Closed GoogleCodeExporter closed 9 years ago
Sorry, I accidentally submitted the issue without filling out the other
sections in the template.
I'm using gwt-crypto-2.3.0-20110518.123759-2.jar
OS - Windows XP SP3
GWT - v2.1
GAE for Java - v1.5.3
I'm also using SmartGWT v2.5 (not sure whether that is relevant here).
Original comment by harwinde...@gmail.com
on 26 Aug 2011 at 8:59
What modules (AES, RSA, digest, etc.) of the crypto are you using? Did you try
to use wireshark to track the communication with your server from home/company
and compare them, are there any notable differences? Does your company uses
some other networking equipment (proxies, firewalls) that could somehow
intercept your web content? Also try to use newer GWT, it could possibly solve
your problem. I honestly cant figure out why firewall should block some http
communication if there is some more JS in it or if it has encrypted content.
For which purpose are you using the crypto? Maybe we could figure some other
way to use it in order to make this work.
Original comment by rame...@gmail.com
on 31 Aug 2011 at 6:28
First of all, thank you. I'm glad to see your response. I'm just using the
TripleDesCipher to encrypt and decrypt the content following the example
mentioned on your usage page:
http://code.google.com/p/gwt-crypto/wiki/Usage
I'm not sure what you call that module as. This is the first time I've heard
about Wireshark, but I'll explore more on that. Today I talked to some network
security guys in my company, but could not talk to the key guys. From what I've
learned so far, we are using Juniper equipment and it has had problems with GWT
applications in the past. Exactly what those problems were are still not clear
to me. I'll get the details soon.
I'll try to upgrade to the latest version of GWT that is support for SmartGWT
and check the result.
Regarding the purpose: I'm developing an exam prep system. I noticed that all
the content (collection of questions and answers), which is sent from the
server, is visible in plain text in Firebug. I didn't really feel comfortable
with that. I wanted to add a layer of obscurity (not really security) to the
content that comes over from the server to the client. I came across
gwt-crypto, followed the example given on the usage page, and got exactly what
I wanted within a few minutes. So, my purpose is to really obfuscate the
content, and not really secure it.
If you can suggest other means of achieving the same result, that will be
great.
Thanks again.
Original comment by harwinde...@gmail.com
on 31 Aug 2011 at 8:25
Here are some updates on this:
1. The issue is still unresolved. The network team (including the network
security team) spent almost 2 days investigating into this, but could not find
anything wrong. According to them, no packets were getting dropped anywhere.
2. If I use SSL, then the app works behind the firewall too. For example
http://www.myapp.com does NOT work, but https://myapp.appspot.com works.
3. I also upgraded to GWT 2.4, but that didn't help.
4. Interestingly, even the onModuleLoad() of my app does not get called when I
have encryption enabled, even though there's no encryption/decryption at the
point of loading the application. Encryption / decryption only kicks in when
user performs a particular action, which invokes an RPC call. So, I'm not sure
why the onModuleLoad() is not invoked.
5. In the meanwhile, few other users of my app have also reported the same
issue - the app doesn't load in their corporate network.
I haven't tried wireshark yet.
Thanks.
Original comment by harwinde...@gmail.com
on 16 Sep 2011 at 4:01
One more point:
When encryption/decryption is turned on (I use a boolean constant to turn the
encryption/decryption on/off), I noticed that the *.cache.html seems to get
truncated, not entirely blocked.
Original comment by harwinde...@gmail.com
on 16 Sep 2011 at 4:58
That's really interesting, even more so if you say the app works anywhere if
transferred via SSL.
Wireshark (as you probably know now is packet sniffing software I use a lot
when dealing with these kind of problems) might help you catch the transmission
problem but if your network guys are saying it isn't the problem then I guess
they are right.
Can you confirm that your browser downloads the JS code successfully in both
cases (HTTP/HTTPS or corporate/home) and that there are no errors in JS console?
I suppose that this issue can be seen on any browser not just FF? I had some
problems with Chrome that refused to load/run some JS from my intranet, but
thats probably different issue.
What you may try is to use code splitting
(http://code.google.com/intl/cs-CZ/webtoolkit/doc/latest/DevGuideCodeSplitting.h
tml) and place your decryption code there, this way you can tell whether the
app starts running (onModuleLoad gets called) which might point you to a
solution.
Original comment by rame...@gmail.com
on 10 Oct 2011 at 7:00
My understanding is that was due to https on appengine. Not related to gwt-crypto
Original issue reported on code.google.com by
harwinde...@gmail.com
on 26 Aug 2011 at 5:37