
Monday, May 11, 2015

Redirecting from an external hyperlink to a View in an XAF Web app with the ASP.NET Forms Authentication - YOUR FEEDBACK IS NEEDED

I wanted to ask the XAF community members interested in this functionality to test a simpler solution to the problem described in this thread. Long story short, you have a hyperlink to an XAF Web application form like this: 


and want to include it in an email and send it to a user so that he or she is able to navigate to that view on your web site (e.g., open a user profile or changed order details). If that app has a security system with a logon form enabled, the URL fragment after # is cut off after a successful authentication, so navigation to the required app screen is not possible by default. Instead, the part of the URL before the hash symbol is opened (see similar threads on Stack Overflow for more details: one, two, three).
There was a tricky solution to work around the default ASP.NET request processing mechanism in the original Support Center thread, but today I wanted to share a simpler solution for our users.



Here it comes:
1. In the Solution Explorer, right-click the YourSolutionName.Web/Login.aspx file and invoke the View Markup command from the context menu.
2. Paste the <script/> element with the JavaScript code below before the </body> element, as follows:



<body class="Dialog">
    <div id="PageContent" class="PageContent DialogPageContent">
        <form id="form1" runat="server">
            <cc4:ASPxProgressControl ID="ProgressControl" runat="server" />
            <div id="Content" runat="server" />
        </form>
    </div>
    <%--This part is added.--%>
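    <script type="text/javascript">
    //<![CDATA[
    // Moves the URL fragment into the query string so that it survives
    // the Forms Authentication redirect after a successful logon.
    function encodeLocationHash() {
        var search = window.location.search;
        // Act only when the logon page was opened with a ReturnUrl parameter.
        if (search && search.indexOf('ReturnUrl=') > -1) {
            var hash = window.location.hash;
            // Skip an empty fragment or a lone '#'.
            if (hash && hash.length > 1) {
                // Cut the raw fragment and append it back percent-encoded.
                var newUrl = window.location.href.replace(hash, '');
                newUrl += encodeURIComponent(hash);
                window.location.replace(newUrl);
            }
        }
    }
    // attachWindowEvent is a helper from the XAF CommonFunctions.js file.
    attachWindowEvent('load', encodeLocationHash);
    //]]>
    </script>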
</body>

This simple solution worked fine in many internal tests, but we wanted to make sure that no tricky situations in your real apps are left uncovered.

I look forward to hearing from you on whether you:
Q1. ever experienced such a requirement in your XAF web sites.
Q2. got this new and simple solution working in your Web apps with the logon form.
Thanks in advance!
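
The redirect logic above, rewritten as a pure function that can be unit-tested outside the browser (an added example, not code from the original post or from XAF). It goes beyond the snippet by attaching the fragment to the ReturnUrl parameter itself rather than to the end of the URL, and by refusing to rewrite anything unexpected; the `buildLoginUrl` name, the `FRAGMENT_ALLOWED` pattern, the `app.example` host and the sample fragment are assumptions, and the URL API must be available.

```javascript
// Added example: testable variant of encodeLocationHash().
// FRAGMENT_ALLOWED is an assumed allow-list; adjust it to the view
// identifiers your application actually puts after '#'.
const FRAGMENT_ALLOWED = /^#[A-Za-z0-9_.,;=&-]+$/;

// Returns the URL the logon page should be reloaded with,
// or null when the current URL must be left untouched.
function buildLoginUrl(href) {
    const url = new URL(href);
    const returnUrl = url.searchParams.get('ReturnUrl');
    const hash = url.hash;

    // No ReturnUrl parameter or no fragment: nothing to carry over.
    if (returnUrl === null || hash.length <= 1) return null;
    // Carry over only fragments built from expected characters.
    // The URL parser percent-encodes characters such as '<', '"' and
    // spaces, and '%' is not on the list, so those are rejected too.
    if (!FRAGMENT_ALLOWED.test(hash)) return null;
    // ReturnUrl must be a local path and must not already have a fragment.
    if (!/^\/(?![\/\\])/.test(returnUrl)) return null;
    if (returnUrl.indexOf('#') > -1) return null;

    // Move the fragment into the ReturnUrl value; searchParams.set()
    // percent-encodes it, including the '#' itself.
    url.hash = '';
    url.searchParams.set('ReturnUrl', returnUrl + hash);
    return url.toString();
}

// In Login.aspx the function would be used like this:
//   var next = buildLoginUrl(window.location.href);
//   if (next) window.location.replace(next);
```
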

15 comments:

  1. Nice Post Dennis
    I have tried it and it changes the URL from

    http://www.companywebsite.com/Login.aspx#MARKEDPRIVATE_DetailView=3D3a149934-a2c5-4c05-a9c7-e4c8be03e7d2

    To

    www.companywebsite.com/Login.aspx%23MARKEDPRIVATE_DetailView%3D3a149934-a2c5-4c05-a9c7-e4c8be03e7d2

    Which gives a 404
    Also using Xpand so don't know if that could be the cause, any ideas?

  2. Hello Wayne, thanks for your comment! This non-standard situation was not handled by our solution. We will consider either ignoring such URLs or making it work as expected. Would you please also point out a specific eXpand Framework feature you are using? Looking at the query string, I guess it has something to do with making user-friendly URLs, but I am not 100% sure.

  3. Hi
    Thank you for the post
    I have a question. How do I generate the URL of a detail view to send it by email to a user?

  4. @MohAl: You can use the two solutions from https://www.devexpress.com/Support/Center/Question/Details/T181841

  5. @Wayne Van Rooyen: This situation is now handled. See the updated code snippet for more details.

  6. @Dennis
    Thanks only came across your reply now.
    Thanks

  7. Hi Dennis,
    We migrated our application, where we use this code, to the new XAF Web UI, and this code does not work anymore as is.
    During debugging, JavaScript told us attachWindowEvent does not exist or something like that. So I found out I must replace attachWindowEvent with the addEventListener method (the parameters are the same as in attachWindowEvent), and the code again works as expected.

    Replies
    1. Petr,

      The attachWindowEvent function is from the XAF's CommonFunctions.js file, which contains a lot of standard functionality and cannot be missing. This function internally uses the addEventListener method you used, which should be working in the latest web browsers such as IE9+ and others. We need to use this custom function for compatibility with the old web browsers XAF supported at the time of writing this article.

      function attachElementEvent(element, name, handler) {
          if (element.addEventListener) {
              element.addEventListener(name, handler, false);
          }
          else {
              element.attachEvent('on' + name, handler);
          }
      }

  8. So one of my clients uses a penetration tester. The pen tester is warning that this is unsafe because of the potential for Cross-site Scripting and that there is potential for a malicious user to 'craft a request that may run arbitrary JavaScript in a victim's web browser'. It goes on to say that malicious users could use this to steal session tokens or private data of authenticated users.


    Thoughts on this accusation?
    Any other way around this?

    Replies
    1. Hello, Ambur! Would you please provide a detailed description of a possible attack or step-by-step instructions that can be used to reproduce it with the MainDemo.Web app using the aforementioned approach? With that, we will be able to research and give additional information on this issue, which can eventually be a 'false positive' as well.
      Please email this info to support@devexpress.com or rather submit a private ticket using the Support Center (https://www.devexpress.com/ask).
