Icon View Thread

The following is the text of the current message along with any replies.
Messages 1 to 5 of 5 total
Thread TServerRequest and TDatabase Username / Password
Sun, Oct 6 2013 1:11 PMPermanent Link

Eivind

Hi

I'm in the process of building a Delphi HTTP Server using Indy HTTP Server component. So far it's going good and I can serve the files and JSON data. I'm now at a stage of building Authentication, hence this question. My plan was in EWB to use a TServerRequest and issue a request with username and password and return a session id that I will pass in the header of all subsequent requests when requesting JSON data. TDatabase and TServerRequest has a Usernane and Password property, but I cannot get those values on the Indy server. Are they for some other purpose than sending auth request to the server? I have also been thinking of creating my own Basic Authenticate header, but I cannot find a function for base64 encode the usernameTonguessword string. Does this exists in EWB?

Thanks for any heads up's on this

Eivind
Sun, Oct 6 2013 9:02 PMPermanent Link

Raul

Team Elevate Team Elevate

On 10/6/2013 1:11 PM, Eivind wrote:
>TDatabase and TServerRequest has a Usernane and Password property, but I
cannot get those values on the Indy server.

You're not giving enough info on what you have done on Indy side for us
to help.

So here goes general answer: with Indy10 you'd have to do something like
this if you want Indy to handle it . (wrote it from memory so might not
be exact)

In CommandGet/CommandOther :

....
  if ARequestInfo.AuthExists=false then
  begin
    AResponseInfo.AuthRealm := 'Give me auth';
    AResponseInfo.ResponseNo := 401;
    exit
  end
  //otherwise check session and/or username/password and issue session
if needed, etc

....

OR

Alternative is to just add your username/password manually into either
URL params ( i.e. MyServerERquest.Add('user='+<user>) and similar for
pass) or headers (MyServerERquest.RequestHeaders.Add('user'+<user>)) and
parse yourself on Indy side.



> I have also been thinking of creating my own Basic Authenticate header, but I cannot find a function for base64 encode the usernameTonguessword string. Does this exists in EWB?

If you do need to do it manually then base64 is trivial to write but i
would not bother. Since you want to do own session management anyways
just include it with params or headers and manage yourself.

EWB official (as far i as know) suggestion is to just populate the
username/password of TServerRequest every time and send it along.

Obviously everything above should run over SSL

Raul
Mon, Oct 7 2013 4:53 AMPermanent Link

Matthew Jones

I'll just mention that you need to be careful with this, as you are of course
passing plain text passwords over the internet. This is not good in this day and
age. Indy has SSL integration, and I'd recommend you use that. Me, I used the
RemObject server which uses Indy and does all the hard work for me.

/Matthew Jones/
Mon, Oct 7 2013 6:54 AMPermanent Link

Eivind

(Matthew Jones) wrote:

I'll just mention that you need to be careful with this, as you are of course
passing plain text passwords over the internet. This is not good in this day and
age. Indy has SSL integration, and I'd recommend you use that. Me, I used the
RemObject server which uses Indy and does all the hard work for me.

/Matthew Jones/

SSL will be implemented for sure once it's on the production server. At the moment I just purchased EWB and Delphi XE5 pro so my budget are a bit depleted for the moment when it comes to RemObj. I got it all working pretty well with Indy so the next step will be to add SSL.

Thanks for the heads up though
Tue, Oct 8 2013 3:39 PMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Eivind,

<< I'm in the process of building a Delphi HTTP Server using Indy HTTP
Server component. So far it's going good and I can serve the files and JSON
data. I'm now at a stage of building Authentication, hence this question. My
plan was in EWB to use a TServerRequest and issue a request with username
and password and return a session id that I will pass in the header of all
subsequent requests when requesting JSON data. TDatabase and TServerRequest
has a Usernane and Password property, but I cannot get those values on the
Indy server. Are they for some other purpose than sending auth request to
the server? >>

There are two separate items here:

1) The TDatabase UserName/Password properties modify these headers sent over
with JSON requests from the datasets/database:

X-EWBUser
X-EWBPassword

These headers have special meaning beyond the HTTP authentication and are
used for providing dynamic authorization to the underlying
datasets/database.

2) The TServerRequest UserName/Password properties are are actual basic HTTP
authentication.

<< I have also been thinking of creating my own Basic Authenticate header,
but I cannot find a function for base64 encode the usernameTonguessword string.
Does this exists in EWB? >>

You won't need to as long as you assign the TServerRequest UserName/Password
properties.  The browser will automatically perform the base64-encoding and
authentication.  However, AJAX (TServerRequest) can *only* do basic
authentication at this time.

Tim Young
Elevate Software
www.elevatesoft.com


Image