Security - Must Authenticate

Questions, tips and tricks and techniques for scripting in Servoy

Security - Must Authenticate

Postby Gordon » Tue Oct 25, 2011 3:04 pm

Hi

I am using Servoy 6 and would like to over ride the Servoy built in security to use my own. I have unchecked the Must Authenticate and as I read the docs this should prevent the Servoy built in login form showing up. I have either completely mis understood the the process OR this does not appear to have any effect because in deployment mode this triggers regardless of it being set or not.

Is there a way to block the Servoy security form over riding the developers own version ?

nb this is only in 6.01

Many thanks
Gordon McLean
Click Digital Media Ltd
SAN Developer
www.clickdigital.com
User avatar
Gordon
 
Posts: 265
Joined: Thu Mar 17, 2005 8:05 pm
Location: UK

Re: Security - Must Authenticate

Postby patrick » Tue Oct 25, 2011 4:18 pm

Implementing your own security is way easier actually since Servoy 6. I think what you observe is "enhanced security". Check this out: http://wiki.servoy.com/display/Serv52/U ... d+Security
Patrick Ruhsert
Servoy DACH
patrick
 
Posts: 3682
Joined: Wed Jun 11, 2003 10:33 am
Location: Munich, Germany

Re: Security - Must Authenticate

Postby Gordon » Tue Oct 25, 2011 5:27 pm

Hi Patrick

Unfortunately the link is for Servoy 5,2 and 6 has now changed the approach again !. The facility to disable the enhanced security is no long visible in the server properties. i.e.
Code: Select all
Servoy Application Server: A new setting has been added on the Servoy Admin page, under "Servoy Server Home" > "Admin settings", called "servoy.application_server.enhancedSecurity"


I have always used my own security and as a consequence have no experience of any of the Servoy security solutions. I am struggling to see why you think using Servoy 6 security is easier !! It strikes me as significantly harder and as far as I can see the enhanced security is going to add a lot of extra work for zero benefit.

Best
Gordon
Gordon McLean
Click Digital Media Ltd
SAN Developer
www.clickdigital.com
User avatar
Gordon
 
Posts: 265
Joined: Thu Mar 17, 2005 8:05 pm
Location: UK

Re: Security - Must Authenticate

Postby Gordon » Tue Oct 25, 2011 5:35 pm

Hi

It appears the only way to disable the enhanced security now is to set this by editing the properties file

Code: Select all
Enhanced Security is now the default mode. The UI in Servoy Developer and in the Application Server to disable it has been removed. It is only possible to disable Enhance Security through setting the relevant property in the servoy.properties file: "servoy.application_server.enhancedSecurity=false"


Which would no doubt suggest that in the very near future it won't be possible to disable this feature at all.

So to avoid this breaking in the future as far as I can see I have no choice but to re work this security model into the solution - not at all happy about this a bad day all round :(
Gordon McLean
Click Digital Media Ltd
SAN Developer
www.clickdigital.com
User avatar
Gordon
 
Posts: 265
Joined: Thu Mar 17, 2005 8:05 pm
Location: UK

Re: Security - Must Authenticate

Postby grahamg » Tue Oct 25, 2011 6:55 pm

Updated link for building Custom Security Servoy 6.x

http://wiki.servoy.com/display/public/D ... g+Security
Graham Greensall
Worxinfo Ltd
www.worxinfo.com
grahamg
 
Posts: 752
Joined: Fri Oct 03, 2003 3:15 pm
Location: Midlands UK

Re: Security - Must Authenticate

Postby mboegem » Thu Oct 27, 2011 9:28 am

Gordon wrote:I have always used my own security and as a consequence have no experience of any of the Servoy security solutions. I am struggling to see why you think using Servoy 6 security is easier !! It strikes me as significantly harder and as far as I can see the enhanced security is going to add a lot of extra work for zero benefit.


Hi Gordon,

Although I haven't been able to implement the enhanced security due to available time, I don't agree this will return zero benefit.
The possibility to implement own security was nice, but 1 major downside: if you make a mistake implementing this, users can end up being in your solution without any filter on the database. In other words: anything you'd prevent them to see might just be visible.

The enhanced security though, enables you to implement your own business rules.
But as long as you don't grant access, users can't get to the database.
Everything you need from the database during your login check, has to go through the authentication module.

I'd say this is a huge benefit from the security perspective.
_____________________
Marc Boegem
Solutiative / JBS Group, Partner
• Servoy Certified Developer
• Servoy Valued Professional
• Freelance SAN Developer

Image
User avatar
mboegem
 
Posts: 1531
Joined: Sun Oct 14, 2007 1:34 pm
Location: Amsterdam

Re: Security - Must Authenticate

Postby jcompagner » Thu Oct 27, 2011 9:38 am

enhanced security doesn't 'enabled' anything.
Its not that you then can implement some security that you can't do without that setting.
That flag is just there to force smart clients to login first into the server before being able to do anything.

You are right that this behavior will be fixed at a next version of Servoy, without the possibility to turn it off.

The thing is if you don't want to show users a login dialog, just make a login solution and an authenticator and let the login solution in its load method call your authenticator which does a login at the server with a default user.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8284
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Security - Must Authenticate

Postby Gordon » Thu Oct 27, 2011 9:57 am

Firstly I think I owe Servoy an apology, there is no doubt the security is there for the benefit of both developers and ultimately clients. The Servoy team have obviously given this a lot of thought and come up with a solution that protects the integrity of the product and the underlying databases. The implementation, as Patrick rightly pointed out is not hard and does allow for custom engineering.

On the down side I have had to do a lot of work to get back to where I was, this is a time consuming process and would I would have preferred not to have done it. That said now the new security is in place and I would not consider using anything else in future.

I was wrong about the zero benefit, overall Servoy have done the right thing with this security. I wasted a lot of time but probably for my benefit long term and I now have a better product.
Gordon McLean
Click Digital Media Ltd
SAN Developer
www.clickdigital.com
User avatar
Gordon
 
Posts: 265
Joined: Thu Mar 17, 2005 8:05 pm
Location: UK


Return to Methods

Who is online

Users browsing this forum: No registered users and 2 guests