
Security - Must Authenticate

Posted: Tue Oct 25, 2011 3:04 pm
by Gordon
Hi

I am using Servoy 6 and would like to override the Servoy built-in security to use my own. I have unchecked the Must Authenticate and as I read the docs this should prevent the Servoy built-in login form showing up. I have either completely misunderstood the process OR this does not appear to have any effect, because in deployment mode this triggers regardless of it being set or not.

Is there a way to block the Servoy security form overriding the developer's own version?

NB: this is only in 6.01

Many thanks

Re: Security - Must Authenticate

Posted: Tue Oct 25, 2011 4:18 pm
by patrick
Implementing your own security is way easier actually since Servoy 6. I think what you observe is "enhanced security". Check this out: http://wiki.servoy.com/display/Serv52/U ... d+Security

Re: Security - Must Authenticate

Posted: Tue Oct 25, 2011 5:27 pm
by Gordon
Hi Patrick

Unfortunately the link is for Servoy 5.2 and 6 has now changed the approach again! The facility to disable the enhanced security is no longer visible in the server properties, i.e.
Code:
Servoy Application Server: A new setting has been added on the Servoy Admin page, under "Servoy Server Home" > "Admin settings", called "servoy.application_server.enhancedSecurity"


I have always used my own security and as a consequence have no experience of any of the Servoy security solutions. I am struggling to see why you think using Servoy 6 security is easier!! It strikes me as significantly harder and as far as I can see the enhanced security is going to add a lot of extra work for zero benefit.

Best
Gordon

Re: Security - Must Authenticate

Posted: Tue Oct 25, 2011 5:35 pm
by Gordon
Hi

It appears the only way to disable the enhanced security now is to set this by editing the properties file:

Code:
Enhanced Security is now the default mode. The UI in Servoy Developer and in the Application Server to disable it has been removed. It is only possible to disable Enhance Security through setting the relevant property in the servoy.properties file: "servoy.application_server.enhancedSecurity=false"


Which would no doubt suggest that in the very near future it won't be possible to disable this feature at all.

So to avoid this breaking in the future, as far as I can see I have no choice but to rework this security model into the solution - not at all happy about this, a bad day all round :(

Re: Security - Must Authenticate

Posted: Tue Oct 25, 2011 6:55 pm
by grahamg
Updated link for building Custom Security Servoy 6.x

http://wiki.servoy.com/display/public/D ... g+Security

Re: Security - Must Authenticate

Posted: Thu Oct 27, 2011 9:28 am
by mboegem
Gordon wrote: I have always used my own security and as a consequence have no experience of any of the Servoy security solutions. I am struggling to see why you think using Servoy 6 security is easier!! It strikes me as significantly harder and as far as I can see the enhanced security is going to add a lot of extra work for zero benefit.


Hi Gordon,

Although I haven't been able to implement the enhanced security due to available time, I don't agree this will return zero benefit.
The possibility to implement your own security was nice, but it had 1 major downside: if you make a mistake implementing this, users can end up being in your solution without any filter on the database. In other words: anything you'd prevent them from seeing might just be visible.

The enhanced security though, enables you to implement your own business rules.
But as long as you don't grant access, users can't get to the database.
Everything you need from the database during your login check has to go through the authentication module.

I'd say this is a huge benefit from the security perspective.

Re: Security - Must Authenticate

Posted: Thu Oct 27, 2011 9:38 am
by jcompagner
Enhanced security doesn't 'enable' anything.
It's not that you can then implement some security that you can't do without that setting.
That flag is just there to force smart clients to log in to the server first before being able to do anything.

You are right that this behavior will be fixed at a next version of Servoy, without the possibility to turn it off.

The thing is, if you don't want to show users a login dialog, just make a login solution and an authenticator, and let the login solution in its load method call your authenticator, which does a login at the server with a default user.

Re: Security - Must Authenticate

Posted: Thu Oct 27, 2011 9:57 am
by Gordon
Firstly, I think I owe Servoy an apology; there is no doubt the security is there for the benefit of both developers and ultimately clients. The Servoy team have obviously given this a lot of thought and come up with a solution that protects the integrity of the product and the underlying databases. The implementation, as Patrick rightly pointed out, is not hard and does allow for custom engineering.

On the down side, I have had to do a lot of work to get back to where I was; this is a time-consuming process and I would have preferred not to have done it. That said, the new security is now in place and I would not consider using anything else in future.

I was wrong about the zero benefit, overall Servoy have done the right thing with this security. I wasted a lot of time but probably for my benefit long term and I now have a better product.