Security in Servoy Offline

Discuss the Offline version of Servoy that allows you to run Servoy applications online and offline by using synchronization technology like Mobilink and SQL Remote.

Security in Servoy Offline

Postby dpearce » Sat Dec 15, 2007 10:36 am

I have a solution ready to distribute in servoy offline.

I have removed the designer mode access in the servoy.properties panel.

The solution has its own in built security using a table.

It occurs to me that if anyone who gets a copy of this wants to try and hack it, then all they need to do is learn a bit of Servoy, come to this forum and switch on designer.enabled=true again, and then they can hack the solution.

Unless I am missing something, the native Servoy security doesn't seem to have an 'allow exclude designer access' function.

The obvious fix would be to ask for a feature request to allow only administrators to go into designer mode, but that may take time!

Has anyone else come across this potential issue, and are there any workarounds?

David
dpearce
 
Posts: 469
Joined: Sun Dec 03, 2006 11:53 am

Postby dpearce » Sat Dec 15, 2007 12:14 pm

To answer my own question, here is a start:
By reading the properties file one can at least check that the line that has been added to remove the developer rights has remained intact, by placing this in my on-open script.

//Check to make sure that the servoy.properties file has not been changed
//(the property key is designer.enabled, so the pattern must spell it in full)

var textData = plugins.file.readTXTFile('servoy.properties');

if (utils.stringPatternCount(textData, 'designer.enabled=false') < 1)
{
	application.exit();
}


Any brighter ideas?
dpearce
 
Posts: 469
Joined: Sun Dec 03, 2006 11:53 am
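A stricter form of the check from the post above, added here as an example and not taken from the thread or from Servoy: it parses the properties text as key=value pairs and matches the designer.enabled key exactly, so a commented-out or whitespace-padded line is not mistaken for the active setting. It assumes Servoy's plugins.file.readTXTFile supplies the text; the file contents below are constructed samples. As the replies in the thread point out, anyone who can edit the properties file can also remove this check, so it complements solution password protection rather than replacing it.

```javascript
// Added example (not code from the thread): parse servoy.properties as key=value
// pairs and check the designer.enabled key by exact match, so that a commented-out
// ("#designer.enabled=false") or whitespace-padded line is handled correctly.
// In Servoy the text would come from plugins.file.readTXTFile('servoy.properties');
// the contents used below are constructed samples so the check runs stand-alone.

// Trim helper that does not rely on String.prototype.trim (older Rhino engines lack it).
function trim(s) {
  return s.replace(/^\s+|\s+$/g, '');
}

// Parse Java-style properties: "key=value" or "key:value", skipping blank lines
// and lines that start with '#' or '!' (comments). Later keys override earlier ones.
function parseProperties(text) {
  var props = {};
  var lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = trim(lines[i]);
    if (line === '' || line.charAt(0) === '#' || line.charAt(0) === '!') continue;
    var m = /^([^=:\s]+)\s*[=:]?\s*(.*)$/.exec(line);
    if (m) props[m[1]] = trim(m[2]);
  }
  return props;
}

// True only when designer.enabled is present and explicitly "false".
// A missing key is NOT treated as disabled: an absent setting falls back to the default.
function designerDisabled(text) {
  var props = parseProperties(text);
  return Object.prototype.hasOwnProperty.call(props, 'designer.enabled') &&
    props['designer.enabled'].toLowerCase() === 'false';
}

// Constructed sample file contents (not real Servoy configuration files).
var SAMPLE_DISABLED = '# constructed sample\n' +
  'designer.enabled = false\n' +
  'other.setting=1\n';
// Here the disabling line has been commented out and an active line re-enables it.
var SAMPLE_TAMPERED = '#designer.enabled=false\n' +
  'designer.enabled=true\n';
var SAMPLE_MISSING = 'other.setting=1\n';

// In the solution's open method the check from the post becomes:
//   if (!designerDisabled(plugins.file.readTXTFile('servoy.properties'))) application.exit();
```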

Postby Harjo » Sat Dec 15, 2007 12:55 pm

Hi,

also make your solutions password protected.
That way they can't access your source code.
And also change the default Sybase access (dba, sql) to something different. The passwords in the properties file are also encrypted.

This way, no one can (easily) access your source-code.

Hope this helps
Harjo Kompagnie
Direct ICT / Servoy Hosting / ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
Harjo
 
Posts: 4269
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Postby ROCLASI » Sat Dec 15, 2007 1:42 pm

Hi David,

I believe the suggestion of Harjo is actually the only safe way to deploy your solution in a protected manner.
This way even if they have access to Developer (online or offline) they still need to know the password to see/change/remove any of your code.

Hope this helps.
Robert Ivens
ROCLASI Software Solutions / JBS Group, Partner
SAN Developer / Servoy Valued Professional / Servoy Certified Developer
Twitter: @roclasi / @servoyforge
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
ROCLASI
Servoy Expert
 
Posts: 5205
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Postby dpearce » Sat Dec 15, 2007 4:21 pm

I think I am missing something here.

Servoy Offline is developer with the designer.enabled=false

Even if I set an admin password on this, but take this line out of the code to make it into developer again (something that isn't hard to think someone could do), then even if I log in as a non-administrator I can still edit the code.

There appears to be nothing within the security setting that stops a user using developer to access the code. Obviously the risk is therefore limited to someone tampering with the disabled developer which is what is given out with Offline?

I may just be confused about offline and Runtime, but I thought I now had this sussed. If you want someone to be able to access a remote database then you use offline?

Is there a security setting that I am not aware of that allows me to prevent someone accessing the scripts even if they are in developer?

David
dpearce
 
Posts: 469
Joined: Sun Dec 03, 2006 11:53 am

Postby ROCLASI » Sat Dec 15, 2007 5:03 pm

Hi David,

When you export a solution you can select it to be exported with a password. This is totally separate of any security settings in the repository.
When imported into another repository the solution source is protected by this password.

Hope this explains things.
Robert Ivens
ROCLASI Software Solutions / JBS Group, Partner
SAN Developer / Servoy Valued Professional / Servoy Certified Developer
Twitter: @roclasi / @servoyforge
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
ROCLASI
Servoy Expert
 
Posts: 5205
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Postby Jan Aleman » Sat Dec 15, 2007 8:29 pm

As roclasi points out you can protect the solution independent from your deployment model and properties settings.

Please also note that the default offline edition uses runtime edition which has no database repository. The special 'disabled developer' offline edition is only used if you need specific functionality (eg to connect to multiple databases)
Jan Aleman
Servoy
Jan Aleman
Site Admin
 
Posts: 2071
Joined: Wed Apr 23, 2003 9:49 pm
Location: Planet Earth

Postby dpearce » Sat Dec 15, 2007 9:18 pm

Jan & Roclasi,

Thanks, I thought that there must be some protection method, but have never used it before as all my solutions have been served.

That works brilliantly.

The reason I need the full developer edition is for exactly that reason: I am using the solution to download certain specific files to be worked on from the main server offline, and then once they are completed I am sending the results back again.

This won't work with the runtime solution, unless I go through the pain of Mobilink, which seems overcomplicated and overkill for the functionality I require.

I suppose I should ask Jan, are there any licensing issues with the special disabled developer edition? Or is it up to 500 like runtime?

Thanks again. A painful week, but I think I have now cracked my local offline solution to complement my Smart Client and Web Client versions.

David
dpearce
 
Posts: 469
Joined: Sun Dec 03, 2006 11:53 am

Postby Jan Aleman » Sun Dec 16, 2007 4:08 pm

Servoy offline has the same license fee as Servoy Smart Client, but instead of per concurrent user you pay per installed copy (as it runs offline/stand-alone there is no concurrency).
Jan Aleman
Servoy
Jan Aleman
Site Admin
 
Posts: 2071
Joined: Wed Apr 23, 2003 9:49 pm
Location: Planet Earth

Postby Riccardino » Sun Dec 16, 2007 9:29 pm

dpearce wrote: I think I am missing something here.

Servoy Offline is developer with the designer.enabled=false

Speakin' of that: activating this option, what happens exactly?
I got a developer with no editing options or do I get a client able to startup the db and launchable like a desktop application?

It's quite important, since client and developer handle code differently..
ciao, ric
Riccardino
 
Posts: 911
Joined: Thu Apr 24, 2003 11:42 am
Location: Ferrara, Italy

Postby Jan Aleman » Mon Dec 17, 2007 10:38 am

Riccardino wrote:
dpearce wrote: I think I am missing something here.

Servoy Offline is developer with the designer.enabled=false

Speakin' of that: activating this option, what happens exactly?
I got a developer with no editing options or do I get a client able to startup the db and launchable like a desktop application?

It's quite important, since client and developer handle code differently..


It's developer with the designer functions (form design, method editor, etc, etc) disabled.
Jan Aleman
Servoy
Jan Aleman
Site Admin
 
Posts: 2071
Joined: Wed Apr 23, 2003 9:49 pm
Location: Planet Earth

Postby Riccardino » Mon Dec 17, 2007 12:15 pm

Jan Aleman wrote:
Riccardino wrote:
dpearce wrote: I think I am missing something here.

Servoy Offline is developer with the designer.enabled=false


It's developer with the designer functions (form design, method editor, etc, etc) disabled.


Ok. So the code is not compiled, when executed, right?

What I mean is: if I have a single machine installation, can I choose the Offline option instead of setting up a server and a client on the same machine, having the same result or is it always preferable to adopt a client/server option, even if there's only one machine involved?
ciao, ric
Riccardino
 
Posts: 911
Joined: Thu Apr 24, 2003 11:42 am
Location: Ferrara, Italy
