Thread: Issue with AuthenticateUser
Tue, Jun 21 2016 12:27 AM

Sidney

The datasetclient sample application uses the Delphi datasetmodule DLL.  I modified the datasetclient EWB2 application to send a username and password like so:

procedure TMainForm.MainFormShow(Sender: TObject);
begin
  // Credentials are set before the first request so AuthenticateUser receives them
  Database.UserName := 'testuser';
  Database.Password := 'testpass';
  Database.LoadRows(Biolife);
end;

This causes AuthenticateUser in the DLL to be passed the UserName and Password.

The DLL sees the following values:
Request.RequestParams: method=rows dataset=Biolife user=testuser password=testpass
Request.RequestUser: testuser
Request.RequestPassword: testpass
Request.RequestUrlParams: method=rows&dataset=Biolife&user=testuser&password=testpass

The result is as expected.

However, the DLL is also called each time a record is selected to load the graphic.  But when this happens, the UserName and Password are not passed to AuthenticateUser in the DLL even when I explicitly assign them in GraphicImageLoad as shown below:

// Handler name taken from the text above; the Sender parameter is assumed
procedure TMainForm.GraphicImageLoad(Sender: TObject);
begin
  // Re-assigning the credentials here does not get them onto the "load" request
  Database.UserName := 'testuser';
  Database.Password := 'testpass';
  with GraphicImage do
    begin
      BeginUpdate;
      try
        Animations.Visible.Style := asQuadEaseIn;
        Animations.Visible.Duration := 350;
        Visible := True;
      finally
        EndUpdate;
      end;
    end;
end;

The DLL sees the following values:
Request.RequestParams: dataset=Biolife method=load column=Graphic row=90020
Request.RequestUser:
Request.RequestPassword:
Request.RequestUrlParams: dataset=Biolife&method=load&column=Graphic&row=90020

As you can see, the user and password are not being passed in the request.

This is a problem since the DLL is being called independently for "rows" and "load" requests.  The "rows" request is authenticated but it is not possible to authenticate the "load".  Since the AuthenticateUser procedure does not provide direct access to the Request, it cannot determine if not having the user and password is ok.  Preferably, the "load" request should also provide the RequestUser and RequestPassword.

1) What can be done about this problem so validation can proceed for all requests?

A second problem also exists.  It does not seem to matter whether the Database.AuthenticationMethod is set to amHeaders or amParameters.  Regardless of the setting, the User and Password are always in Request.RequestParams and in Request.RequestUrlParams but never in Request.Header.

2) Can you fix this so amHeaders does not put the user and password in the parameters but does put them in the header?  Of course Request.User and Request.Password should also be set so authentication will work.

Thanks
Tue, Jun 21 2016 1:39 AM

Sidney

The original post mentioned an issue with Database.AuthenticationMethod but I am now seeing the expected behavior.  It appears I may not have had the latest html and js when testing the DLL.

The first problem remains.

REVISED POST:

The datasetclient sample application uses the Delphi datasetmodule DLL.  I modified the datasetclient EWB2 application to send a username and password like so:

procedure TMainForm.MainFormShow(Sender: TObject);
begin
  // Credentials are set before the first request so AuthenticateUser receives them
  Database.UserName := 'testuser';
  Database.Password := 'testpass';
  Database.LoadRows(Biolife);
end;

This causes AuthenticateUser in the DLL to be passed the UserName and Password.

The DLL sees the following values:
Request.RequestParams: method=rows dataset=Biolife user=testuser password=testpass
Request.RequestUser: testuser
Request.RequestPassword: testpass
Request.RequestUrlParams: method=rows&dataset=Biolife&user=testuser&password=testpass

The result is as expected.

However, the DLL is also called each time a record is selected to load the graphic.  But when this happens, the UserName and Password are not passed to AuthenticateUser in the DLL even when I explicitly assign them in GraphicImageLoad as shown below:

// Handler name taken from the text above; the Sender parameter is assumed
procedure TMainForm.GraphicImageLoad(Sender: TObject);
begin
  // Re-assigning the credentials here does not get them onto the "load" request
  Database.UserName := 'testuser';
  Database.Password := 'testpass';
  with GraphicImage do
    begin
      BeginUpdate;
      try
        Animations.Visible.Style := asQuadEaseIn;
        Animations.Visible.Duration := 350;
        Visible := True;
      finally
        EndUpdate;
      end;
    end;
end;

The DLL sees the following values:
Request.RequestParams: dataset=Biolife method=load column=Graphic row=90020
Request.RequestUser:
Request.RequestPassword:
Request.RequestUrlParams: dataset=Biolife&method=load&column=Graphic&row=90020

As you can see, the user and password are not being passed in the request.

This is a problem since the DLL is being called independently for "rows" and "load" requests.  The "rows" request is authenticated but it is not possible to authenticate the "load".  Since the AuthenticateUser procedure does not provide direct access to the Request, it cannot determine if not having the user and password is ok.  Preferably, the "load" request should also provide the RequestUser and RequestPassword.

What can be done about this problem so validation can proceed for all requests?
Tue, Jun 21 2016 4:11 AM

Matthew Jones

Sidney wrote:

> Preferably, the "load" request should also provide the RequestUser and RequestPassword.

This is a basic security requirement of course. Standard hacking mode is to get all the images by changing the URL. (I once worked on a tool for the US military, and we put a lot of effort into validating every extra bit of info that was put into a page - don't want to be able to leak secrets to those not allowed to see them!)
Wed, Jun 22 2016 2:12 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Sidney,

<< However, the DLL is also called each time a record is selected to load the graphic.  But when this happens, the UserName and Password are not passed to AuthenticateUser in the DLL even when I explicitly assign them in GraphicImageLoad as shown below: >>

You need to change this property:

http://www.elevatesoft.com/manual?action=viewprop&id=ewb2&comp=TDatabase&prop=AuthenticationMethod

The default is amHeaders, which won't work for load requests because there isn't any way to specify custom headers for a URL.

So, just change it to amParameters and EWB will send the user/password as part of the load request.

Tim Young
Elevate Software
www.elevatesoft.com
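As an added illustration (not EWB's datasetmodule code and not part of this thread), here is a small Python model of the server-side check that Matthew's point and Tim's answer together call for: the module must require credentials on every request, the per-row "load" request included, whichever transport carries them (amParameters puts them in the URL parameters, amHeaders in request headers). The request strings are the RequestUrlParams values Sidney's DLL logged; the header names and the credential store are assumptions.

```python
from hmac import compare_digest
from urllib.parse import parse_qs

# Constructed credential store standing in for whatever the real
# datasetmodule DLL validates against.
VALID_USERS = {"testuser": "testpass"}


def extract_credentials(url_params, headers):
    """Take user/password from the URL parameters (amParameters) or, failing
    that, from request headers (amHeaders). The header names are hypothetical."""
    params = parse_qs(url_params, keep_blank_values=True)
    user = params.get("user", [""])[0] or headers.get("user", "")
    password = params.get("password", [""])[0] or headers.get("password", "")
    return user, password


def authorize(url_params, headers=None):
    """Gate every request, "rows" and "load" alike, on valid credentials.
    Returns (allowed, reason) so the caller can log why a request was denied."""
    headers = headers or {}
    params = parse_qs(url_params, keep_blank_values=True)
    method = params.get("method", [""])[0]
    if method not in ("rows", "load"):
        return False, "unknown method %r" % method
    user, password = extract_credentials(url_params, headers)
    if not user or not password:
        # This is the state Sidney observed for "load" requests: RequestUser and
        # RequestPassword empty. Deny rather than assume the caller is the same
        # user who issued the earlier, authenticated "rows" request.
        return False, "%s request without credentials" % method
    expected = VALID_USERS.get(user)
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if expected is None or not compare_digest(expected.encode(), password.encode()):
        return False, "bad credentials for %r" % user
    return True, "%s request by %s" % (method, user)


# Constructed samples mirroring the RequestUrlParams values logged in the thread.
ROWS_OK = "method=rows&dataset=Biolife&user=testuser&password=testpass"
LOAD_NO_AUTH = "dataset=Biolife&method=load&column=Graphic&row=90020"
LOAD_OK = LOAD_NO_AUTH + "&user=testuser&password=testpass"

if __name__ == "__main__":
    for request in (ROWS_OK, LOAD_NO_AUTH, LOAD_OK):
        print(authorize(request))
```

With the default amHeaders, the "load" request arrives like LOAD_NO_AUTH and is refused; after switching to amParameters it arrives like LOAD_OK and passes.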