One of the most common questions I get about DataSnap is how to do authentication in a DataSnap Server that uses TCP/IP as the transport (the TDSTCPServerTransporter component). If you are considering the HTTP transporter it is not a problem: the authentication component is there and provides an event for this.
It makes sense to ask, since without authentication anyone can connect to your DataSnap Server and execute every Server Method available. This post demonstrates how to implement authentication very easily.
I'm assuming you already know the basics of DataSnap; if you don't, I recommend reading some of the articles or watching some of the videos published on EDN.
Let's start with the client side, which needs to send the credentials (username and password) to be validated on the server side. TSQLConnection is how the client connects to the server; besides hostname, port, driver and other parameters, it also carries the user credentials, which are part of the Params property.
In general we use the parameters UserName and Password, which is correct, but in this case I recommend that you use the parameters DSAuthenticationUser and DSAuthenticationPassword. DataSnap uses these parameters when HTTP is the transporter, and if you would like to execute the server methods from DataExplorer you will be able to connect and your server will be able to verify the credentials. These are also the standard parameters.
Our code on the client side will look like this:
    with SQLConnection1 do
    begin
      Params.Values['HostName'] := Server;
      Params.Values['Port'] := Port;
      // Credential parameters that the server reads in DSServer.OnConnect
      Params.Values['DSAuthenticationUser'] := 'user';
      Params.Values['DSAuthenticationPassword'] := 'password';
    end;
On the server side we will use the DSServer component and its OnConnect event for the authentication process.
The OnConnect event has the parameter DSConnectEventObject, whose ConnectProperties property provides all the connection information. This means every parameter passed from the client side is available, including the parameters I mentioned before.
In the following example, login and password get their values from the DSAuthenticationUser and DSAuthenticationPassword properties; the validation is then done by the class TUser, which is a class I created for this sample.
If the credentials are invalid, the server raises an exception. Any exception raised in the OnConnect event stops the connection; in other words, the client application will not be connected to the server.
    // Read the credentials the client sent in its connection parameters
    with DSConnectEventObject.ConnectProperties do
    begin
      login := Properties.Values['DSAuthenticationUser'];
      password := Properties.Values['DSAuthenticationPassword'];
    end;
    userConn := TUser.Create;
    try
      // Raising an exception here aborts the connection
      if not userConn.IsValidUser(login, password) then
        raise Exception.Create('Invalid Login/Password');
    finally
      userConn.Free;
    end;
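The post does not show the TUser class, so the following is an added example (not the author's code) of one way IsValidUser could check the password against a stored salted PBKDF2-HMAC-SHA256 key rather than a plaintext value, comparing without an early exit. The login, salt, password and iteration count are constructed, and it assumes a Delphi version whose System.Hash unit provides the TBytes overloads of THashSHA2.GetHMACAsBytes.

```delphi
program TUserExample; // hypothetical name; needs System.Hash with TBytes HMAC overloads
{$APPTYPE CONSOLE}
uses System.SysUtils, System.Hash;
type
  TUser = class // hypothetical stand-in for the post's TUser
  private
    FSalt, FKey: TBytes;
    function DeriveKey(const Password: string): TBytes;
  public
    constructor Create;
    function IsValidUser(const Login, Password: string): Boolean;
  end;

// PBKDF2-HMAC-SHA256, single 32-byte block; 100000 iterations is an assumed cost
function TUser.DeriveKey(const Password: string): TBytes;
var Pwd, U: TBytes; I, J: Integer;
begin
  Pwd := TEncoding.UTF8.GetBytes(Password);
  U := THashSHA2.GetHMACAsBytes(FSalt + TBytes.Create(0, 0, 0, 1), Pwd);
  Result := Copy(U);
  for I := 2 to 100000 do
  begin
    U := THashSHA2.GetHMACAsBytes(U, Pwd);
    for J := 0 to High(Result) do
      Result[J] := Result[J] xor U[J];
  end;
end;

constructor TUser.Create;
begin // constructed demo record; a real server loads login, salt and key from its store
  FSalt := TBytes.Create($3A, $91, $07, $C4, $5E, $12, $B8, $6D);
  FKey := DeriveKey('demo-pass');
end;

function TUser.IsValidUser(const Login, Password: string): Boolean;
var Candidate: TBytes; Diff: Byte; I: Integer;
begin
  Candidate := DeriveKey(Password); // derived for every login, known or not
  Diff := 0;
  for I := 0 to High(FKey) do
    Diff := Diff or (Candidate[I] xor FKey[I]); // compare without early exit
  Result := (Diff = 0) and SameText(Login, 'demo');
end;

var User: TUser;
begin
  User := TUser.Create;
  try
    Writeln(User.IsValidUser('demo', 'demo-pass'), ' ', User.IsValidUser('demo', 'wrong'));
  finally
    User.Free;
  end;
end.
```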
My DataSnap samples were updated to reflect this authentication process and are already available, download here.