I'm using JavaFX WebView to load a website. This website is using iframes.
It's working fine on a classical browser, but when I'm displaying the pages using JavaFX WebView, the frames are empty.
I tried to display the content of the iframe programmatically from the Java code (according to this: How to get by javafx webview content iframe loaded page?). It is empty.
I also tried to allow everything with Content Security Policy, X-Frame-Options, etc. on the client side (by overriding the HTTP headers), following JavaFX WebView disable Same origin policy (allow cross domain requests). It did not change anything.
I have added a WebConsoleListener to see some logs. I have no errors.
What is the issue? Is there a way to get more logs?
It turns out that the issue was the following: the website in the iframe had an issue with the certificate chain (the whole certificate chain was not transmitted by the website in the iframe). The issue was identified using SSLLabs.
It's not a problem when accessing the page using a browser because browsers are able to manage the situation, but the Sun JVM is not able to do so.
An SSL handshake exception was raised somewhere, but it was hidden by the JavaFX WebView (somewhere it was caught and not displayed clearly thereafter).
So once the issue is identified, to fix it we fall back to the traditional solutions:
If possible, fix the website with the incomplete certificate chain (recommended)
If not, either explicitly trust the certificate provided by the site by adding it to the cacerts file, or disable the SSL security (not recommended)
Related
My company is in the process of changing all our URLs from HTTP to HTTPS. One of the most useful tools to us is manually using the console in Chrome to view the information on the Security and Network tabs to find the items that are preventing the page from being secure (showing the green padlock).
I am using Java code that reads through a local text file of HTTPS URLs to test.
Using Chromedriver, can it tell me if a URL is secure or insecure (as it would show me if I used Chrome manually)? Also, can it tell me what is causing a page to not be secure?
I'm hoping someone has tackled this one already, but can't find anything on it. Thanks in advance!
We have recently needed to change our SSL certificate on our server. Our consuming application has suddenly stopped working. I had presumed this was to do with Java's cacerts, and modified the program to import the new certificate to each client, but the problem was not resolved.
When the application attempts to load the remote view (shown below) on the server, it simply loads a white page. I have tried loading the page through http:// and it seems to function, however the rest of the application (including the API) requires https, and subsequent calls to the API fail (images loaded through https are showing as broken within the app).
The website is functional, and when I access URLs being provided to the app through my desktop browser, they load without issue. The app is also functional when I run it in Debug mode; these issues only occur when I use the "Run" build mode.
I have tried creating a blank MAF application, hoping it was some caching issue; however, this new app also cannot load the remote URI. I have done a clean build and have tested other remote URIs (they work). I feel as if there is an issue with Java somehow not accepting the new certificate. The first time I tried to load the website within Eclipse's browser, an error displayed along the lines of "certificate revocation information". I didn't pay much attention to this error and it provided the option to install the new certificate, after which the page loaded within Eclipse's browser.
In JDeveloper there is an option for disabling Application Transport Security, as shown in the image.
Could you try disabling it in your Eclipse too? Kindly refer to this doc: https://wiki.eclipse.org/Jetty/Howto/Configure_SSL. This might help a little :)
The issue seems to be due to the changed SSL certificate on your server.
Short answer:
There was no chain installed, I installed the provided ca-bundle file and updated the httpd.conf file to reflect the chain location and the app now works.
Long answer:
When our server dev installed the new certificate, he neglected to install the ca-bundle (certificate chain) provided by the CA. The site was working in a browser, I can only assume, because it has a more complete list of trusted CAs built in. My best guess is that MAF requires the chain to be installed and was failing some security test, or the Chrome webview it uses did not have this CA on the trusted list.
What is the use of having an iframe tag in the GWT host HTML page? Is there any specific reason behind this?
When I'm using the iframe with SSL enabled, it gives me a popup window (I get messages stating that there is unsecure content in the page). This happens only in IE. How to avoid this?
