode if the client does not have a certificate or cancels the selection then
>>> the web page displayed is going to be an ugly error page that would disconcert non technical
>>> users.
>>>
>>> But I think we have a fix for that. All that is required is to make the authentication
>>> over AJAX for those browsers! I suppose there is a way for the javascript to catch a TLS
>>> error somehow. It can then display an error message nicely saying that no certificate is
>>> available, and ask the user in a friendly manner to do so.
>>>
>>> Any AJAX specialists willing to help me put that together quickly, or point me in the right
>>> direction?
>>>
>>> Henry
>>>
>>> Social Web Architect
>>> http://bblfish.net/
>>>
>> Social Web Architect
>> http://bblfish.net/
>>
>>
>>
>
>
> --
>
> Regards,
>
> Kingsley Idehen
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>
>
>
>
>

Social Web Architect
http://bblfish.net/
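The NEED-versus-WANT distinction the thread turns on is easy to get wrong, so here is an added, self-contained illustration of it; this is not code from the read-write-web project (which is Scala on Netty, quoted above) nor from anyone in the thread. It uses Go's crypto/tls because its ClientAuth setting maps one-to-one onto SSLEngine's setNeedClientAuth (RequireAnyClientCert) and setWantClientAuth (RequestClientCert). Go's server side does not support renegotiation, so the mode is chosen at the initial handshake rather than after the User-Agent is known; clientAuthFor reproduces the needAuth() substring test only to show which mode each browser would get. Both certificates are generated in memory and are constructed test material, and the hypothetical user agents in main are constructed strings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// clientAuthFor mirrors the needAuth() user-agent test from the thread:
// Java, WebKit (Safari) and Opera clients get NEED mode (the handshake fails
// if no client certificate is presented); everyone else gets WANT mode (the
// server asks, but completes the handshake with zero peer certificates).
func clientAuthFor(agent string) tls.ClientAuthType {
	for _, marker := range []string{"Java", "AppleWebKit", "Opera"} {
		if strings.Contains(agent, marker) {
			return tls.RequireAnyClientCert
		}
	}
	return tls.RequestClientCert
}

// selfSignedCert builds a throwaway ECDSA certificate in memory
// (constructed test material, not a real WebID key or server key).
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs one TLS handshake over an in-memory pipe with the server in
// the given client-auth mode. It returns how many certificates the server
// received from the peer, or the server-side handshake error (the condition
// a browser turns into the "ugly error page" discussed in the thread).
func handshake(mode tls.ClientAuthType, clientHasCert bool) (int, error) {
	serverCert, err := selfSignedCert("localhost")
	if err != nil {
		return 0, err
	}
	userCert, err := selfSignedCert("webid-user")
	if err != nil {
		return 0, err
	}
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   mode,
		// No ClientCAs: as with WebID, any self-signed certificate is accepted at
		// the TLS layer and the key is checked against the profile afterwards.
	}
	cliConf := &tls.Config{InsecureSkipVerify: true} // demo only: server cert is self-signed
	if clientHasCert {
		cliConf.Certificates = []tls.Certificate{userCert}
	}

	c1, c2 := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	c1.SetDeadline(deadline)
	c2.SetDeadline(deadline)
	server := tls.Server(c1, srvConf)
	client := tls.Client(c2, cliConf)

	clientDone := make(chan error, 1)
	go func() {
		err := client.Handshake()
		if err == nil {
			// Keep reading so the server's alert or close_notify has a reader:
			// a TLS 1.3 client considers the handshake finished before the
			// server has checked the (possibly missing) client certificate.
			var buf [1]byte
			_, err = client.Read(buf[:])
		}
		clientDone <- err
	}()

	serverErr := server.Handshake()
	n := 0
	if serverErr == nil {
		n = len(server.ConnectionState().PeerCertificates)
	}
	server.Close()
	<-clientDone
	client.Close()
	return n, serverErr
}

func main() {
	// Constructed user-agent strings, not captured from real browsers.
	for _, ua := range []string{"Mozilla/5.0 (Macintosh) AppleWebKit/534.52 Safari/534.52", "Mozilla/5.0 Gecko/20100101 Firefox/9.0"} {
		fmt.Printf("%-58s -> %v\n", ua, clientAuthFor(ua))
	}
	for _, tc := range []struct {
		mode tls.ClientAuthType
		cert bool
	}{{tls.RequestClientCert, false}, {tls.RequireAnyClientCert, false}, {tls.RequireAnyClientCert, true}} {
		n, err := handshake(tc.mode, tc.cert)
		fmt.Printf("mode=%v clientCert=%v -> peerCerts=%d err=%v\n", tc.mode, tc.cert, n, err)
	}
}
```

Running it shows the asymmetry the thread is working around: in WANT mode a certificate-less client completes the handshake and the server simply sees no peer certificate, which is what lets the page fall back to a friendly message; in NEED mode the same client gets a fatal bad_certificate alert and the handshake never completes, so the only thing the browser can render is its own error page. One caveat a practitioner should weigh before copying the JVM flags quoted in the mail: -Dsun.security.ssl.allowUnsafeRenegotiation=true switches off the RFC 5746 secure-renegotiation check for the whole JVM, which re-exposes a server that relies on renegotiation for client authentication to the 2009 renegotiation prefix-injection attack (CVE-2009-3555) from any network-position attacker.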
Received on Friday, 23 December 2011 17:38:53 UTC