Thread AuthenticateUser in HTTP GET and return JSON
Tue, Sep 6 2016 5:45 PM

KimHJ

Comca Systems, Inc

I have built an EWBModule that can receive HTTP GET requests from anything that can do an HTTP GET.

My problem is I can't find a way to add in password and user. The EWBModuleAuthenticateUser is always blank.
I'm using Basic Authentication. I know it's not the best; if there is a better way I'm all open, thanks.

If I use Postman from Google Chrome, I enter the password and user name in the Basic Auth. I then make an HTTP call.
http://127.1.0.0:8099/modules/ewbmodule?Phone='9999999999'

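From Java I use this:
    import java.net.Authenticator;
    import java.net.PasswordAuthentication;

    // Install a process-wide default Authenticator that supplies the login name and password.
    Authenticator.setDefault(new Authenticator() {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(loginName, passWord.toCharArray());
        }
    });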

In the ewbmodule I then use the EDBQuery to retrieve the name and other information from the ElevateDB server.

Is there any example how to use TEWBJSONWriter?

Thanks,
Kim
Thu, Sep 8 2016 7:26 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Kim,

<< My problem is I can't find a way to add in password and user. The EWBModuleAuthenticateUser is always blank.  I'm using Basic Authentication I know it's not the best if there is a better way I'm all open, thanks. >>

Don't use basic authentication.  Just use a secure https URL along with the user ID/password as parameters:

https://127.1.0.0:8099/modules/ewbmodule?Phone='9999999999'&User=XXXX&Password=XXXX

<< Is there any example how to use TEWBJSONWriter? >>

Not at this time, no. I'll try to work up an example module that shows how it's used.  For now, the docs should have everything you need:

http://www.elevatesoft.com/manual?action=viewcomp&id=ewb2mod&product=rsdelphi&version=XE&comp=TEWBJSONWriter

The basic sequence is:

Initialize;
BeginObject;
while (not DoneWithProperties) do
  begin
  // If you want a new line for the property, call the BeginNewLine method here
  XXXProperty('MyProperty',PropertyValue); // StringProperty, IntegerProperty, etc.
  end;
EndObject;

Arrays get slightly more complicated, but not by much.  You don't need to emit separators because the class keeps track of how many properties have been written for an object, and whether a separator is necessary.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Sep 12 2016 11:58 AM

KimHJ

Comca Systems, Inc

Tim,

Thanks. I will be using https, right now I'm testing.

I do understand how to use BeginObject and all the other functions, but I thought that there was a function that would take a row or many rows from the EDB and turn it into JSON.

Right now I put all results into an array this way. Then I can do a count on the array to see how many rows I get back if any.

{results:[ {row1},{row2},{row3} ] }

Kim

<<Tim Young [Elevate Software] wrote:

<<< Is there any example how to use TEWBJSONWriter? >>

<<Not at this time, no. I'll try to work up an example module that shows how it's used.  For now, the docs should have everything you need:

<<http://www.elevatesoft.com/manual?action=viewcomp&id=ewb2mod&product=rsdelphi&version=XE&comp=TEWBJSONWriter

<<The basic sequence is:

<<Initialize;
<<BeginObject;
<<while (not DoneWithProperties) do
<<   begin
<<   // If you want a new line for the property, call the BeginNewLine method here
<<   XXXProperty('MyProperty',PropertyValue); // StringProperty, IntegerProperty, etc.
<<   end;
<<EndObject;

<<Arrays get slightly more complicated, but not by much.  You don't need to emit separators because the class keeps track of how many properties have been written for an object, and whether a separator is necessary.

<<Tim Young
Mon, Sep 12 2016 4:49 PM

erickengelke

<< My problem is I can't find a way to add in password and user. The EWBModuleAuthenticateUser is always blank.  I'm using Basic Authentication I know it's not the best if there is a better way I'm all open, thanks. >>

>Don't use basic authentication.  Just use a secure https URL along with the user ID/password as parameters:
>
>https://127.1.0.0:8099/modules/ewbmodule?Phone='9999999999'&User=XXXX&Password=XXXX

It's best not to encode a password in a URL  because many web servers log GET parameters in the HTTPD access
log file and then your password is saved in plain text.

There are lots of other solutions.  I know I talk about them in my book, but I don't have a copy near me so I can't tell you which pages. Basically, in either the parameters or in POST parameters.  Neither of those are logged.

<< Is there any example how to use TEWBJSONWriter? >>

>Not at this time, no. I'll try to work up an example module that shows how it's used.  For now, the docs should have everything you need:

There's a whole chapter on that subject with lots of examples including arrays.

>Arrays get slightly more complicated, but not by much.  You don't need to emit separators because the class keeps track of how many properties have been written for an object, and whether a separator is necessary.
Tue, Sep 13 2016 5:04 AM

Matthew Jones

erickengelke wrote:

> > Don't use basic authentication.  Just use a secure https URL along
> > with the user ID/password as parameters:
> >
> > https://127.1.0.0:8099/modules/ewbmodule?Phone='9999999999'&User=XXXX&Password=XXXX
>
> It's best not to encode a password in a URL  because many web servers
> log GET parameters in the HTTPD access log file and then your
> password is saved in plain text.

Hmm, the logging is on the server you are talking to, and you have to
trust someone. I think this is fine as a practice, and is indeed quite
common with REST services. So long as you are HTTPS and the server is
trusted, you should be okay.

--

Matthew Jones
Tue, Sep 13 2016 5:49 AM

erickengelke

"Matthew Jones" wrote:

erickengelke wrote:

> > Don't use basic authentication.  Just use a secure https URL along
> > with the user ID/password as parameters:
> >
> > https://127.1.0.0:8099/modules/ewbmodule?Phone='9999999999'&User=XXXX&Password=XXXX
>
> It's best not to encode a password in a URL  because many web servers
> log GET parameters in the HTTPD access log file and then your
> password is saved in plain text.

>Hmm, the logging is on the server you are talking to, and you have to
>trust someone. I think this is fine as a practice, and is indeed quite
>common with REST services. So long as you are HTTPS and the server is
>trusted, you should be okay.

If the server is Apache or Nginx, there will be logs.  And if the server ever gets compromised, the logs
may be viewed.  And if the user reuses his password... I know, but many people do... then the password
to other systems and the userid are compromised.

Ashley-Madison is just one of many sites where passwords were  found/stolen and there were lawsuits.

I'm just sayin'.

Erick
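
The logging concern raised above, as an added example that is not part of the original posts: a Python scan of Apache/Nginx combined-format access log lines that flags requests carrying a secret in the query string and produces a redacted copy of the line. The log lines and the SENSITIVE name list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets (assumption: extend for your own API).
SENSITIVE = {"password", "passwd", "pwd", "token", "secret"}

# Request line of a "combined" log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: the thread's GET with credentials, a POST, a plain GET.
SAMPLE_LOG = [
    '127.0.0.1 - - [13/Sep/2016:05:49:00 +0000] "GET /modules/ewbmodule'
    '?Phone=%279999999999%27&User=XXXX&Password=XXXX HTTP/1.1" 200 512 "-" "Java/1.8"',
    '127.0.0.1 - - [13/Sep/2016:05:50:00 +0000] "POST /modules/ewbmodule HTTP/1.1" 200 512 "-" "Java/1.8"',
    '127.0.0.1 - - [13/Sep/2016:05:51:00 +0000] "GET /modules/ewbmodule'
    '?Phone=%279999999999%27 HTTP/1.1" 401 0 "-" "Java/1.8"',
]

def redact_target(target):
    """Return (redacted_target, names of sensitive query parameters found)."""
    parts = urlsplit(target)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return target, found
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan_log(lines):
    """Yield (line_no, method, param_names, redacted_line) for each leaking request."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted, found = redact_target(m.group("target"))
        if found:
            yield no, m.group("method"), found, line.replace(m.group("target"), redacted)

if __name__ == "__main__":
    for no, method, names, redacted in scan_log(SAMPLE_LOG):
        print(f"line {no}: {method} exposes {names}\n  {redacted}")
```

Only the GET that carried `Password=` in the URL is reported; the POST line shows no parameters at all because the request body never reaches the access log.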
Tue, Sep 13 2016 6:16 AM

Matthew Jones

It is certainly worth considering, to be sure. If it is your own
server, perhaps EWB, RemObjects or whatever, the logging may be
non-existent. It may also be worth starting off with a login process
which returns a short-life token, though I guess that initial handshake
would need to be in the data rather than URL.

Yes, consider it carefully.


--

Matthew Jones
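
The login flow suggested above, as an added example that is not taken from the thread or from any EWB API: credentials arrive once in a form-encoded POST body, and the server answers with an HMAC-signed token that expires after TOKEN_TTL seconds. The user store, key handling, field names and the 300-second lifetime are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs

SERVER_KEY = secrets.token_bytes(32)  # signing key, generated per process for the example
TOKEN_TTL = 300                       # token lifetime in seconds (assumed value)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store holding a salt and a PBKDF2 hash, never the password itself.
_SALT = secrets.token_bytes(16)
USERS = {"kim": (_SALT, hash_password("correct horse", _SALT))}

def _mac(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def login(post_body, now=None):
    """Check credentials taken from the POST body; return a signed token or None."""
    form = parse_qs(post_body)
    user = form.get("User", [""])[0]
    password = form.get("Password", [""])[0]
    # Unknown users still go through one hash computation before failing.
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + TOKEN_TTL}).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_mac(payload)).decode())

def verify(token, now=None):
    """Return the user name for an authentic, unexpired token, else None."""
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:                # wrong shape or invalid base64
        return None
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    return claims["sub"] if now < claims["exp"] else None

if __name__ == "__main__":
    token = login("User=kim&Password=correct+horse")
    print(token, verify(token))
```

Later requests would present the token in a request header or body rather than the password, so a leaked log entry or token is only useful until it expires.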
Tue, Sep 13 2016 7:10 AM

erickengelke

"Matthew Jones" wrote:

>It is certainly worth considering, to be sure.

Sorry, for the last few months I've been working closely with a security expert/pen tester on my next book.
He's got me paranoid about leaking secrets - so he's really done his job!

Erick
Wed, Sep 14 2016 1:02 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Erick,

<< It's best not to encode a password in a URL  because many web servers log GET parameters in the HTTPD access log file and then your password is saved in plain text. >>

Good point.  One can easily do a POST server request instead of a GET.

Tim Young
Elevate Software
www.elevatesoft.com