1
Web Server - Share Knowledge / Re: In praise of Fastmem
« on: December 04, 2018, 12:06:03 PM »
Is Fastmem required for Clarion 11?
FastMem install does not know of C11
poul
2
Web Server - Ask For Help / Re: IP address/port conflict
« on: March 24, 2017, 12:18:21 PM »
Jane,
if that code is your webserver code then your
ThisWebServer._ServerIP assignment has to be further down after the generated assignment - as it will override yours.
if you had left the template setting blank, then that would be in effect (listening on all ip addresses) regardless of your INI settings.
Or just do what bruce suggests but just a thought:
if BOUNCE.INI is not where you think, GLO:PUBLICIP might be blank by default...
Unless there is another reason, you only need one global variable, set it based on your ini settings
and make sure that the template uses it, i think that's how bruce intended it.
poul
3
Web Server - Ask For Help / Re: p_web.SetSessionLoggedIn(0) for a WebserviceMethod
« on: March 09, 2017, 08:02:18 AM »
yes, once i added the performance tab, i saw how the sessions were building up,
i had to fiddle with things to get it right , but i can trust the counters, right?
i have delete session on logout = true
I turn off allow keep alive - (probably not needed)
it has been working, so long as i logoff at the end of a servicemethod
- this kind of dedicates the server for the APIs, which in this case i can live with, as i have a separate server for pages..
but i'd rather have the option that each method automatically can simply delete/ clean up everything like it was never there.
Perhaps with the default option set in the NetWebservice not the webMethod that indicates all its methods are stateless?
i tried to find a place in web handler like getpassword or authenticate
where i also do things like Free(self._CookieQueue) to remove the sessionid.
but it's too soon for logout, as there is stuff in a netwebmethod that may depend on session data (loggedin state for example)
so It would be great if you could add something, thanks.
poul
4
Web Server - Ask For Help / p_web.SetSessionLoggedIn(0) for a WebserviceMethod
« on: March 03, 2017, 09:00:48 AM »
Currently at the end of each ServiceMethod I am adding code to kill my session.
Without it, i must rely on the session timeout which keeps many sessions open for no good reason
as i will not reuse the session. All to maintain the stateless aspect of a RESTful API.
Code:
!----------------------------------------------------------------------------------------------------
! All your actual code for this method goes here. The "incoming parameter variables" have been primed
!----------------------------------------------------------------------------------------------------
ServiceMethod routine
! Start of "Service Method Routine"
! [Priority 4000]
...
p_web.SetSessionLoggedIn(0) !<<-- template option?
! End of "Service Method Routine"
! [Priority 1300]
This works fine, but i am lazy and sometimes forget, is there a place where i can embed this once - for all servicemethods, so the session ends immediately after any service method call? Or perhaps more simply can the template give me an option to logoff/end the session and write this line of code? (or take me to a common wrap up/kill method where i can write this once)
poul
5
Web Server - Ask For Help / Re: NetWebmethod: Only Serve if Secure TLS
« on: February 27, 2017, 11:57:11 AM »
Hi bruce,
i am quite confident there is only my NT apps and nothing else using both the default and my test ports.
i was testing with 2 servers and 3 client - (local, LAN and WAN scenarios).
and i have never used more than one web handler. Some of my testing would have included some explicit ports as well, ie 8080 etc ie:
Code:
would https://test:88/testthis followed by a http://test:88/testthis request be detected as a different port?
my initial concern was that it was the server, I am more comfortable with it being a confused client. (even if its mine)
But i am also seeing something strange with gzip which i cannot quite explain, what i will do is as time permits is build a
sample server and client from scratch with latest updates and see if i can "capture" some of this for you in a bottle,
I will start a new thread if i find something to share.
thanks
poul
6
Web Server - Ask For Help / Re: NetWebmethod: Only Serve if Secure TLS
« on: February 23, 2017, 07:09:13 AM »
"inclined to treat this as a bug in the client"
perhaps, i wasn't sure if there was a property/method to clear (or that i had inadvertently set) before sending the request, but i was more
concerned with the server rather than the client. Init seemed to work.
I wasn't sure if it was by design/accident or on purpose, browsers when using BASIC / DIGEST http authentication will cache
things and appear to do something similar (you have to close the browser to re-enter credentials) , so maybe its useful to have the
client have the ability to force TLS regardless of the formatted protocol request once the initial connection is made,
but I feel it's wrong to be the default behaviour. (nor really required in the class itself), as it flies in the face of my stateless pursuit.
poul
7
Web Server - Ask For Help / Re: NetWebmethod: Only Serve if Secure TLS
« on: February 22, 2017, 01:10:34 PM »
no only one object.
so is it correct to say if i have only one webserver object and its set to use TLS
that the setting in the netwebserver "only serve if Secure TLS" has no meaningful impact?
(perhaps it might have more utility in multiple port model?)
i see it generates
Code:
If p_web.RequestData.WebServer.SSL = 0
  p_web.CloseConnection()
  Return ''
End
but p_web.RequestData.WebServer.SSL is always true regardless if the client specifies http or https in the request
in other words its always TLS or nothing when doing requests.
OIC !, it's an artifact of how my testprogram - NetwebClient communicates! it was based on your demo
Even if my server does a p_web.SetSessionLoggedIn(0) after a webservicemethod (keeping things RESTful) it still 'remembers' and uses how the initial connection is made
regardless of how the subsequent request is made.
So when i change the request to http and test - it still works, if i close the client screen and try again with just http - it complains as expected.
Resolution:
The server is working but my testclient is messing with me.
dunno if it's best but for my REST TEST program, i added a net.init() in my webclient in pagerecieve and it's all good.
i can do repeated tests and get the behaviour i expected.
thanks
poul
8
Web Server - Ask For Help / NetWebmethod: Only Serve if Secure TLS
« on: February 21, 2017, 03:34:11 PM »
Hello,
i am trying to confirm something as my web-service behaves different than i expect.
i have setup a self signed certificate (The server is Configured to USE TLS)
a regular web page works as expected from a browser.
I can use both Basic or Digest HTTP authentication for a webservice which appears to be working fine.
as an example,
for an employees NetWebservice Method i have set the security to "Only Serve if Secure TLS"
a Client that does a "GET for https://myserverapi/v1/employees" appears to work fine.
but a "GET for http://myserverapi/v1/employees" also works, i was expecting nothing to return or an error.
How can i tell if the connection is truly thru TLS or not?
The SSL method seems to indicate that it's TRUE.
If i turn off the "Only Serve if Secure TLS" for the method, the SSL flag still indicates true
Does the server setting take precedence over the http(s) protocol in the request?
I'd like to test and enforce that https:// has been specified by the client explicitly for any web-service call.
is this something i should be concerned over or is this expected behavior.
TIA
poul
9
Web Server - Ask For Help / WWW-Authenticate - Challenge
« on: January 25, 2017, 08:18:38 AM »
Hi Bruce,
I know you plan to add something to enable the www-authenticate header response with a 401 in 9.18.
Will that include or can you consider adding support or an embed point so it can send a full challenge
Including nonce,opaque etc
poul
10
Web Server - Ask For Help / Re: No SessionID for a REST response
« on: January 23, 2017, 12:58:52 PM »
Yes that appears to do the trick.
thanks
poul
11
Web Server - Ask For Help / No SessionID for a REST response
« on: January 20, 2017, 03:21:24 PM »
So i have my webservice mostly RESTful now,
The only bit of house keeping i would like to do is not set the SESSIONID cookie.
I can delete the cookie in my webservice method but it leaves an artifact in the Response
is there a way to prevent the "Set-Cookie: SESSIONID ..." from ever happening?
Code:
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 23:04:43 GMT
Server: NetTalk-WebServer/9.13
Content-Length: 4308
Content-Encoding: gzip
Content-Type: application/json
Set-Cookie: SESSIONID=; expires=Tue, 07 Apr 1801 05:00:00 GMT;; path=/
Connection: close
X-Frame-Options: sameorigin
ie Never appear in the response header
Code:
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 23:04:43 GMT
Server: NetTalk-WebServer/9.13
Content-Length: 4308
Content-Encoding: gzip
Content-Type: application/json
Connection: close
X-Frame-Options: sameorigin
poul
12
Web Server - Ask For Help / Re: Implementing HTTP Authentication on a Server
« on: January 20, 2017, 03:06:17 PM »
Yes , i meant to type non Nettalk servers in production - as you have to make the digest work for them with NT clients.
to be clear i can assume the issue is on the server side? CreateAuthorizationString yields what you believe is correct?
so my tweak should suffice until 9.18
13
Web Server - Ask For Help / Re: Implementing HTTP Authentication on a Server
« on: January 19, 2017, 04:23:33 PM »
I cannot get DIGEST to work and I think it's because the response formulae in CreateAuthorizationString
that i use in my web client is not the same as the response formulae in HeaderAuthentication that is used by my server to confirm the response
my client sends something like this
Code:
Digest username="ServiceLoginName", realm="", qop="auth", algorithm="MD5", uri="/", nonce="", nc=00000001, cnonce="", opaque="", response="e711aca2bffef0ef1ae1cc9435237648"
when i provide the same password to GetPassword in my server it seems to calculate a different/incorrect response - so fails
I don't know what the correct structure is for the digest, so i assume the CreateAuthorizationString code is more correct as I assume it has been in production and tested against non Nettalk servers.
To correct this I tweaked my Netweb.Clw NetWebServerWorkerBase.HeaderAuthentication Procedure() so that it does the same as CreateAuthorizationString does
Code:
...
If password.Length()
TempString1 = username.GetValue() & ':' & item.GetValue() & ':' & Password.GetValue()
NetMD5(TempString1, len(clip(TempString1)), TempString1)
item.setvalue(str.GetLine(str.InLine('uri=', , , , , , st:begins)))
item.SetValue(item.Between('"','"'))
item.prepend('GET:') ! <=============== Fix: this is effectively the way CreateAuthorizationString does this part
! item.prepend('GET:/') ! <=============== Was THIS
TempString2 = item.getvalue()
NetMD5(TempString2, len(clip(TempString2)), TempString2)
...
Part of me feels this should be the other way around as GET:// feels more right and the fix should be in CreateAuthorizationString
but i dunno, perhaps its just inconsistent assumptions about how to deal with some of these optional values (uri in particular)
so don't know if this will work when i expose my webservice to non clarion developers...
which is correct?
poul
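Added example, not part of the original post and not NetTalk code: a Python sketch of the RFC 2617 Digest check that a client and server must compute identically. A2 is the method, a colon, and the uri value exactly as sent in the header, so uri="/" hashes as GET:/; the sample header is the published example from RFC 2617 section 3.5, and the function names and the a2_separator parameter are hypothetical, the latter only there to reproduce the doubled-slash variant.

```python
import hashlib
import hmac
import re

# Sample header: the published example from RFC 2617 section 3.5
# (user "Mufasa", password "Circle Of Life", request "GET /dir/index.html").
RFC_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_header(value):
    """Split an Authorization: Digest value into a dict of its parameters."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    params = {}
    for m in _PARAM.finditer(rest):
        # Quoted values (possibly empty) land in group 2, bare tokens in group 3.
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = quoted if quoted is not None else bare
    return params


def expected_response(params, method, password, a2_separator=":"):
    """Compute request-digest; a2_separator=":/" (hypothetical) doubles the slash."""
    ha1 = md5_hex(f"{params['username']}:{params['realm']}:{password}")
    # A2 = Method ":" digest-uri-value, with the uri exactly as the client sent it.
    ha2 = md5_hex(f"{method}{a2_separator}{params['uri']}")
    if params.get("qop") == "auth":
        parts = [ha1, params["nonce"], params["nc"], params["cnonce"], "auth", ha2]
    else:
        parts = [ha1, params["nonce"], ha2]  # no qop: RFC 2069 compatible form
    return md5_hex(":".join(parts))


def verify(header, method, password, a2_separator=":"):
    """Server-side check: recompute the digest and compare in constant time."""
    params = parse_digest_header(header)
    want = expected_response(params, method, password, a2_separator)
    got = params.get("response", "")
    return hmac.compare_digest(want.encode(), got.encode())


if __name__ == "__main__":
    print("GET:<uri>  ->", verify(RFC_HEADER, "GET", "Circle Of Life"))
    print("GET:/<uri> ->", verify(RFC_HEADER, "GET", "Circle Of Life", ":/"))
```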
14
Web Server - Ask For Help / Re: Implementing HTTP Authentication on a Server
« on: January 17, 2017, 10:04:47 AM »
Thank you that helps.
Is there something I can do to make sure that the Webservice 401 response
is formatted appropriately ( JSON rather than HTML?)
poul
15
Web Server - Ask For Help / Implementing HTTP Authentication on a Server
« on: January 16, 2017, 10:24:48 AM »
Hello, are there any examples,documentation,tips,webinars?
My main goal is to simplify REST access for a WebService, but i would also like to have it as the default for a webbrowser.
(I am returning XML by default to the Browser, but JSON for the Webclients who request it)
I see lots of plumbing bits for the Authentication/token etc, but nothing that puts it all together
For example: in my webservice method i can set it to "user must be logged in"
Which does an immediate "401 Unauthorized"
I suppose a Webclient would know to send the Credentials, but i believe i should be
putting something like "WWW-Authenticate: Basic" in the header.
is there a simple way to do that before the
Code:
If p_web.GetSessionLoggedIn() = 0
  p_web.SendError (401,'Unauthorized', 'A login is required to view this page')
  Return
end
my current assumption is that i have to handle things myself in the CheckForToken routine
but it's unclear if that's the intention or best place.
poul