Kaju self-updater talk (v.2.x)

Your website shouldn’t allow the call to http anymore.

I did a quick check with the https and async execution. There is a status 200 and then - of course - the RSA signature can’t be verified. But the basics look okay.

A test project or app would help.

I think that is an overbroad generalization. There is absolutely zero user data or anything on my website that would need security. I know it’s in vogue to have everything locked down but in reality there’s nothing that needs to be secure on my site.

[quote]
I did a quick check with the https and async execution. There is a status 200 and then - of course - the RSA signature can’t be verified. But the basics look okay.[/quote]

Kaju uses synchronous execution. Not sure why there would be a signature issue.

I’ll put something together in the next couple days.

There is now also an asynchronous call that uses the new framework class. Eventually I’ll switch both over to URLConnection, but for now, the async call is more compatible.

OK. I’ll update then as that will probably make the UI a bit smoother. If a user can’t access my site for whatever reason, the program hangs a bit while waiting for the synchronous call. So that would be nice to have. Still doesn’t solve the issue of why my existing users don’t see updates…

Alright, I updated and am using the Async method. I keep getting the following error:

I am not able to get the test app to work with Kem’s servers either. I get the same thing.

I just updated the develop branch to include the custom plist entry to allow access to insecure links on the Mac, and it now works fine here. Please get that branch and try again.

But I am using Https.

If you tried my site through the test app, it does not use https. Have you tried your site through the test app?

OK. I want to try HTTPS. The whole reason I am doing this is that I am having users report to me that they are not getting update information delivered to them. I get it every time I try. So I am wondering if it’s some sort of new HTTPS thing since everyone seems to think that you must use HTTPS to even do things that don’t need security. Beyond that, do you have any idea why I see updates but others don’t? I’m using a server outside my own network.

Firewall or DNS issues are the only things that come to mind.

The new mantra from the “security” folks is anything that uses non-HTTPS is bad bad bad bad. In their minds everything has to be “secured” or else. This includes internal communications between two servers within their own datacenter. It even includes communication via TCP packets on its own servers (like connecting to a port on 127.0.0.1 … )

I get why security folks would rather we use HTTPS over HTTP. But common sense doesn’t come into play when they apply the security rules, mostly because if there is ever a breach, the end users/public don’t care about common sense, just about the blanket rules.

Now this doesn’t address why it’s not working but could explain why people are asking for HTTPS. If not, please ignore me.

–sb

[quote=429306:@scott boss]The new mantra from the “security” folks is anything that uses non-HTTPS is bad bad bad bad. In their minds everything has to be “secured” or else. This includes internal communications between two servers within their own datacenter. It even includes communication via TCP packets on its own servers (like connecting to a port on 127.0.0.1 … )

I get why security folks would rather we use HTTPS over HTTP. But common sense doesn’t come into play when they apply the security rules, mostly because if there is ever a breach, the end users/public don’t care about common sense, just about the blanket rules.

Now this doesn’t address why it’s not working but could explain why people are asking for HTTPS. If not, please ignore me.

–sb[/quote]
I agree with you completely. It’s just like all the sandboxing that Apple has done. There’s never been a problem with security on Apple devices. Yet Apple goes through all these insane hoops under the pretense that it “could” happen. Yeah, and I could buy a winning Lotto ticket as well. Doesn’t mean it will happen. Much of these policies are solutions looking for a problem. They simply don’t make sense and not all devices will or should support them. Until people use common sense instead of the panic of group think and Chicken Little, this stuff will only get worse.

Yeah, but that doesn’t make sense. As I’ve had people manually test my update URL in a browser and they get that but they still don’t get notified about the update. I wonder if there’s something else I’m doing wrong…

Kem,

I tried this and am still getting the Security Token error. I then tried your site and it was fine. So I went back and tried mine without the RSA key. I got the error the RSA key didn’t match. So that was good. Then I put the key back in and tried. Still got the security token error.

I then looked at this code:

    for i as integer = 0 to ub
      //
      // Make sure it has a Security Token
      //
      dim thisElement as JSONItem = j( i )
      if thisElement.Lookup( kNameSecurityToken, "" ) = "" then
        raise new KajuException( KajuLocale.kMissingReason + " security token", CurrentMethodName )
      end if

      dim thisInfo as new Kaju.UpdateInformation( thisElement )

      //

The JSONItem, j, has all the data in it that it should have. I don’t know what this security token is. I use your Admin app to generate the JSON UpdateInfo file.

What am I missing here?

Jon

Please put a breakpoint in your code after the JSON is downloaded, then copy and paste the complete data, including the signature, here.

Are you sure you used a recent version of that admin to generate the file?

Here is the Value of the JSON Item Created with this code:

    Private Function ProcessUpdateData(raw As String) As Boolean
      // Return true if there was no error or if the user wants to try later

      mResult = ResultType.NoUpdateAvailable // Assume this is true

      dim j as new JSONItem( raw )
      dim versionDouble as double = if( DryRun, -1.0, Kaju.VersionToDouble( Kaju.AppVersionString ) )

      //
      // Get an array of the info
      //
      dim ub as integer = j.Count - 1
      dim info() as Kaju.UpdateInformation
      dim updateIsRequired as boolean

The forum is not letting me post the data. It must be too long…

I’m using the same version of Admin I’ve been using for the last couple years - 2.0. My Kaju code in my app hasn’t been touched in a long time until I started trying to tackle this now.

I’m not sure how to help you. The security token is just random characters designed to make the signature of the packet different even when the content is the same. It’s actually not technically needed, but a nice security addition. The admin generates it along with the rest of the JSON.

Maybe download the admin from the develop branch and re-save your update information with it.

I just got your email and, sure enough, the security token is missing. You must be using an old version of admin as that was introduced in 2.1.
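
Added example (not part of the thread and not Kaju code): a publish-side check in Python for the failure diagnosed above, where update entries written by an older admin tool lack the security token and the client rejects them. The key name `SecurityToken`, the sample fields, and the use of a SHA-256 digest as a stand-in for the RSA signing step are assumptions made for illustration.

```python
import hashlib
import json
import secrets

# Assumed key name; the thread only shows the constant kNameSecurityToken.
TOKEN_KEY = "SecurityToken"


def missing_tokens(raw):
    """Return the indexes of update entries with no (or an empty) token."""
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of update entries")
    bad = []
    for i, entry in enumerate(entries):
        token = entry.get(TOKEN_KEY, "") if isinstance(entry, dict) else ""
        if not isinstance(token, str) or token == "":
            bad.append(i)
    return bad


def add_tokens(raw):
    """Re-save the entries, giving each one a fresh random token."""
    entries = json.loads(raw)
    for entry in entries:
        entry[TOKEN_KEY] = secrets.token_hex(16)
    return json.dumps(entries, sort_keys=True)


def signed_digest(raw):
    """SHA-256 of the bytes a signer would sign (stand-in for the RSA step)."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


# Constructed sample: entries as an older admin tool might write them.
OLD_STYLE = json.dumps([
    {"AppName": "Example", "Version": "1.2.0"},
    {"AppName": "Example", "Version": "1.3.0"},
])

if __name__ == "__main__":
    print("entries missing a token:", missing_tokens(OLD_STYLE))
    first, second = add_tokens(OLD_STYLE), add_tokens(OLD_STYLE)
    print("after re-save:", missing_tokens(first))
    print("same content, different digest:",
          signed_digest(first) != signed_digest(second))
```

Running a check like this before uploading catches the condition that otherwise only shows up as clients reporting a missing security token.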