My C++ CodeRage 8 "Secure DataSnap Development" links and source code

Posted by on in Blogs
During my recent CodeRage 8 "Secure DataSnap Development" session, I have promised to make the source code of both demos available for download. I have just uploaded them to Embarcadero CodeCentral!

This is a very simple demo that shows basic security in DataSnap, including secure communication with HTTPS protocol, encryption transport filters plus authentication and authorisation in code.

This demo builds on top of the first demo and shows using SSL, encryption and authentication/authorization in the context of the multitier database system with InterBase database at the server, accessed via FireDAC and server methods for retrieving data and applying updates back to the database. The client is a mobile app that is using FireDAC in-memory database tables and Visual LiveBindings for binding data to visual controls.

Marco Cantu, Delphi Product Manager, has blogged about this new approach to building multitier database apps here:

During the session I have been also using OpenSSL for generating test security certificates. All relevant links to OpenSSL and custom batch file you can find in my blog post about my earlier Delphi CodeRage 8 "Secure DataSnap Development" session here:

I would like to thank Jim Tierney, Embarcadero R&D Engineer, for providing me with the initial version of the second demo and Vsevolod Leonov, Embarcadero Technical Evangelist, for helping with C++ coding:-)

Gold User, Rank: 9, Points: 364
Crazy about Delphi Programming!


  • Guest
    LDS Friday, 7 March 2014

    I hoped the "gotofail" Apple debacle - and the GnuTLS similar one - had teached developers how real, proper security requires proper written code. But here I see more and more code defined "secure" when it is not at all. SSL is not secure because it's called SSL, is secure if you use it as it is designed to be used.
    1) I see certificates put in some folder. What if someone changes the certificates? There is no check about certificates - before using a certificate you have to check its validity.
    2) Does the client check about the certificate against a valid CA? I can't see that. If it doesn't 1) is trivial
    3) Does the server checks if the client is valid?
    4) User names in the .dfm? Is this the way to teach security?
    5) The password parameter is a string - and let user think they should pass password arounds. That usually best avoided. Sure, you have to do it with Interbase, for example, because a) Interbase doesn't understand Windows security b) You have no way to perform more sophisticated remote authentication in Datasnap. Because SSL is not used properly, sniffing passwords is trivial.
    6) Again, the unknown PC1 encryption algorithm. No one at Embarcadero ever explained where it is from, and how secure it is.
    7) Encryption keys inside a .dfm? That's another good example of fake "security".

    I really hope Datassnap will be re-architected to ensure it can properly secure data exchange. Until now, please stop trying to imply the actual implementation is. You're putting at risk user data, and your customer reputation.

  • Guest
    Lena Friday, 7 March 2014

    Thank you very much!

  • Guest
    Cornestian Mircea Monday, 10 March 2014

    sory to write this problem her.
    can you help me?

    i have a problem.
    need to sovle this. if is posible.

    i try to create a server and client datasnap whit ado component:
    Tadoconection -> tadotable -> tdatasetprovider

    Tsqlconnection ->TdspProviderConnection -> tclientsataset ->tdatasourse and tdbgrid

    all is done and ok inclusive ApplyUpdates

    now, i want to create a TadoStoredProg interogation on client whit parameter:

    Tadoconection -> TadoStoredProg -> tdatasetprovider

    when parse parameter on server (ex: TadoStoredProg.param.paramvalues['@AParam']:= AValue and TadoStoredProg.execute ? ( if it.s need on server)

    Tsqlconnection ->TdspProviderConnection -> tclientsataset
    how and when parse parameter on clinet (ex: TadoStoredProg.param.paramvalues['@AParam']:= AValue and TadoStoredProg.execute ? (on client)

    i try on client this (C2 it.s a TClientdataset):
    C2.Params.ParamValues['@user']:= Avalues;
    C2.Params.ParamValues['@pass']:= Avalues;
    Edit3.Text := C2.Params.ParamValues['@mess'];

    and i have C2: Parameter: ‘@pass’ not found

    now i create on C2.Params a Tparam named: @user , datatype: ftstring, paramtype: ptinput, size : 50

    error it,s "Catastrophi failure" and I am stuck

    I am try after generate clientmoduleunit and same problem.

    what it’s wrong?

    need to make a good ms storedproc connection server client datasnap
    can you help me?

    thx for your wasted time

    pls send me a message by email too ([email protected])
    mssql 2008 sp2 and xe3,

  • Guest
    IL Monday, 7 April 2014

    Thanks a lot for your sessions, especially second more complex one :)
    Have I missed Delphi version of this example? If not, I'm going to try to do it myself. It would be educational to have both of them.
    What do you think of embracing TFDJSONDataSets as means to convert complex client/server database project?

  • Guest
    ww66 Monday, 28 April 2014

    XE6 try sessions error

  • Please login first in order for you to submit comments
  • Page :
  • 1

Check out more tips and tricks in this development video: