Prevent non-login user can see source codes
Posted: Fri Nov 25, 2016 5:42 pm
by MegumiSawada
Hi
The customer would like to use form authentication.
Before login (using the popup login window), users can see the source code of the js files by executing the following URLs, for example:
http://localhost:8081/lansav14/dev/XXXX.js
http://localhost:8081/lansav14/lansa_14_1_0_3/lansa.js
Is it possible to prevent users from seeing this source code if they are not already logged in?
I appreciate your kind advice.
Best Regards,
Megumi Sawada
Re: Prevent non-login user can see source codes
Posted: Sat Nov 26, 2016 7:31 am
by dannyoorburg
Hi Megumi,
You can't prevent people seeing source code in a browser... that's why pretty much everybody delivers their source code obfuscated (all meaningful names gone).
LANSA does the same.
If you compile RDML without the Debug flag on, it will also be obfuscated (in as much as we can without stopping individually compiled components interacting with one another). So make sure that's done before you deploy.
There are several techniques to make sure the bulk of the application doesn't load until after the login. But the login code itself (obviously) has to be there and is potentially readable for a tech-savvy end user. But so is the source code for Facebook and every other web application out there.
Regards,
Danny
Re: Prevent non-login user can see source codes
Posted: Tue Dec 06, 2016 3:16 pm
by MegumiSawada
Hi Danny,
What the customer would like to do is what Apache mod_auth_form can achieve.
http://httpd.apache.org/docs/trunk/mod/ ... _form.html
Using mod_auth_form, it seems user authentication can be done on Apache only, not with the web server.
Is it possible to implement like this with VLWeb?
Best Regards,
Megumi Sawada
Re: Prevent non-login user can see source codes
Posted: Tue Dec 06, 2016 4:55 pm
by Stewart Marshall
Hi Megumi
There is nothing in VL Web for this, but there's nothing to stop a customer implementing it themselves and redirecting to the VL web page when successful.
The VL Web equivalent would be to present a page which only shows a sign in dialog. When successful, use a SRVroutine with a response(*WebPage etc) to serve the real application. This ensures that the majority of the application remains completely hidden from the user.
Is there a particular reason that the customer wants to hide the generated JavaScript?
Regards
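An Apache httpd configuration for the mod_auth_form approach raised in this thread, added here as an example and not taken from any poster or from LANSA. The `/login/` path, the htpasswd file location and the post-login target are assumptions, as is the premise that the VL Web application keeps working behind this gate; only the `/lansav14/` prefix comes from the URLs in the first post.

```apache
# Added example: gate everything under /lansav14/ (including the .js files)
# behind form authentication handled by Apache itself.
# Needs mod_auth_form, mod_request, mod_session, mod_session_cookie,
# mod_session_crypto, mod_authn_file and mod_authz_user loaded.

<Location "/lansav14/">
    AuthType form
    AuthName "vlweb"
    AuthFormProvider file
    # Hypothetical path; create the file with the htpasswd tool.
    AuthUserFile "/etc/apache2/vlweb.htpasswd"
    # Requests without a valid session are redirected here instead of
    # being served the JavaScript.
    AuthFormLoginRequiredLocation "/login/login.html"
    Session On
    # Add ";Secure" once the site is served over HTTPS.
    SessionCookieName session path=/;HttpOnly
    # Placeholder: use a long random value and keep it out of version control.
    SessionCryptoPassphrase "REPLACE_WITH_LONG_RANDOM_SECRET"
    Require valid-user
</Location>

# The login page must stay reachable without a session (assumed location).
<Location "/login/">
    Require all granted
</Location>

# Target of the login form's POST. The form fields use mod_auth_form's
# default names: httpd_username and httpd_password.
<Location "/login/dologin">
    SetHandler form-login-handler
    AuthType form
    AuthName "vlweb"
    AuthFormProvider file
    AuthUserFile "/etc/apache2/vlweb.htpasswd"
    AuthFormLoginRequiredLocation "/login/login.html"
    # Placeholder: replace with the URL of the real VL Web page.
    AuthFormLoginSuccessLocation "/lansav14/APPLICATION_PAGE_PLACEHOLDER"
    Session On
    SessionCookieName session path=/;HttpOnly
    SessionCryptoPassphrase "REPLACE_WITH_LONG_RANDOM_SECRET"
</Location>
```

This only withholds the files from visitors who have not signed in; any authenticated user can still read the delivered JavaScript in the browser, so compiling without the Debug flag remains relevant.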