Messages 1 to 10 of 11 total
Thread: User Authentication for Server Modules

Wed, Sep 6 2017 12:56 AM

Paul Coshott

Hi All,

Tim mentioned to me that I shouldn't hard code the user name and password for user authentication, when calling server modules. At the moment, I am doing the following. Can anyone tell me what I should be doing?

Thanks,
Paul

-----------------------------------------
EWB Code
-----------------------------------------
   with ServerRequestReports do begin
     { Set the authentication information as URL parameters }
     Params.Values['user'] := 'some_username';
     Params.Values['password'] := 'some_password';
     Params.Values['method'] := 'prepare';
     Params.Values['report_name'] := 'client_check';
     Params.Values['clientid'] := IntToStr(FClientId);
     URL := '/modules/rs_pdfreports';
     Execute;
   end;

-----------------------------------------
Delphi Module Code
-----------------------------------------
{ Module-side check: the same literals as the client code above are compiled
  into the module, so the credentials are fixed for every request and cannot
  be rotated or assigned per user }
procedure TmodMain.EWBModuleAuthenticateUser(const RequestUserName,
  RequestPassword: string; var Authenticated: Boolean);
begin
  if AnsiSameText(RequestUserName,'some_username') and (RequestPassword='some_password') then begin
    Authenticated := True
  end else begin
    Authenticated := False;
  end;
end;
Wed, Sep 6 2017 3:15 AM

Matthew Jones

Paul Coshott wrote:

>       Params.Values['user'] := 'some_username';
>       Params.Values['password'] := 'some_password';

You should be asking the user for these, and storing them in variables. The connection should be https too (SSL/TLS) and if not, I think 2.07 is making it easy for WebBuilder Server users.

Basically, those passwords are all available in the source, and in the browser log, so anyone can get them and use them in other code.

--

Matthew Jones
Wed, Sep 6 2017 8:22 AM

Paul Coshott

"Matthew Jones" wrote:

> You should be asking the user for these, and storing them in variables. The connection should be https too
> (SSL/TLS) and if not, I think 2.07 is making it easy for WebBuilder Server users.

Hi Matthew,

Thanks for your reply. I'm not sure how to go about this though. If I ask the user for a user name and password, how do I get these values to the server module to check against?

Cheers,
Paul
Wed, Sep 6 2017 9:16 AM

Matthew Jones

At its simplest,

     Params.Values['user'] := editUser.Text;
     Params.Values['password'] := editPassword.Text;

In my EWB applications nothing can happen until the user has logged in, and that is done by showing a form with the password etc. That then gets validated, and stored in a form variable to apply as required to the requests. If a call fails, with a user authentication error number, then I show the login again, as something changed.

--

Matthew Jones
Wed, Sep 6 2017 11:40 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Matthew,

<< You should be asking the user for these, and storing them in variables. The connection should be https too
(SSL/TLS) and if not, I think 2.07 is making it easy for WebBuilder Server users. >>

Just to confirm:  yes, 2.07 will make it easy to use TLS as well as making user management much easier because user/role management is built into the EWB Web Server.

Tim Young
Elevate Software
www.elevatesoft.com
Wed, Sep 6 2017 11:46 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Paul,

<< Thanks for your reply. I'm not sure how to go about this though. If I ask the user for a user name and password, how do I get these values to the server module to check against? >>

As Matthew indicates, you need to ask the user for their credentials and then store them in-memory once they are validated during a login process.  After that point, you would simply include them with any of your own server requests using the TServerRequest component (see below link on authenticating requests on how to send them), or in the UserName and Password properties with database requests:

https://www.elevatesoft.com/manual?action=viewprop&id=ewb2&comp=TDatabase&prop=UserName
https://www.elevatesoft.com/manual?action=viewprop&id=ewb2&comp=TDatabase&prop=Password

combined with the authentication method that you wish to use:

https://www.elevatesoft.com/manual?action=viewprop&id=ewb2&comp=TDatabase&prop=AuthenticationMethod

This is all covered in the modules manual here:

https://www.elevatesoft.com/manual?action=viewtopic&id=ewb2mod&product=rsdelphiwin32&version=10T&topic=Handling_Requests

under "Authenticating a Request".

Tim Young
Elevate Software
www.elevatesoft.com
Wed, Sep 6 2017 10:02 PM

Paul Coshott

Hi Tim,

>> As Matthew indicates, you need to ask the user for their credentials and then store them in-memory once they are
>> validated during a login process.

When you say ask the user for their credentials, would that be when they login? Do I save their user name and password from their login, and then send these to the server module?

And then in the server module, check that the user name exists and that the password matches in the Users database table?

Cheers,
Paul
Thu, Sep 7 2017 3:35 AM

Matthew Jones

Paul Coshott wrote:

> Do I save their user name and password from their login, and then send these to the server module?
>
> And then in the server module, check that the user name exists and that the password matches in the Users database table?

Yes

--

Matthew Jones
Thu, Sep 7 2017 11:24 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Paul,

<< When you say ask the user for their credentials, would that be when they login? Do I save their user name and password from their login, and then send these to the server module?

And then in the server module, check that the user name exists and that the password matches in the Users database table? >>

As Matthew indicates: yes.  You need to authenticate the user credentials with every single request (at least for now until EWB has proper session management).

Tim Young
Elevate Software
www.elevatesoft.com
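The per-request check that Matthew and Tim describe, written out as an added example (this is not code from the thread or from Elevate Software): the module looks the user up in the Users table, verifies the password against a stored salted hash, and does this on every request since there is no session. Assumptions: an in-memory list stands in for the Users table, PBKDF2-HMAC-SHA-256 is assembled from the Delphi RTL's THashSHA2 HMAC, and Delphi XE8 or later is available (System.Hash and dynamic-array concatenation with +). Storing a hash rather than the password means a leaked table, log or source file never exposes the credential itself.

```delphi
program ModuleAuthExample;
{$APPTYPE CONSOLE}

// Added example, not code from the thread or from Elevate Software.
// Assumes Delphi XE8 or later (System.Hash, dynamic-array '+' concatenation).
uses
  System.SysUtils,
  System.Hash,
  System.Generics.Collections;

const
  PBKDF2Iterations = 100000;

type
  // Hypothetical shape of one row of the Users table. A real module would
  // fetch this row with a parameterised query; here it lives in a constructed list.
  TUserRow = record
    UserName: string;
    Salt: TBytes;
    PasswordHash: TBytes;  // PBKDF2-HMAC-SHA-256 of the password, never the password
  end;

var
  Users: TList<TUserRow>;

// PBKDF2 with HMAC-SHA-256 built on the RTL's HMAC, producing one 32-byte block.
function PBKDF2SHA256(const Password: string; const Salt: TBytes; Iterations: Integer): TBytes;
var
  Key, U, Block: TBytes;
  I, J: Integer;
begin
  Key := TEncoding.UTF8.GetBytes(Password);
  // U1 = HMAC(Password, Salt || INT_32_BE(1)); every later Ui = HMAC(Password, Ui-1)
  U := THashSHA2.GetHMACAsBytes(Salt + TBytes.Create(0, 0, 0, 1), Key);
  Block := Copy(U);
  for I := 2 to Iterations do
  begin
    U := THashSHA2.GetHMACAsBytes(U, Key);
    for J := 0 to High(Block) do
      Block[J] := Block[J] xor U[J];
  end;
  Result := Block;
end;

// Compares every byte regardless of where the first mismatch is, so the
// response time does not reveal how much of the hash was correct.
function ConstantTimeEquals(const A, B: TBytes): Boolean;
var
  I, Diff: Integer;
begin
  if Length(A) <> Length(B) then
    Exit(False);
  Diff := 0;
  for I := 0 to High(A) do
    Diff := Diff or (A[I] xor B[I]);
  Result := Diff = 0;
end;

// Registration-time helper: stores salt and hash for a new user.
procedure AddUser(const UserName, Password: string);
var
  Row: TUserRow;
  I: Integer;
begin
  Row.UserName := UserName;
  SetLength(Row.Salt, 16);
  for I := 0 to High(Row.Salt) do
    Row.Salt[I] := Byte(Random(256));  // demo only: production salts come from the OS CSPRNG
  Row.PasswordHash := PBKDF2SHA256(Password, Row.Salt, PBKDF2Iterations);
  Users.Add(Row);
end;

// Per-request check: find the user, then verify the password. Usernames match
// case-insensitively (as AnsiSameText does in the thread's module); passwords exactly.
function AuthenticateRequest(const RequestUserName, RequestPassword: string): Boolean;
var
  Row: TUserRow;
begin
  for Row in Users do
    if SameText(Row.UserName, RequestUserName) then
      Exit(ConstantTimeEquals(PBKDF2SHA256(RequestPassword, Row.Salt, PBKDF2Iterations),
                              Row.PasswordHash));
  // Unknown user: still pay the hashing cost so timing does not reveal which usernames exist.
  PBKDF2SHA256(RequestPassword, TBytes.Create(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15),
               PBKDF2Iterations);
  Result := False;
end;

// The module event handler from the thread then delegates to the lookup instead
// of comparing against string literals (plain procedure here; a method on the module in practice).
procedure EWBModuleAuthenticateUser(const RequestUserName, RequestPassword: string;
  var Authenticated: Boolean);
begin
  Authenticated := AuthenticateRequest(RequestUserName, RequestPassword);
end;

var
  Ok: Boolean;
begin
  Randomize;
  Users := TList<TUserRow>.Create;
  try
    AddUser('paul', 'correct horse battery staple');  // constructed sample user
    EWBModuleAuthenticateUser('Paul', 'correct horse battery staple', Ok);
    Writeln('matching credentials: ', Ok);
    EWBModuleAuthenticateUser('paul', 'wrong password', Ok);
    Writeln('wrong password:       ', Ok);
    EWBModuleAuthenticateUser('nobody', 'anything', Ok);
    Writeln('unknown user:         ', Ok);
  finally
    Users.Free;
  end;
end.
```

Because the client sends the credentials with every request, this handler runs on every request too; the iteration count is the knob that trades login latency against brute-force cost, and the dummy hash on the unknown-user path keeps a bad username from being distinguishable from a bad password by response time.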
Thu, Sep 7 2017 11:55 PM

Paul Coshott

Hi Guys,

>> As Matthew indicates: yes.  You need to authenticate the user credentials with every single request (at least for
>> now until EWB has proper session management).

Thanks for the help. All working now with the users login credentials.

Tim - You also mentioned that I need to authenticate database requests. I can see how to set the Username and Password properties for authentication in the EWB app, but I'm not sure how I do the authentication in the database server?

Thanks,
Paul