Comments on: DataSnap 2010 authentication throught TCP/IP Transport
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/
Where Andreano Lanusse talks about technology, software development, programming techniques, databases, games and more through articles, tutorials and videos
Last built: Tue, 15 Nov 2011 19:16:36 +0000

By: Brian (Tue, 15 Nov 2011 19:16:36 +0000)
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/#comment-9886

Is there a way to require a client to use a filter?
I’ve noticed that if the server has filters set and the client that connects to the server has no filters defined, it still works fine.
But I want to require the client to use RSA filter to connect to the server.

By: Failover Server in DataSnap and Delphi 2010 | Delphi básico: Lo más básico de Delphi (Sun, 11 Apr 2010 17:21:35 +0000)
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/#comment-2637

[…] DataSnap 2010 authentication throught TCP/IP Transport Share and enjoy: […]

By: Mortgage Broker in Tampa reaching out to other brokers/sales professionals on any lead generation ideas.? (Mon, 05 Apr 2010 15:14:25 +0000)
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/#comment-2608

[…] DataSnap 2010 authentication throught TCP/IP Transport | Andreano … […]

By: Luigi D. Sandon (Fri, 02 Apr 2010 10:41:30 +0000)
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/#comment-2597

I apologize for the double post – they don’t appear immediately and I didn’t know the posts are moderated.

As already commented, Teti’s encryption filters have a basic flaw due to the Datasnap architecture: they can’t exchange a session key properly because of the lack of proper hooks. If you store the key inside the application or PC you have just false security. And if you never change the session key you have false security again.

Moreover, no matter how you encrypt the session, it is a basic flaw to send the password itself. Even basic examples should teach proper security practices.

Above all, Embarcadero still makes simple what is already simple – sending a user/password – but doesn’t help developers to tackle actual, real issues to develop commercial-grade applications easily. For example, how do you fit Kerberos/GSSAPI authentication or TLS/SSL authentication in Datasnap using the TCP/IP transport? Those are industry-standard authentication methods, and should have been available in the box for an expensive tool like Delphi that aims to be called “Enterprise”.

Authentication may require more than one simple roundtrip to establish the authentication context. Does Datasnap have hooks to allow for it? I didn’t find them; maybe it’s just that I did not fully understand how it works yet, or maybe they are missing. All that SQL-related way of working does not help at all, IMHO.

A flexible architecture is welcome, but IMHO the Datasnap design is not flexible enough to allow plugging in the needed authentication, authorization and encryption.

For example, I would like to see a connection phase where the client and the server are allowed to keep on exchanging data until both parties agree the authentication phase is completed. Same for exchanging the session encryption key. A single server-side event or a simple stream filter is not enough.

And I’d wish to see an authorization plug-in hook that could check method calls against ACLs instead of having to hard-code that within each method call. Is there any facility to store the user context on the server? Or again, is everything left to the developer? How do I store that context in each call to ensure the server knows who is calling it, especially in a stateless design?

Before designing this new Datasnap, did someone take a look at what DCOM and WCF provide? It looks like it was designed with database stored procedures in mind, not system-wide RPC. But stored procedures are called from users already authenticated by the database communication layer, and calls are authorized by the DB ACLs; that’s why they are simpler from a user point of view and a DB library does not have to care about much. But RPC is not that simple – all those features must be added.

By: Andreano Lanusse (Thu, 01 Apr 2010 21:46:31 +0000)
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/#comment-2596

In reply to LDS.

Hi LDS,

As you already know, you can encrypt the communication between client and server in DataSnap using filters. Daniele Teti created a very nice set of filters including encryption and compression – http://www.danieleteti.it/?p=168

So, you decide whether to send cleartext or encrypt the communication.

Luigi, you again; you also already know about Daniele’s filters. I can implement many other things to improve security, but the idea of this post is to explain how they can handle the authentication.

Also, you have to understand that we want to provide a flexible architecture that allows developers to plug in and extend DataSnap; filters are one example.

By: LDS (Thu, 01 Apr 2010 11:30:53 +0000)
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/#comment-2594

In 2010 authentication is still nothing more than how to send a user/password(!) in cleartext at Embarcadero?

By: Luigi D. Sandon (Thu, 01 Apr 2010 11:14:13 +0000)
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/#comment-2593

Lame form of authentication:
1) You’re transmitting plain text
2) You’re transmitting the password!
3) With a single call, even using parameters, it may not be possible to use proper security and authentication.
4) Most authentication schemes require exchanging binary data; using “params” it has to be encoded in strings.

The connection handshaking may require more than a single call to establish the security context. Datasnap lacks those kinds of hooks. It really looks like Embarcadero is unable to understand what security means in today’s world, and sticks to very minimal implementations useless in any real situation.

Go back to the drawing board, please, and design a modern solution, please – not one of the ’80s.

By: Nick Hodges » Blog Archive » Random Thoughts on the Passing Scene #153 (Thu, 01 Apr 2010 01:03:38 +0000)
http://www.andreanolanusse.com/en/datasnap-2010-authentication-throught-tcpip-transport/#comment-2591

[…] A project that shows how to do HTTP authentication with DataSnap […]
