  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 785

Datasnap with socket connection: how to verify user before releasing any database information?

Hi,

I need to create a login procedure that prevents clients from retrieving any database data before login is successfully completed. I know how to make callable functions in the application server, but I don't know how to intercept SocketConnection calls before they reach the actual data components in the application server.

Any ideas?

Regards
  Janne Timmerbacka
  Finland
0
olmy
Asked:
1 Solution
 
DavidRissatoCommented:
I think it's not a good idea to intercept SocketConnection because this way you will trap login procedures too.

Maybe the best way is to raise an exception in the methods that retrieve data from the database when the user isn't logged in to the system.

Doing it this way, you can even reject execution based on the user's access level.

{}'s
David Rissato Cruz
0
 
olmyAuthor Commented:
Thanks DavidRissato. How do I get the information about which client (user) is retrieving data?
0
 
 
DavidRissatoCommented:
There are a lot of ways to make this kind of login control.

One way could be to send login information (name + password) as a parameter in every call to a "must be logged in" function. In each of these functions, you can call a method like TestLoginValidity(name, pass), and this method can even raise an exception when it does not match.

However, you don't need to ask the user to input name + password on the front end every time he wants to query the database.

When the frontend calls the login procedure the first time, you can hold these values in local variables and send them along with every database query request.

There are other ways to do this login schema, but I think this one is simple and functional, and it's relatively secure.

{}'s
David Rissato Cruz
0
 
olmyAuthor Commented:
The nicest way would be that user information is asked for and sent only once. I would like to leave the "call" parameter free for real use.

Can I identify the client connection, without sending additional information from the client? First time a login call would be made and then I can match the connection with user information.
0
 
DavidRissatoCommented:
You can hold a reference in your frontend to the server database query object when you first login and set LoginInformation property on it.

So every time you call any of its functions, it will check the existence of this LoginInformation.

The bad thing about this format is that you will keep your server busy with so many client objects instantiated to be used sometimes.

{}'s
David Rissato Cruz
0
 
olmyAuthor Commented:
Sorry DavidRissato, I didn't quite understand your last comment. Could you explain it in another way? In addition to my previous comment: I'd like to identify the client connection on the server side. Can I do that?
  Janne
0
 
DavidRissatoCommented:
It depends: how do you make callable functions on the server? How are you doing it? Is it a DCOM object registered in your MTS?

{}'s
David Rissato Cruz
0
 
olmyAuthor Commented:
Yes, I think so. I haven't seen any other way in datasnap examples and manuals.
0
 
DavidRissatoCommented:
So how are you retrieving data from this object?

Are you instantiating it, making a call and freeing the object?

If you work this way, just don't destroy the object on every call. Make a login procedure on this class that just changes a private boolean field inside it (e.g. FLogged: Boolean;) when it succeeds.

And then, on each "must-be-logged" call, you check the value of this boolean field and raise an exception in case of failure.

But it is very important that you keep your object alive from the first login until program termination.

{}'s
David Rissato Cruz
0
 
olmyAuthor Commented:
Thank you DavidRissato. It took me a while to understand what you were saying. I'm too much of a newbie with Midas. A little example would have been nice. But with your help I understood what to look for and finally got it. Thank you
  Olmy
0
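The approach from the answers above (a server object kept for the whole session, a private FLogged flag set by a login call, and an exception from every must-be-logged method), as an added example that is not code from the thread. TServerSession, ENotLoggedIn, GetCustomers and the credentials are hypothetical, and the program is a plain console model of the pattern rather than a DataSnap remote data module.

```delphi
program LoginGateDemo;
{$APPTYPE CONSOLE} {$IFDEF FPC}{$MODE DELPHI}{$ENDIF}
uses SysUtils;

type
  ENotLoggedIn = class(Exception);
  // Hypothetical stand-in for the server object kept alive per connection.
  TServerSession = class
  private
    FLogged: Boolean;    // set only by a successful Login
    FUserName: string;   // identifies the client on later calls
    procedure RequireLogin;
  public
    function Login(const AName, APass: string): Boolean;
    function GetCustomers: string;  // a "must-be-logged" call
  end;

procedure TServerSession.RequireLogin;
begin
  if not FLogged then
    raise ENotLoggedIn.Create('Login required before requesting data');
end;

function TServerSession.Login(const AName, APass: string): Boolean;
begin
  // Constructed credentials; a real server checks its own user store.
  FLogged := (AName = 'demo-user') and (APass = 'constructed-secret');
  if FLogged then FUserName := AName else FUserName := '';
  Result := FLogged;
end;

function TServerSession.GetCustomers: string;
begin
  RequireLogin;  // server-side gate, runs before any data is touched
  Result := 'rows for ' + FUserName;
end;

var Session: TServerSession;
begin
  Session := TServerSession.Create;  // one instance for the whole session
  try
    try
      Writeln(Session.GetCustomers);   // no login yet: exception raised
    except
      on E: ENotLoggedIn do Writeln('Denied: ', E.Message);
    end;
    if Session.Login('demo-user', 'constructed-secret') then
      Writeln(Session.GetCustomers);   // allowed after login
  finally
    Session.Free;
  end;
end.
```

In a DataSnap server, client datasets fetch through providers rather than through your own methods, so the same check also belongs in each TDataSetProvider's BeforeGetRecords and BeforeApplyUpdates handlers.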