Update: the problem was because of the Flash used in the page (FlasTag setting the code base to http://download.macromedia.com). More details here.
__gwt_historyFrame is used to store/retrieve history tokens (make back/forward button work correctly). If you don't embed an iframe, GWT history mechanism won't work.
Update by Tomas Broyer:
This is only true for IE6 and IE7. IE8 will use onhashchange, and
other browsers do not need the iframe either (using a timer to
regularly check the location's hash)
As pointed out here, iframe is not the only possible cause.
I am using the SWT Browser Widget to load the image of a webcam-server via HTTPS. Sadly the webcam-server certificate is untrusted. I tried 2 variants to load the image:
Browser.setHTML(String)
Load the image using HTML+JavaScript every second. This is the preferred way to avoid flickering. This works very well for HTTP; if I have an HTTPS connection I see nothing at all except my alternative text.
Browser.setUrl(String)
Load the image by setting the URL every second. This causes massive flickering because of the reload, which is unacceptable. I tried this variant with all available SWT browsers. If I use SWT.WEBKIT or SWT.MOZILLA (XULRunner) I have no chance at all to get the image. A dialog pops up and tells me the certificate is untrusted, with no option to accept it. If I use SWT.NONE, IE is used (I am on WinXP) and the pop-up dialog asks if I want to trust the cert; after pressing OK I can see the image.
Here at Stackoverflow I found: how-to-import-a-ssl-certificate-file-with-swt-browser.
But I am unable to find the cert_override.txt in my XULRunner, and I am unable to find a download link for the Personal Security Manager (like many others)!
How can I allow the untrusted certificate and use variant 1 with XULRunner aka MOZILLA? Is it possible to do it programmatically?
cert_override.txt is located in the user's profile. On Windows the directory for XULRunner's user profiles is %APPDATA%\<vendor>\<product>\Profiles\<something>.default, on OS X /Library/Application Support/<product>/Profiles/<something>.default, on Linux ~/.<vendor>/<product>/Profiles/<something>.default. At runtime you can use nsIDirectoryService to locate the directory (ProfD is the key for this directory).
You can either write to the user's profile directly from your application or add a copy of cert_override.txt to your XULRunner application to be copied into all user profiles created (it would have to be put under defaults/profile/cert_override.txt in the XULRunner application directory). Note that the latter will only have an effect on new profiles being created, not on profiles that already exist.
Btw, the simplest way to create a cert_override.txt file would be accepting an untrusted certificate in Firefox and then copying the entry from the Firefox profile to the XULRunner profile.
I have a Java web application running in JBOSS with Tomcat with two web applications (contexts) running on it.
A button press on one of the applications runs a JavaScript command to open a new window with a page from the other.
The problem I seem to be having is that this raises a security alert in IE with the following message:
I can't really ask my customer to add an exception to "http://". What are the likely causes for it not picking up the site?
The browser is correctly pointed at the full URL for the page (i.e. www.something.net:8080/blah/somepage.jsp). The browser is IE7 with enhanced security running on Windows 2003.
You need to uninstall "Explorer Enhanced Security", which is on by default in Windows Servers, before IE will act like a normal browser. :)
Workstations shouldn't get this problem.
IE Enhanced Security Configuration is deliberately designed to prevent general purpose browsing from servers. Folks who want to do workstation-style browsing and just happen to be on a server SKU should disable ESC.
What's the exact line of code? window.open("http://fullURL", etc), or something like var v=window.open("about:blank"); v.location.href=etc ?
Do the two applications have different domains? IE is preventing the cross-site scripting.
Can you not just have a link to the other site?
EDIT: If this is on Windows Server 2003, then the only way that I've managed to get around it is to disable the enhanced browser security. If this is the case, then you shouldn't really be browsing from a server in the first place.
Edit2: I'm guessing that it is the enhanced browser security that is doing this.
Check out this link: http://support.microsoft.com/kb/815141 for info about it.
Your choices are to either disable it, add an exception for that site, or use another browser.