November 2009 Archives

WPF Commands and Command Target


So, I had an interesting problem today. We are using a WPF DataGridView in our application and were having problems with the main menu of the window getting all its elements disabled whenever the datagrid was in row or cell edit mode.

At first we thought it had something to do with our 'single click checkbox in grid'-code, but it turned out it had something to do with command targets and how command targets are used to enable/disable commands.

The default command target is the currently active control in the window (the control with focus) - in our case the data grid being edited. The behaviour of a datagrid in edit state is to disable all commands connected to it. Therefore our commands (menus) were getting disabled whenever the datagrid was in edit mode.

The fix is always simple once you know the problem - in our case, set the command target to something else that does not cause the command to be disabled. We changed it to the main window using the following code:

<MenuItem x:Name="mnuClose" Header="E_xit" Command="ApplicationCommands.Close"
    CommandTarget="{Binding ElementName=MainWindow}"
    InputGestureText="Alt-F4"></MenuItem>

There is one more gotcha with the above - make sure you commit all changes in the window to the model before actually handling the exit. If you do not, you may lose the last edit the user did - which is bad.

Cheers!

Cookie based authentication does not work with Excel


So I had a fun out-of-IE security 'experience' last week.

Background: On the project I am currently working on, we have a .NET web-site that uses form-based authentication to set an authorization cookie value (a simple username and password request that sets up a session variable storing the user's authentication ticket - the session variable is carried between requests using cookies). The web-site will allow you to stay logged in for a long time, so you do not have to always enter your username and password.

The web-site is based on Microsoft's MVC implementation, so navigation to 'objects' on the web-site is quite easy to figure out for users, and they go off creating their own URLs to access data (which is a good thing).

Now we got a call from a customer trying to create simple links in Microsoft Excel spread sheets, to navigate to details about the current spread sheet row. Simple enough you think, I think not.

Problem: Some security expert (I assume) at one of the largest IT companies in the world, figured out that sending cookies on web-requests from Excel is a bad thing. E.g. when you select a URL link in Excel, the resulting request in IE will *never* send any cookies. The request will open up in Internet Explorer fine, but it sucks that the users have to log onto our system for each row they access.

If you based authentication on sessions or cookies, you are basically stuck.

I Bing'ed (that didn't work, sorry... I 'searched') around on the net, trying to locate information that could help resolve the simple 'web link in Excel spreadsheet does not work' etc. With little luck.

Reworking the authentication scheme on the web-application was not going to happen, so I needed to come up with something to solve what one would think to be a simple problem.

Solution: I noticed that after accessing the first link from Excel and entering my form-based user name and password, everything worked fine. It was only the first request that caused a problem. Ok, what if we create a proxy page that does not require any authentication, but forwards the user to the page they actually wanted?

So I built a proxy page with the following simple HTML and JavaScript code (note this is clean HTML/JavaScript, so it will work with any .Net, Java, Tomcat, Perl, Python, etc. web-page that needs cookies to work). For those of you that like spoons, place the HTML code below in a file called redirect.htm and place it anywhere available on the net. Make sure you change the URL in the code to point to the correct web-site as well.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Redirect Page</title>
</head>
<body>
Please wait, redirecting...
<script type="text/javascript">
<!--
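// Returns the raw value of the given query-string parameter,
// or an empty string when the parameter is absent.
function getQuerystring(key)
{
  key = key.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regex = new RegExp("[\\?&]"+key+"=([^&#]*)");
  var qs = regex.exec(window.location.href);
  // exec() returns null when there is no match; guard before indexing
  return qs ? qs[1] : "";
}
// The fixed site prefix keeps the redirect on this web-site
window.location = "http://www.vc2go.com/" + getQuerystring('page');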
//-->
</script>
</body>
</html>

So now accessing http://www.vc2go.com/redirect.htm?page=authentication.aspx will fire up the redirect code above and redirect the user to http://www.vc2go.com/authentication.aspx - the clue being that the redirected request will in fact have all the user's cookies set up and authentication will no longer be a problem.
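Because redirect.htm runs without authentication and builds its target from the query string, the target should be checked before navigating. The following is an added example, not the code from the original post: it resolves the `page` value with the URL API and only accepts targets on the site's own origin. `SITE_ORIGIN` is the site used on the page; `DEFAULT_PATH` and the function name `resolveRedirect` are assumptions.

```javascript
// Added example: validated target resolution for the redirect page.
// SITE_ORIGIN is the site used on the page; DEFAULT_PATH is a hypothetical fallback.
const SITE_ORIGIN = "http://www.vc2go.com";
const DEFAULT_PATH = "/";

function resolveRedirect(href) {
  const fallback = SITE_ORIGIN + DEFAULT_PATH;
  let page;
  try {
    // searchParams.get() percent-decodes the value and returns null when absent
    page = new URL(href).searchParams.get("page");
  } catch (e) {
    return fallback;
  }
  if (!page) return fallback;

  let target;
  try {
    // Resolve the value the way a relative link on the site would be resolved
    target = new URL(page, SITE_ORIGIN + "/");
  } catch (e) {
    return fallback;
  }
  // Absolute and protocol-relative values resolve to another origin: refuse them
  if (target.origin !== SITE_ORIGIN) return fallback;
  // Never bounce back to the redirect page itself
  if (target.pathname.toLowerCase() === "/redirect.htm") return fallback;
  return target.href;
}

// In the browser, navigate without leaving redirect.htm in the history
if (typeof window !== "undefined") {
  window.location.replace(resolveRedirect(window.location.href));
}
```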

Ending: This was a happy ending. I never really figured out why the cookies did not get passed over, but assumed it to be a security expert that thinks good security is turning off your PC. It will keep you secure, but it makes it harder to use the tools on your PC.

About this Archive

This page is an archive of entries from November 2009 listed from newest to oldest.
