We need a way to login without using the built-in login security screen.
Ideally this would be the complement of the already existing logout
method.
This is needed to allow us to replace the Servoy login dialog box with a
form that incorporates an urgently needed feature “Forgot Password”.
We have developed a very large complex application based on the Servoy
Group security model, but our entire application is defeated if we can not
login programmatically. As a result, this is a very urgent matter for us.
Do you want to be able to write your own login screen?
Putting aside for now the “forgot password” issue, I’m having trouble seeing a couple of things here (probably because I am not fully conversant in Servoy security yet). So I’m officially abstaining on this vote, and posting my below thoughts & questions instead.
Regarding the wish to roll one’s own security module and have it work together with Servoy Security … can someone explain why this would not work?:
use your own UI in your “home-made” User Maintenance module for the creation of Groups, creation of User, setting user passwords, assigning users to groups etc., and - of course - setting the kind of process-oriented and view-filtering privileges that we tend to use hand-rolled log-in schemes to manage
now when a user logs in (via Servoy security) your method uses getUserName for a match with their record in your User Maintenance module
If this does not satisfy the desire for “using your own security combined with servoy security” please show me the hole in my thinking, thanks.
===
Re the request to have Servoy load your own log-in form without passing Servoy security first …
Sure looks like a huge security hole to me. If a form, any form, of a solution loads without log-in required, what would prevent any Joe Blow from using Developer to load the solution and then doing whatever they want? (I must be missing something obvious.)
===
Now coming back to the “forgot password” problem … maybe this is the feature request that would be more reasonable to make…
But, then, what would you want to happen if someone clicks this I Forgot My Password button? Run a method that you specify in solution settings, and you will code your own mechanism for handling the situation? Or some other automated thing, and if so what? (Send the password in an unencrypted email? Call a beeper number? Spray indelible red ink on Joe Blow for forgetting his silly password?)
Also, for those in a bind while waiting for a resolution to the Forgot Password Problem, might it help to provide a web page with a link that runs a method on a headless client? In other words, the headless client is logged in with privileges that allow it to access all records in your User Maintenance table. The user enters “JBlow” in the username field on this web page, and clicks the Forgot Password button which runs a method via H.C., doing whatever it is that you wanted the Forgot Password button to do. Then all your users have to know is the URL to visit when they’re in trouble.
Thank you for your thoughtful remarks Kazar. My understanding is limited as well
but this is what I understand.
There is currently only one way to assign the current user, as defined
in the Servoy security model. That would be to enable the Servoy security
which in turn presents the user with a security challenge not unlike an
htaccess challenge, soliciting a user name and password.
The Servoy security challenge is not extensible. A failure to pass the
challenge results in denied access in a well written application.
Users often forget passwords. This grows in magnitude as the number
of concurrent users grows. A user who is denied access will have little
alternative than to contact support: IE: they pick up the phone and ask
for help.
Our goal in developing our application is to minimize the requirement
for backend telephone support. We feel that we can remediate this in
the following fashion:
a) We intend to present a username and password challenge
together with a link for those who have forgotten their password.
b) If the user presses the “forgot password” link, his password is
cleared, and a random password is generated and assigned to him
and emailed to his well known email address. In addition he is placed
on a list which tags his account as one which requires the user to reset
his password on the next login. The user is advised to read his email
for instruction as to how to proceed. No support involvement is needed.
I personally see no reason why a replacement login page should any
less secure than the Servoy login page. Both are using exactly the same
back end code and database. The only problem is that Servoy has not
provided a means of declaring that a particular user is now logged in.
We tie into the system by ensuring that our login page is the first form
displayed, and all other pages are not displayed on the menu.
In turn we manage the jump to the correct page on successful security
challenge.
If you are not able, as a developer, to establish the current user then
the Servoy security model will not benefit your application, as the current
user is used to determine what access rights are present.
In this instance the Servoy group based security model breaks down.
Hi Dan – Thanks for the very clear explanation of the situation you are facing. A little more clarification now from me:
I’m having a really hard time shaking off 10 uninterrupted years of living & breathing FileMaker Pro. On a daily basis I’m running up against my own presumptions that stem from having been so immersed in a tool that is meant both for designing AND using a database.
When I thought more about my concern re exposing a form in a solution that did not require log-in, I realized that of course in order for a Person Of Evil Intention to get that solution open using Servoy Developer, s/he would need to know the password to make a connection to the back end database.
So I withdraw that particular security concern, it’s just a relic of my FMP past (and I hope to be doing this less and less on this forum!)
Clearly the action you would want the Forgot Password button to take is very specific to your situation. Other developers would likely want a different set of actions to take place if a user clicks a Forgot Password button (after all, they may not even have a table with users’ email addresses).
Therefore, the only way I could see the Forgot Password button working on Servoy security log-in would be to allow one to designate a method that would be run if one chooses the option to include the “Forgot Password” button in the log-in dialog. Again, maybe that should be another (separate) feature request … for all we know it might be a lot easier to institute in an upcoming version than a security.logIn type of function.
That said, I will join this chorus and ask for full control of security functions via methods, including the ability to log in via a method. I’ll even add a further request: re-login (for ‘terminals’ that might be used by multiple users for a few minutes at a time)
But, Dan, regarding the word “urgent” in your selected title for this discussion, you do need Servoy security and you also need a way to deal with forgotten passwords that is as low-maintenance for your support desk as possible. From what you say this is a broadly deployed solution, so at least until such time as a log-in function might be added to Servoy, do consider creating a web page FAQ and put right at the top “I forgot my password, what should I do?” with a link to a form for username, and that form can have a Submit button that sets the new password for the user & sends the email… (or is there something I’m not seeing again … could not a headless client do this?)
I am most grateful for your attention to this issue, and the depth of
thought that you have committed to it.
My experience suggests that a web page will not work as if the current
Servoy authentication screen fails, it gets stuck in an apparent
indefinite loop. If this was not the case, or if the failure case could be
diverted to a form of our choosing, then I could construct the kind of
web page solution that you promote. But given that the Servoy authenticator
loops on failure there is really nothing that I can do to even capture the
failure case after the fact.
In Servoy 3.0 we will provide a solution property loginForm and a method on the scripting security node called login(username,password).
This will allow you to do/design your own login form and process login; until the login has succeeded you will not be able to leave the loginForm.
BTW if you need something urgently like this before 3.0 please contact support@servoy.com
Jan Blok:
In Servoy 3.0 we will provide a solution property loginForm and a method on the scripting security node called login(username,password).
This will allow you to do/design your own login form and process login; until the login has succeeded you will not be able to leave the loginForm.
BTW if you need something urgently like this before 3.0 please contact support@servoy.com
Jan, will it be also possible to re-login by scripting??
So we can reset all our FilterParams??