Login ProductsSalesSupportDownloadsAbout |
Home » Technical Support » Elevate Web Builder Technical Support » Support Forums » Elevate Web Builder General » View Thread |
Messages 1 to 10 of 11 total |
User Authentication for Server Modules |
Wed, Sep 6 2017 12:56 AM | Permanent Link |
Paul Coshott | Hi All,
Tim mentioned to me that I shouldn't hard code the user name and password for user authentication, when calling server modules. At the moment, I am doing the following. Can anyone tell me what I should be doing? Thanks, Paul ----------------------------------------- EWB Code ----------------------------------------- with ServerRequestReports do begin { Set the authentication information as URL parameters } Params.Values['user'] := 'some_username'; Params.Values['password'] := 'some_password'; Params.Values['method'] := 'prepare'; Params.Values['report_name'] := 'client_check'; Params.Values['clientid'] := IntToStr(FClientId); URL := '/modules/rs_pdfreports'; Execute; end; ----------------------------------------- Delphi Module Code ----------------------------------------- procedure TmodMain.EWBModuleAuthenticateUser(const RequestUserName, RequestPassword: string; var Authenticated: Boolean); begin if AnsiSameText(RequestUserName,'some_username') and (RequestPassword='some_password') then begin Authenticated := True end else begin Authenticated := False; end; end; |
Wed, Sep 6 2017 3:15 AM | Permanent Link |
Matthew Jones | Paul Coshott wrote:
> Params.Values['user'] := 'some_username'; > Params.Values['password'] := 'some_password'; You should be asking the user for these, and storing them in variables. The connection should be https too (SSL/TLS) and if not, I think 2.07 is making it easy for WebBuilder Server users. Basically, those passwords are all available in the source, and in the browser log, so anyone can get them and use them in other code. -- Matthew Jones |
Wed, Sep 6 2017 8:22 AM | Permanent Link |
Paul Coshott | "Matthew Jones" wrote:
>You should be asking the user for these, and storing them in variables. The connection should be https too >(SSL/TLS) and if not, I think 2.07 is making it easy for WebBuilder Server users. Hi Matthew, Thanks for your reply. I'm not sure how to go about this though. If I ask the user for a user name and password, how do I get these values to the server module to check against? Cheers, Paul |
Wed, Sep 6 2017 9:16 AM | Permanent Link |
Matthew Jones | At its simplest,
Params.Values['user'] := editUser.Text; Params.Values['password'] := editPassword.Text; In my EWB applications nothing can happen until the user has logged in, and that is done by showing a form with the password etc. That then gets validated, and stored in a form variable to apply as required to the requests. If a call fails, with a user authentication error number, then I show the login again, as something changed. -- Matthew Jones |
Wed, Sep 6 2017 11:40 AM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Matthew,
<< You should be asking the user for these, and storing them in variables. The connection should be https too (SSL/TLS) and if not, I think 2.07 is making it easy for WebBuilder Server users. >> Just to confirm: yes, 2.07 will make it easy to use TLS as well as making user management much easier because user/role management is built into the EWB Web Server. Tim Young Elevate Software www.elevatesoft.com |
Wed, Sep 6 2017 11:46 AM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Paul,
<< Thanks for your reply. I'm not sure how to go about this though. If I ask the user for a user name and password, how do I get these values to the server module to check against? >> As Matthew indicates, you need to ask the user for their credentials and then store them in-memory once they are validated during a login process. After that point, you would simply include them with any of your own server requests using the TServerRequest component (see below link on authenticating requests on how to send them), or in the UserName and Password properties with database requests: https://www.elevatesoft.com/manual?action=viewprop&id=ewb2&comp=TDatabase&prop=UserName https://www.elevatesoft.com/manual?action=viewprop&id=ewb2&comp=TDatabase&prop=Password combined with the authentication method that you wish to use: https://www.elevatesoft.com/manual?action=viewprop&id=ewb2&comp=TDatabase&prop=AuthenticationMethod This is all covered in the modules manual here: https://www.elevatesoft.com/manual?action=viewtopic&id=ewb2mod&product=rsdelphiwin32&version=10T&topic=Handling_Requests under "Authenticating a Request". Tim Young Elevate Software www.elevatesoft.com |
Wed, Sep 6 2017 10:02 PM | Permanent Link |
Paul Coshott | Hi Tim,
>>As Matthew indicates, you need to ask the user for their credentials and then store them in-memory once they are >>validated during a login process. When you say ask the user for their credentials, would that be when they login? Do I save their user name and password from their login, and then send these to the server module. And then in the server module, check that the user name exists and that the password matches in the Users database table? Cheers, Paul |
Thu, Sep 7 2017 3:35 AM | Permanent Link |
Matthew Jones | Paul Coshott wrote:
> Do I save their user name and password from their login, and then send these to the server module. > > And then in the server module, check that the user name exists and that the password matches in the Users database table? Yes -- Matthew Jones |
Thu, Sep 7 2017 11:24 AM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Paul,
<< When you say ask the user for their credentials, would that be when they login? Do I save their user name and password from their login, and then send these to the server module. And then in the server module, check that the user name exists and that the password matches in the Users database table? >> As Matthew indicates: yes. You need to authenticate the user credentials with every single request (at least for now until EWB has proper session management). Tim Young Elevate Software www.elevatesoft.com |
Thu, Sep 7 2017 11:55 PM | Permanent Link |
Paul Coshott | Hi Guys,
>> As Matthew indicates: yes. You need to authenticate the user credentials with every single request (at least for >> now until EWB has proper session management). Thanks for the help. All working now with the users login credentials. Tim - You also mentioned that I need to authenticate database requests. I can see how to set the Username and Password properties for authentication in the EWB app, but I'm not sure how I do the authentication in the database server? Thanks, Paul |
Page 1 of 2 | Next Page » | |
Jump to Page: 1 2 |
This web page was last updated on Wednesday, October 9, 2024 at 05:37 AM | Privacy PolicySite Map © 2024 Elevate Software, Inc. All Rights Reserved Questions or comments ? E-mail us at info@elevatesoft.com |