How to display webpages only via the web app

Hi all,
I think this question probably/hopefully has a simple answer.
I have created a membership web app on Xojo Cloud.
I have a login page and a content index for registered users.

I want to be able to display content via webHtmlViewer only to those who have gained access via login.
If I place the content html pages within the ‘web/myapplication/Documents’ folder then the url can be copied
whilst viewing the iframe content and used to gain direct access to those pages, bypassing the app login.

Is there a simple way to display html pages only to those who have successfully logged in via the web app???

Thanks in advance.

There may be other ways, but off the top of my head…

  • Place the pages in a location that is not automatically served.
  • Construct your URLs to those pages so that they include some form of identifier.
  • Use WebApplication.HandleURL or WebApplication.HandleSpecialURL to intercept URLs to those pages.
  • In your HandleURL or HandleSpecialURL event handler check the identifier, make sure the user is logged in and allowed to view the page, and then open/read/serve it via the WebRequest object that’s passed to the handler.

I would probably use a one time unique ID with which I could find the user’s Session object, make sure they’re logged in, make sure they have permission, and also make sure the request is coming from the same IP address. I would not pass any of that information itself via the URL, otherwise someone could still fake their way to the document.
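The checks listed in the post above, as an added sketch that is not part of the thread and is not Xojo code: Python stands in for the HandleSpecialURL handler, and `Session`, `issue_ticket`, `revoke_ticket`, `handle_request` and the sample files and addresses are hypothetical names constructed here. It assumes a per-login random ID rather than a single-use one, so that the page's own script and image requests can reuse it.

```python
import secrets
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class Session:                  # hypothetical stand-in for the app's session object
    logged_in: bool
    remote_ip: str

SESSIONS = {}                   # opaque ticket -> Session, kept server-side only

def issue_ticket(session):      # call after a successful login
    ticket = secrets.token_urlsafe(32)   # random; carries no user data itself
    SESSIONS[ticket] = session
    return ticket

def revoke_ticket(ticket):      # call on logout or session timeout
    SESSIONS.pop(ticket, None)

def handle_request(private_root, url_path, remote_ip):
    """Serve '<ticket>/<relative path>' from private_root; returns (status, body)."""
    ticket, _, rel = url_path.strip("/").partition("/")
    session = SESSIONS.get(ticket)
    if session is None or not session.logged_in:
        return 403, b""         # unknown, revoked or logged-out ticket
    if session.remote_ip != remote_ip:
        return 403, b""         # copied URL replayed from another address
    root = Path(private_root).resolve()
    target = (root / rel).resolve()      # collapses ../ before the containment check
    if root not in target.parents or not target.is_file():
        return 404, b""
    return 200, target.read_bytes()

def demo():                     # constructed sample files and addresses
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "private")
        (root / "res").mkdir(parents=True)
        (root / "content.html").write_bytes(b"<html>page</html>")
        (root / "res" / "anim.js").write_bytes(b"// script")
        Path(tmp, "secret.txt").write_bytes(b"outside")
        ip = "203.0.113.5"
        t = issue_ticket(Session(True, ip))
        urls = [f"{t}/content.html", f"{t}/res/anim.js",
                f"{t}/../secret.txt", "guess/content.html"]
        codes = [handle_request(root, u, ip)[0] for u in urls]
        codes.append(handle_request(root, urls[0], "198.51.100.9")[0])
        revoke_ticket(t)
        codes.append(handle_request(root, urls[0], ip)[0])
        return codes
```

`demo()` returns the status for the page, its script, a `../` path, a guessed ticket, a request from another address, and a request after logout, in that order.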

Thanks Daniel

That sounds like a very comprehensive solution, thank you. As my understanding is pretty limited, I will give you a more detailed description of my intentions to check your method is still valid.

I am creating a large amount of animated content using Tumult Hype. Hype creates a simple html and resources folder (containing the javascript and image files etc.) which I have placed within the ‘/myapplication/documents’ folder.

-How would I address the ‘content.html’ if it was placed outside of the ‘web/myapplication/Documents’ folder using showurl.

Knowing a bit more about my intentions would you still recommend the solution you provided?

Tried loading the html from the shared_documents directory with:

[code]dim f as folderItem
f = specialFolder.SharedDocuments.child("my content.html")

if f.exists then
  me.LoadPage(f.nativePath)
else
  msgbox("oops")
end if[/code]

The native path gives me “/home/sites/www.example.com/Shared_Documents/mycontent.html” odd ??

I’m not sure how to answer that. Of the three approaches I can think of it’s the most robust, flexible, and secure. It’s also the most technical and the most work to implement. I’ve done it before so to me it seems simple. But I have to admit it might be a pain for someone not familiar with HandleSpecialURL, WebRequest, and the inner workings of a web server.

But the other two approaches that come to mind have their own problems. They are…

WebHTMLViewer.LoadPage
Your mistake in the code above is that you’re passing a URL to LoadPage when it expects HTML. You would read the file with a BinaryStream or TextInputStream and pass that HTML string to LoadPage. However, in your sample code the page is still in your public folder which means a savvy user can still access it. Depending on server settings and/or naming conventions it might even be trivial to access.

You could place the page in a private location and .LoadPage the HTML. But this is only going to work if the HTML does not link to any resources that have to sit beside the page on your server. Those resources will not be served by Apache from a private location outside your web folder. If it links to public resources on another server, or in your web folder, then it will still work fine. That of course raises the question of whether or not those resources should be public, or should be limited like the HTML page itself.

.htaccess
You could set an Apache .htaccess file in web/myapplication/Documents. Deny access to everyone. When a user logs in, add a line allowing them to access the folder. (This can be done via IP address or cookie.) When the Session closes due to logout or timeout, remove that line. If your application crashes then on restart it has to “clean” the .htaccess file and delete all the allow lines. While down, anyone who was allowed before the crash will continue to have access until your application starts and cleans .htaccess.

It should be noted that depending on your .htaccess code, you might end up allowing everyone logged in to see any file in the location. This wouldn’t work if you were generating HTML files of personalized medical results, for example.

The .htaccess approach feels like more of a “hack” to me but it should be workable. It has the advantage of preserving all your existing code. You just have to add code to create/manage the .htaccess file.

To answer your first question: if it was my code base I would go the HandleSpecialURL route unless the pages were entirely self contained and could therefore be easily served via WebHTMLViewer.LoadPage.

Hi Daniel,
After hours of scratching about I have been able to create webfiles for the content however there seems to be a problem in the referenced javascript file in the html.

[code]

problem area>>>>>
[/code]

the src (javaURL) is not the problem as this is replaced with the webfile.url and works fine, it seems xojo just doesn’t like the reference to the script.

Do you have any idea why?? Thanks again :slight_smile:

In an HTML page, you've got to reference the library before using it. Xojo has nothing to do with it whatsoever.

https://www.w3schools.com/js/

Hi Michel,

Can you give me an example to explain your statement more fully?
The JavaScript referenced by the html is, as previously mentioned, the body of the page itself in that it contains complex animations, images, text, buttons etc.
Are you saying Xojo is not capable of displaying a webpage containing complex JavaScript within an html viewer?

Can you provide the actual source of the page that is generated when you expect it to work? You can do this by going into the developer tools, inspecting the DOM for that area, and pasting it here. That includes not redacting the URL for the javascript. We can’t provide any answers without seeing the actual problem.

WebHTMLViewer is an iframe. It’s fully capable of everything the web browser is, but it has security requirements that may be getting in the way of hacky things you’re used to being able to do in the desktop version.

I’m not sure you’ve explained your problem fully, what do you mean by “just doesn’t like the reference to the script.”?
What did you expect to happen?
What actually happened?

[quote=439165:@James Moore]Hi Michel,

Can you give me an example to explain your statement more fully?
The JavaScript referenced by the html is, as previously mentioned, the body of the page itself in that it contains complex animations, images, text, buttons etc.
Are you saying Xojo is not capable of displaying a webpage containing complex JavaScript within an html viewer?[/quote]

James, all you posted was a very simple HTML page. I assumed that was to be displayed through HandleURL.

[quote]I want to be able to display content via webHtmlViewer only to those who have gained access via login.
If I place the content html pages within the ‘web/myapplication/Documents’ folder then the url can be copied
whilst viewing the iframe content and used to gain direct access to those pages, bypassing the app login.

Is there a simple way to display html pages only to those who have successfully logged in via the web app???[/quote]

I am looking for the simplest solution to the above… The problem only occurs when I move the location of the html and resources file to the Shared_Documents folder. I moved the html and resource folder to the Shared_Documents folder as it is not a public folder.

Hi everyone, thanks for spending time on this,
to make things a little clearer here is the url to the web app in question

https://www.balmyandzen.co.uk/MyApplication-Dev

Ignore the listbox and menus.

@Tim Parnell let me know if you need more info

I have created 2 buttons to replicate the action of the listbox.
Clicking the top button demonstrates the problem I’m having and does not display the html properly.

I have put in message boxes to show the state of the html etc.

Hope this makes it a bit clearer…:slight_smile:

I get the following errors trying the top button:

If I download https://www.balmyandzen.co.uk/MyApplication-Dev/index.cgi/84C8BA4B8EEBEFE9F79B2D6DE6772C10AA84BEBB/files/3666-7850-4318-4622-2869/javaURL directly I get an HTML file with a similar div section to the main file, and not a JavaScript file.

This common div section between all three (top button, bottom button, getting the javaURL directly) opens with the following:

<div id="wisdomseekers_hype_container" style="margin:auto;position:relative;width:100%;height:2652px;overflow:hidden;">

In the working page that same div references an actual script file at: WisdomSeekers.hyperesources/wisdomseekers_hype_generated_script.js?83652

Reading past messages and trying to make sense of it all…

  • javaURL is not getting replaced with a real JavaScript reference.
  • Even if it were to be replaced, if that JavaScript file does not exist in your public folder it will not be served. If it’s in your public folder, someone can grab it and access content later.
  • I’m a little confused as to why the URL that ends in javaURL returns a small HTML document with that same div section again.

Going back to my older post: if you’re trying to securely display HTML content which links to external resources that also must be secured then I don’t think there is a simple solution. You end up having to handle the requests yourself (HandleSpecialURL), authenticating each request.

Thanks Daniel for checking that out for me.

I am not clear on the structure and process of the app.handlespecialurl method you kindly suggested.

-Where would the content html and javascript/resources files be located? to avoid public access without logging in wouldn’t they have to be stored in the shared_documents directory and if so wouldn’t that create the same problem I have highlighted?

I must admit on the surface this looks like a very simple project to take on and is proving to be anything but :frowning:

With HandleURL or HandleSpecialURL you control the URL and what is returned to the client browser. But that also means you have to do the work of parsing requests and returning the right resource.

Xojo Cloud includes Apache to serve static resources. Apache serves everything unless instructed to do otherwise via the config file or .htaccess. If you want to control the process then you have to either “talk to” Apache (via .htaccess) or take control of the process of serving the secured files.

You might try storing your html pages in a database that can only be viewed in the WebHTMLViewer in your app.