Issue with AuthenticateUser |
Tue, Jun 21 2016 12:27 AM

Sidney

The datasetclient sample application uses the Delphi datasetmodule DLL. I modified the datasetclient EWB2 application to send a username and password like so:

procedure TMainForm.MainFormShow(Sender: TObject);
begin
   Database.UserName := 'testuser';
   Database.Password := 'testpass';
   Database.LoadRows(Biolife);
end;

This causes AuthenticateUser in the DLL to be passed the UserName and Password. The DLL sees the following values:

Request.RequestParams: method=rows dataset=Biolife user=testuser password=testpass
Request.RequestUser: testuser
Request.RequestPassword: testpass
Request.RequestUrlParams: method=rows&dataset=Biolife&user=testuser&password=testpass

The result is as expected. However, the DLL is also called each time a record is selected to load the graphic. But when this happens, the UserName and Password are not passed to AuthenticateUser in the DLL even when I explicitly assign them in GraphicImageLoad as shown below:

begin
   Database.UserName := 'testuser';
   Database.Password := 'testpass';
   with GraphicImage do
   begin
      BeginUpdate;
      try
         Animations.Visible.Style := asQuadEaseIn;
         Animations.Visible.Duration := 350;
         Visible := True;
      finally
         EndUpdate;
      end;
   end;
end;

The DLL sees the following values:

Request.RequestParams: dataset=Biolife method=load column=Graphic row=90020
Request.RequestUser:
Request.RequestPassword:
Request.RequestUrlParams: dataset=Biolife&method=load&column=Graphic&row=90020

As you can see, the user and password are not being passed in the request. This is a problem since the DLL is being called independently for "rows" and "load" requests. The "rows" request is authenticated but it is not possible to authenticate the "load". Since the AuthenticateUser procedure does not provide direct access to the Request, it cannot determine if not having the user and password is ok. Preferably, the "load" request should also provide the RequestUser and RequestPassword.

1) What can be done about this problem so validation can proceed for all requests?

A second problem also exists. It does not seem to matter whether the Database.AuthenticationMethod is set to amHeaders or amParameters. Regardless of the setting, the User and Password are always in Request.RequestParams and in Request.RequestUrlParams but never in Request.Header.

2) Can you fix this so amHeaders does not put the user and password in the parameters but does put them in the header? Of course Request.User and Request.Password should also be set so authentication will work.

Thanks
Tue, Jun 21 2016 1:39 AM

Sidney

The original post mentioned an issue with Database.AuthenticationMethod but I am now seeing the expected behavior. It appears I may not have had the latest html and js when testing the DLL.

The first problem remains.

REVISED POST:

The datasetclient sample application uses the Delphi datasetmodule DLL. I modified the datasetclient EWB2 application to send a username and password like so:

procedure TMainForm.MainFormShow(Sender: TObject);
begin
   Database.UserName := 'testuser';
   Database.Password := 'testpass';
   Database.LoadRows(Biolife);
end;

This causes AuthenticateUser in the DLL to be passed the UserName and Password. The DLL sees the following values:

Request.RequestParams: method=rows dataset=Biolife user=testuser password=testpass
Request.RequestUser: testuser
Request.RequestPassword: testpass
Request.RequestUrlParams: method=rows&dataset=Biolife&user=testuser&password=testpass

The result is as expected. However, the DLL is also called each time a record is selected to load the graphic. But when this happens, the UserName and Password are not passed to AuthenticateUser in the DLL even when I explicitly assign them in GraphicImageLoad as shown below:

begin
   Database.UserName := 'testuser';
   Database.Password := 'testpass';
   with GraphicImage do
   begin
      BeginUpdate;
      try
         Animations.Visible.Style := asQuadEaseIn;
         Animations.Visible.Duration := 350;
         Visible := True;
      finally
         EndUpdate;
      end;
   end;
end;

The DLL sees the following values:

Request.RequestParams: dataset=Biolife method=load column=Graphic row=90020
Request.RequestUser:
Request.RequestPassword:
Request.RequestUrlParams: dataset=Biolife&method=load&column=Graphic&row=90020

As you can see, the user and password are not being passed in the request. This is a problem since the DLL is being called independently for "rows" and "load" requests. The "rows" request is authenticated but it is not possible to authenticate the "load". Since the AuthenticateUser procedure does not provide direct access to the Request, it cannot determine if not having the user and password is ok. Preferably, the "load" request should also provide the RequestUser and RequestPassword.

What can be done about this problem so validation can proceed for all requests?
Tue, Jun 21 2016 4:11 AM

Matthew Jones

Sidney wrote:

> Preferably, the "load" request should also provide the RequestUser
> and RequestPassword.

This is a basic security requirement of course. Standard hacking mode is to get all the images by changing the URL. (I once worked on a tool for the US military, and we put a lot of effort into validating every extra bit of info that was put into a page - don't want to be able to leak secrets to those not allowed to see them!)
Wed, Jun 22 2016 2:12 PM

Tim Young [Elevate Software]
Elevate Software, Inc.
timyoung@elevatesoft.com

Sidney,

<< However, the DLL is also called each time a record is selected to load the graphic. But when this happens, the UserName and Password are not passed to AuthenticateUser in the DLL even when I explicitly assign them in GraphicImageLoad as shown below: >>

You need to change this property:

http://www.elevatesoft.com/manual?action=viewprop&id=ewb2&comp=TDatabase&prop=AuthenticationMethod

The default is amHeaders, which won't work for load requests because there isn't any way to specify custom headers for a URL. So, just change it to amParameters and EWB will send the user/password as part of the load request.

Tim Young
Elevate Software
www.elevatesoft.com
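The thread makes two defender-side points: every request kind the module serves, the per-row "load" of a graphic included, must be authenticated, and the credentials may arrive either as headers (amHeaders) or as user/password URL parameters (amParameters, which Tim recommends because an image URL cannot carry custom headers). The following Python model is an added example, not code from the thread, from Elevate Web Builder or from the datasetmodule DLL. It assumes a constructed request shape (a URL with method/dataset/column/row query parameters plus an optional Authorization header), a constructed credential store and a constructed row-access table; the function names handle_request, extract_credentials and authenticate_user are this example's own.

```python
"""Authenticate every dataset request, including 'load' (added example)."""
import hashlib
import hmac
from base64 import b64decode
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed credential store: username -> salted SHA-256 of the password.
_SALT = b"example-salt"


def _hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"testuser": _hash("testpass")}
_DUMMY = _hash("")  # compared against for unknown users so timing is uniform

# Constructed row-level authorization: which users may load each row's graphic.
# Authenticating the load is not enough on its own; a valid user must not be
# able to walk every row id in the URL and fetch graphics they may not see.
ROW_ACCESS = {"90020": {"testuser"}}


def extract_credentials(url: str, headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header (the amHeaders
    style) or from user/password URL parameters (the amParameters style).
    Returns None when neither is present or the header is malformed."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, password = b64decode(auth[6:]).decode().partition(":")
            return user, password
        except (ValueError, UnicodeDecodeError):
            return None
    params = parse_qs(urlsplit(url).query)
    if "user" in params and "password" in params:
        return params["user"][0], params["password"][0]
    return None


def authenticate_user(user: str, password: str) -> bool:
    """Constant-time comparison of the salted hash; unknown users still hash."""
    supplied = _hash(password)
    expected = USERS.get(user, _DUMMY)
    return user in USERS and hmac.compare_digest(supplied, expected)


def handle_request(url: str, headers: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
    """Dispatch a dataset request. The credential check runs before the method
    is even looked at, so a 'load' without credentials is refused (401) rather
    than served, and a 'load' for a row the user may not see is refused (403)."""
    headers = headers or {}
    params = parse_qs(urlsplit(url).query)
    creds = extract_credentials(url, headers)
    if creds is None or not authenticate_user(*creds):
        return 401, "authentication required"
    user = creds[0]
    method = params.get("method", [""])[0]
    dataset = params.get("dataset", [""])[0]
    if method == "rows":
        return 200, f"rows of {dataset}"
    if method == "load":
        column = params.get("column", [""])[0]
        row = params.get("row", [""])[0]
        if user not in ROW_ACCESS.get(row, set()):
            return 403, "forbidden"
        return 200, f"{dataset}.{column} for row {row}"
    return 400, "unknown method"


if __name__ == "__main__":
    # The two requests from the thread: the rows request carries credentials,
    # the load request as first observed does not.
    print(handle_request("/dataset?method=rows&dataset=Biolife&user=testuser&password=testpass"))
    print(handle_request("/dataset?dataset=Biolife&method=load&column=Graphic&row=90020"))
    # The load request once the client sends user/password as parameters.
    print(handle_request("/dataset?dataset=Biolife&method=load&column=Graphic&row=90020"
                         "&user=testuser&password=testpass"))
```

Two operational notes on the amParameters route. The password travels in the query string, which is recorded in web server access logs, proxy logs and browser history, so the endpoint should be served over TLS, those logs should be treated as sensitive, and where the framework allows it a short-lived session token in the URL is preferable to the long-term password. And, as Matthew's reply points out, per-row authorization still has to happen in the module: authenticating the load request establishes who is asking, not whether that user may see row 90020.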
This web page was last updated on Wednesday, April 24, 2024 at 11:07 AM