IBM Connections - can't add opensocial gadget - ibm-connections

I developed an open social gadget and am trying to display it in Connections. I can't get Connections to even try to load the xml definition file.
I get
"Unable to load widget" in the gadget area in the side column
In JS console the errors read:
(Usable to retrieve spec for gadgeturl. HTTP error 400) while loading widget
_WidgetHandleBase - gadget failed to load (gadgeturl)
Here's what I did:
1) Enabled developer mode and restarted Connections. I used this guide as a reference; the allServers attribute is set to true, so I'm not using the whitelist.
http://public.dhe.ibm.com/software/dw/lotus/OS_gadget_IC4_final.pdf
2) Configured the gadget in the admin section of Connections.
Type: Open Social Gadget
Security: Trusted, Use SSO
Server Access via Proxy: All Servers
Display on the Widgets page: True
Display on the Updates page: True
Use IBM Connections specific tags: True
Opened by default: True
3) Added the gadget through the customize link
Again, the gadget url leads to an xml definition file and it is accessible via a browser. Connections never accessed the url based on server logs.
Any idea what I am missing?
Thanks,
Vilem

Based on Paul Bastide's questions I did these additional steps:
In opensocial-config.xml I set all whitelistEnabled and urlWhitelistEnabled attributes to false. Setting up just the developer tag attributes like the doc suggested wasn't enough.
Set up hosts file to allow the connections server to access the gadget url.
For clarity I am using the Greenhouse image.

Related

Access a local IBM Notes application with default system browser

I am developing web applications using the XPages framework from the IBM Lotus Notes technology.
My users don't use the embedded Notes Client browser, but use a regular modern browser (Firefox, Chrome) to browse Notes applications.
Everything is OK when the user has an internet connection: he can access the application on the online server through his favorite browser.
However, some of my applications need to be used offline, locally. When a user works locally, he opens the IBM Notes Client, goes to his workspace and clicks to open an application locally. Then the Notes Client runs an HTTP server on a random port and opens the application with the embedded Notes Client browser.
What I want to achieve is to be able to open the application in a regular browser (Firefox, Chrome), by just using the default system browser and not the embedded Notes Client browser.
Here is what I tried without success:
With window.location.href I get the port where the local HTTP server runs and the path to the page that is opened in the embedded Notes Client browser. I get this kind of result:
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp?OpenXPage&&xspRunningContext=Notes
So I just keep the interesting part:
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp
Now I need to pass the session ID as a parameter of this HTTP request so the browser will have the right to access the application. I get the session ID with the following:
facesContext.getExternalContext().getRequest().getSession().getId()
From this I get an ID and I build my complete HTTP request:
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp?SessionID=ID-fae7aca8f062023972fe35e5909b0106f44ba2ae
But when I try this in a regular browser, instead of getting the page I get an error 500. If I look at the log of the server, I see the following error message:
Exception Thrown
javax.servlet.ServletException: The request is not coming from a trusted Rich Client part
But I am sure my ID is correct. I tried to investigate this on the internet but with no success for now. I would be happy if someone has an idea about what I am missing, or maybe another way to open a local application in the default system browser.
Thank you!
In short, you can't. This is disabled by security restrictions.
But maybe you should think again about an XPiNC application: with 9.0.1, the underlying XULRunner component was upgraded and now supports HTML5 and a lot of the "newer" features.
It matches Firefox 10.0.6, here are the HTML5 test results:
https://html5test.com/s/555ae51ca555ac7b.html
The only reasonable action you have at your disposal is to install Domino Designer on the clients. Then you get the nhttp task that serves to a standard browser (you might get away with analysing what nhttp needs and only installing that part).
The caveat there: the local nhttp does not support authentication. So you need to hack around it (e.g. copy data back and forth between the local NSF and the properly secured one).
Alternatively, you could try the approach I took with vert.x (should work with any Java container, but then you won't have any XPages, just raw Domino data).
Danielle pushed that forward with the Crossworlds Project - which might be what you need.
Stephan says it as it is: the way you are considering is just going to cause you huge headaches.
If offline capacity is a must, have you thought about creating a pure Notes-Client application? That would certainly be far easier.

How to test whether user security settings will cause window.localStorage not to work in Internet Explorer?

In Internet Explorer, if the user has protected mode checked on the Security tab for the Internet domain, window.localStorage.setItem() silently fails. Is there a Microsoft-specific way of testing whether the feature is enabled? Testing for its mere presence returns true.
if (window.localStorage && window.sessionStorage) {
    // do storage stuff;
}
else {
    alert('your userAgent does not support DOM Storage or it is disabled by your browser settings or Group Policy');
}
In MSIE (8 and higher) browsers DOM storage is user and GPO configurable from the Advanced tab of Internet Options>"enable DOM Storage"...
localStorage and sessionStorage are 'undefined' in html files using the file: protocol. Develop and test using your localhost or a web server.
Hi,
my bad....
if ('undefined'!==typeof(win.localStorage)) {
OT: I see my forum puppy is still humping my leg...
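A write-and-read-back probe for the case described in the question, where the storage object is present but setItem() has no effect. This is an added example, not code from any of the posts above; the function names and the stand-in storage objects are constructed for illustration.

```javascript
// Probe DOM storage by writing a value and reading it back, instead of
// testing only for the presence of window.localStorage.
function storageWorks(getStorage) {
  const key = '__storage_probe__' + Date.now();
  try {
    const storage = getStorage();        // the property access itself may throw
    if (!storage) return false;          // undefined or null: not available
    storage.setItem(key, key);
    const ok = storage.getItem(key) === key; // false when setItem silently did nothing
    storage.removeItem(key);
    return ok;
  } catch (e) {
    return false;                        // access or write rejected by policy
  }
}

// Checks both stores that the snippet above tests for.
function domStorageStatus(win) {
  return {
    localStorage: storageWorks(() => win.localStorage),
    sessionStorage: storageWorks(() => win.sessionStorage),
  };
}

// Constructed stand-ins so the probe can be exercised outside a browser.
function makeWorkingStorage() {
  const data = new Map();
  return {
    setItem(k, v) { data.set(k, String(v)); },
    getItem(k) { return data.has(k) ? data.get(k) : null; },
    removeItem(k) { data.delete(k); },
  };
}
const silentlyFailing = { setItem() {}, getItem() { return null; }, removeItem() {} };
const throwing = {
  setItem() { throw new Error('SecurityError'); },
  getItem() { return null; },
  removeItem() {},
};

// In a page: domStorageStatus(window)
console.log(domStorageStatus({ localStorage: makeWorkingStorage(), sessionStorage: silentlyFailing }));
```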

Server Independent reference in xpage theme XPiNC

This question covers adding XPages CSS resources via a theme which references a resource NSF database by adding /.ibmxspres/domino to the path, e.g.
<resource>
<content-type>text/css</content-type>
<href>/.ibmxspres/domino/CommonElements.nsf/styles.css</href>
</resource>
This works fine in a browser the mark up generated being..
...href="/CommonElements.nsf/styles.css"
However in a Notes Client this results in ..
... href="/xsp/.ibmxspres/domino/xsp/CommonElements.nsf/styles.css
Which does not seem correct, I think I may need it to generate the following mark up in XPiNC.
href="/xsp/"servername"!!CommonElements.nsf/xsp/styles.css"
I have restarted Notes, used Ctrl Shift Del to try to remove any Notes cache, but I cannot get the style sheet to work.
I have resorted to using the full domain of the server http://mydomain/CommonElements.nsf/styles.css but I wish it to be server independent and allow the use of local copies when off line.
Any help would be appreciated.
Thanks
The client URL is correct. It says: load from the same server as the XPage. On the Notes client that is local host unless you specified that the page should be loaded from the server.
You have 3 options:
1) as you did: specify the server
2) set the property to load the XPage on the server
3) use a policy to push down your resource database to the clients
Note: when an XPage runs locally on a client, the application scope is not shared with other clients. That only happens in server mode.

Detect broken SSL or insecure content warning with Selenium, BrowserStack, & Node.js

I'm trying to set up some automated testing using Browserstack's Selenium and their Node.js driver. I want to check if the page is showing any insecure content warnings when accessing the URL via HTTPS.
Is there a way to detect that in Selenium? If one browser does it easier than another that's fine.
Here are a few different ways to detect this using Selenium and other tools:
iterate through all links and ensure they all start with https:// (though via Selenium, this won't detect complex loaded content, XHR, JSONP, and interframe RPC requests)
automate running the tool on Why No Padlock?, which may not do more than the above method
utilize Sikuli to take a screenshot of the region of the browser address bar showing the green padlock (in the case of Chrome) and fail if not present (caveat of using this in parallel testing mentioned here)
There is also mention here of the Content Security Policy in browsers, which will prevent the loading of any non-secure objects and perform a callback to an external URL when encountered.
UPDATE:
These proposed solutions intend to detect any non-secure objects being loaded to the page. This should be the best practice for asserting the content is secure. However, if you literally need to detect whether the specific browser's insecure content warning message is being displayed (aka, software testing the browser vs your website), then utilizing Sikuli to match either the visible existence warning messages or the non-existence of your page's content could do the job.
Firefox creates a log entry each time it runs into mixed content, so you can check the logs in selenium. Example:
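from selenium import webdriver

# Load the page, then read the browser log that records mixed-content events
driver = webdriver.Firefox()
driver.get("https://googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/simple-example.html")
browser_logs = driver.get_log("browser")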
and, in browser_logs look for
{u'timestamp': 1483366797638, u'message': u'Blocked loading mixed active content "http://googlesamples.github.io/web-fundamentals/samples/discovery-and-distribution/avoid-mixed-content/simple-example.js"', u'type': u'', u'level': u'INFO'}
{u'timestamp': 1483366797644, u'message': u'Blocked loading mixed active content "http://googlesamples.github.io/web-fundamentals/samples/discovery-and-distribution/avoid-mixed-content/simple-example.js"', u'type': u'', u'level': u'INFO'}
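Turning log entries like the two above into a test assertion, written in JavaScript because the question uses the Node.js driver. This is an added example, not code from the answers; the entries are constructed, and the second message wording (for display content that is loaded rather than blocked) is an assumption about what the log may contain.

```javascript
// Constructed browser-log entries shaped like the lines quoted above.
const sampleLogs = [
  { level: 'INFO', message: 'Blocked loading mixed active content "http://cdn.example.test/app.js"' },
  { level: 'INFO', message: 'Blocked loading mixed active content "http://cdn.example.test/app.js"' },
  // Assumed wording for mixed display content that was loaded, not blocked.
  { level: 'WARNING', message: 'Loading mixed (insecure) display content "http://img.example.test/logo.png" on a secure page' },
  { level: 'INFO', message: 'GET https://example.test/ok.css 200' },
];

// Returns one record per insecure URL, with how often it was logged,
// whether it was active or display content, and whether it was blocked.
function findMixedContent(entries) {
  const seen = new Map();
  for (const { message = '' } of entries) {
    if (!/mixed\b.*content/i.test(message)) continue;   // unrelated log line
    const url = (message.match(/"(http:\/\/[^"]+)"/) || [])[1];
    if (!url) continue;                                 // no insecure URL quoted
    if (!seen.has(url)) {
      seen.set(url, {
        url,
        kind: /active/i.test(message) ? 'active' : 'display',
        blocked: /^Blocked loading/i.test(message),
        count: 0,
      });
    }
    seen.get(url).count += 1;
  }
  return [...seen.values()];
}

// A test would fail the page when this list is not empty.
console.log(findMixedContent(sampleLogs));
```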

Pitfalls of accessing a webserver on 127.0.0.1 from js with a public site

I'm thinking about exploring the idea of having our client software run as a service on a high port and listen for simple http GET requests from 127.0.0.1. The theory is that I would be able to access this service via js from a web page that is served from my site.
1) User installs client software that installs itself as a service and waits for authenticated requests on 127.0.0.1:8080
2) When the user hits my home page js on the page makes an xhtml request to 127.0.0.1:8080 and asks for the status
3) The home page then makes another js request back to my web server sending the status that it received.
This would allow my users to upload/download and edit files on a USB attached device in real-time from a browser. Polling could be the fallback method which is close to what we do today.
Has anyone done this and what potential pitfalls are there? Will this even work?
I can't see any potential pitfalls. I do have a couple of points however.
1/ You probably want to make sure your service only accepts incoming connection from the local machine (127.0.0.1). Otherwise, anyone could look at your JavaScript and figure out that it's talking to [your-ip]:8080. They could then try that themselves from a remote site (security hole).
2/ I wouldn't use port 8080 as it's commonly used for other things (alternate HTTP servers, etc.). Make it configurable and choose a nice high random-type value.
3/ I'm not sure what you're trying to do with point 3 but I think you're trying to send the status back to the user. In which case, why wouldn't the JavaScript on your home page just get the status in a single session and output/update the HTML to be presented to the user? Your "another js request back to my web server" doesn't make sense to me.
You may not be able to do an XML HTTP request to 127.0.0.1 as XMLHTTPRequest is usually limited to the same domain as the main content is being served from. I'm not sure if this restriction applies if the server is on the client's machine. That being said, you could still create a <script> tag that had the src pointing to 127.0.0.1, and have the web server return some JavaScript to run. If you only need a simple response, this could work well.
I think it is much better for you to avoid implementation of application logic in JavaScript and html. Once user clicks button on a web page JavaScript should send request to your service and allow it do the rest of the work.
You could have problems with step 1 (Client installs itself) depending on your target user base.
You will need a customised install for each supported environment (Win2K, Vista, Linux, MAC OS 9.0/10.0 etc.).
If your user is on a locked-down work PC this simply won't be allowed.
To some users this might look distressingly similar to a trojan unless you explicitly point out you will be installing software that runs as a service.
You didn't mention an uninstall procedure. Users resent "Adobe"-like software which installs itself and provides no sensible un-install options.
Otherwise the approach is sound, and there are a couple of commercial products out there that use exactly this approach!
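A loopback-only status service for the scheme in the question, following the advice above to accept connections only from the local machine. This is an added example, not code from any of the posts; it goes further than the answers by also checking the Host and Origin headers, and the port, the site origin and the function names are assumptions.

```javascript
const http = require('http');

const PORT = 49321;                               // assumed port; make it configurable
const ALLOWED_ORIGIN = 'https://www.example.com'; // assumed origin of the public site
const LOOPBACK = new Set(['127.0.0.1', '::ffff:127.0.0.1']);

// Pure policy function, so the rules can be tested without opening a socket.
function decide({ remoteAddress, method, host, origin }) {
  if (!LOOPBACK.has(remoteAddress)) return { status: 403, reason: 'non-local peer' };
  // A Host other than our own literal address means the browser reached us
  // through some other name that resolves to 127.0.0.1, so refuse it.
  if (host !== `127.0.0.1:${PORT}`) return { status: 403, reason: 'unexpected Host' };
  // Only script served from the public site may read the status.
  if (origin !== ALLOWED_ORIGIN) return { status: 403, reason: 'origin not allowed' };
  if (method !== 'GET') return { status: 405, reason: 'GET only' };
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json',
      'Access-Control-Allow-Origin': ALLOWED_ORIGIN, // one origin, never "*"
      'Vary': 'Origin',
    },
  };
}

function startService(getStatus) {
  const server = http.createServer((req, res) => {
    const verdict = decide({
      remoteAddress: req.socket.remoteAddress,
      method: req.method,
      host: req.headers.host,
      origin: req.headers.origin,
    });
    res.writeHead(verdict.status, verdict.headers || {});
    res.end(verdict.status === 200 ? JSON.stringify(getStatus()) : verdict.reason);
  });
  // Binding to 127.0.0.1 rather than 0.0.0.0 keeps the port off the network.
  server.listen(PORT, '127.0.0.1');
  return server;
}

// To run the service: startService(() => ({ device: 'connected' }));
```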
