I use NSURLConnection with Webview to load a page which need to do a client cert authentication. All are passed and load the web page successfully. However, there is problem after reading the web page around 120s. The webpage auto refresh with javascript, and it loads the resource from server. I found there is return 403 in the refresh.
Is the Client Cert time out in the webview ? Is there any setting in Webview / NSURLConnection to solve this problem ?
Thanks very much.
Accepted Reply
I can solve the problem now.
The UIWebview will not handle the authen challenge while timeout.
And it need to use URLProtocol to handle this authen challenge.
Thanks very much.
Replies
IMPORTANT Both
NSURLConnection
and
WebView
have been deprecated. I strongly recommend that you look at adopting their replacements (
NSURLSession
and
WKWebView
).
The fact that handling a client certificate authentication challenge in
NSURLConnection
would help with
WebView
was an artefact of the implementation rather than an explicit design decision. Specifically, both of these subsystems doing their networking in your process using the shared session (the same session you get to via
NSURLSession.sharedSession
) and thus ended up sharing entries in the TLS session cache (see QA1727
TLS Session Cache for more about that).
The failure you’re seeing is a result of those cache entries timing out. It’s hard to fix this because you’re not connected to the web view’s authentication challenge mechanism, and thus you don’t get notified of the timeout.
My recommendation is that you connect up to the web view’s authentication mechanism by implementing the
-webView:resource:didReceiveAuthenticationChallenge:fromDataSource:
delegate callback. My concern here is that this might not work for client certificate authentication challenges (
NSURLAuthenticationMethodClientCertificate
) because those challenges might not be delivered to your delegate (this is a weird historical edge case, and I don’t know how the legacy macOS
WebView
handles that).
The correct long-term solution is to use
WKWebView
, which definitely delivers the client certificate authentication challenge to its delegate (in this case
-webView:didReceiveAuthenticationChallenge:completionHandler:
). Alas, there’s a wrinkle there too. On currently shipping OS releases it’s not possible to successfully handle that challenge with
WKWebView
. You get the challenge and can respond to it but that response is ineffective. This bug has been fixed on the currently seeded version of iOS (iOS 12.0b6). I believe that fix also applies to the currently seeded version of macOS (10.14b7), but I haven’t personally verified this.
So, my advice:
Whatever else you do, you should look at moving forward to
andWKWebView
.NSURLSession
You should test whether
handles client certificate authentication challenges on the latest macOS 10.14 beta.WKWebView
For currently shipping systems, you should check whether
delivers client certificate authentication challenges to your delegate.WebView
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
I try to change using WKWebview to load the webpage. However, the page can't load completely.
That mean it could receive response success, but all the resource content in the web page can't get.
I found all the resource in the page can't load with 403 forbidden. WKWebview load the html and i see pass the client cert authen. Is there any problem in this part ?
thanks
What OS release are you testing on? As I mentioned earlier,
WKWebView
has a bug that prevents it from responding property to client certificate authentication challenges (
NSURLAuthenticationMethodClientCertificate
) prior to iOS 12.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
I can solve the problem now.
The UIWebview will not handle the authen challenge while timeout.
And it need to use URLProtocol to handle this authen challenge.
Thanks very much.