My C++ CodeRage 8 "Secure DataSnap Development" links and source code

During my recent CodeRage 8 "Secure DataSnap Development" session, I promised to make the source code of both demos available for download. I have just uploaded them to Embarcadero CodeCentral!

The first demo is a very simple one that shows basic security in DataSnap: secure communication over HTTPS, encryption transport filters, and authentication and authorisation in code.

The second demo builds on top of the first and shows SSL, encryption and authentication/authorization in the context of a multitier database system: an InterBase database on the server, accessed via FireDAC, with server methods for retrieving data and applying updates back to the database. The client is a mobile app that uses FireDAC in-memory tables and Visual LiveBindings to bind data to visual controls.

Marco Cantu, Delphi Product Manager, has blogged about this new approach to building multitier database apps here: http://blog.marcocantu.com/blog/delphi_xe5_update2_datasnap_firedac.html

During the session I also used OpenSSL to generate test certificates. All relevant links to OpenSSL and the custom batch file can be found in my blog post about my earlier Delphi CodeRage 8 "Secure DataSnap Development" session here: http://blogs.embarcadero.com/pawelglowacki/2013/10/16/40089

I would like to thank Jim Tierney, Embarcadero R&D Engineer, for providing me with the initial version of the second demo, and Vsevolod Leonov, Embarcadero Technical Evangelist, for helping with the C++ coding :-)



Comments

  • Guest
    LDS Friday, 7 March 2014

    I hoped the "gotofail" Apple debacle - and the similar GnuTLS one - had taught developers that real, proper security requires properly written code. But here I see more and more code labelled "secure" when it is not at all. SSL is not secure because it's called SSL; it is secure if you use it as it is designed to be used.
    1) I see certificates put in some folder. What if someone changes the certificates? There is no check on the certificates - before using a certificate you have to check its validity.
    2) Does the client check the certificate against a valid CA? I can't see that. If it doesn't, 1) is trivial.
    3) Does the server check if the client is valid?
    4) User names in the .dfm? Is this the way to teach security?
    5) The password parameter is a string - and lets users think they should pass passwords around. That is usually best avoided. Sure, you have to do it with InterBase, for example, because a) InterBase doesn't understand Windows security and b) you have no way to perform more sophisticated remote authentication in DataSnap. Because SSL is not used properly, sniffing passwords is trivial.
    6) Again, the unknown PC1 encryption algorithm. No one at Embarcadero ever explained where it is from, and how secure it is.
    7) Encryption keys inside a .dfm? That's another good example of fake "security".

    I really hope DataSnap will be re-architected to ensure it can properly secure data exchange. Until then, please stop trying to imply the actual implementation is. You're putting user data, and your customers' reputation, at risk.
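A check for points 4 and 7 of the comment above, added here as an example (it is not code from the post or from the demos): it walks the object nesting of a Delphi/C++Builder .dfm form file and reports every property or string-list entry whose name looks like a credential or key and carries a value, without echoing the value itself. The sample .dfm text is constructed; its object and property names are typical of DataSnap server forms rather than copied from the demos.

```python
import re
# Constructed sample .dfm text for this example (not a file from the demos);
# the object and property names are typical of DataSnap server forms.
SAMPLE_DFM = """\
object ServerContainer1: TServerContainer1
  object DSHTTPService1: TDSHTTPService
    Filters = <
      item
        FilterId = 'PC1'
        Properties.Strings = (
          'Key=hardcodedkey')
      end>
  end
  object FDConnection1: TFDConnection
    Params.Strings = (
      'Database=demo.ib'
      'User_Name=sysdba'
      'Password=masterkey'
      'DriverID=IB')
  end
end
"""
# Property names that usually denote a credential or key material.
SECRET_NAME_RE = re.compile(r"(password|passwd|pwd|secret|key)$", re.IGNORECASE)
OBJECT_RE = re.compile(r"^(?:object|inherited)\s+(\w+)\s*:")
ASSIGN_RE = re.compile(r"^([\w.]+)\s*=\s*(.*)$")


def find_embedded_secrets(dfm_text):
    # Returns (line number, object path, property name) per suspicious entry;
    # the value is deliberately left out so the report can be shared safely.
    findings = []
    path = []  # enclosing objects and collection items, outermost first
    for lineno, raw in enumerate(dfm_text.splitlines(), 1):
        line = raw.strip()
        obj = OBJECT_RE.match(line)
        if obj or line == "item":
            path.append(obj.group(1) if obj else "item")
            continue
        if line in ("end", "end>"):
            del path[-1:]  # safe on an empty list
            continue
        # String-list entries look like 'Name=value'; the last one ends with ')'.
        m = ASSIGN_RE.match(line.rstrip(")").strip("'"))
        if m and SECRET_NAME_RE.search(m.group(1)) and m.group(2).strip("' "):
            findings.append((lineno, " > ".join(path), m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, where, name in find_embedded_secrets(SAMPLE_DFM):
        print(f"line {lineno}: {where}: {name} has a hardcoded value")
```

Run it over a project's .dfm files before shipping; a hit means the secret lives in the form resource and should be supplied at run time instead.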

  • Guest
    Lena Friday, 7 March 2014

    Thank you very much!

  • Guest
    Cornestian Mircea Monday, 10 March 2014

    Hello,
    Sorry to write about this problem here.
    Can you help me?

    I have a problem.
    I need to solve this, if it is possible.

    I try to create a DataSnap server and client with ADO components:
    server:
    TADOConnection -> TADOTable -> TDataSetProvider

    client:
    TSQLConnection -> TDSProviderConnection -> TClientDataSet -> TDataSource and TDBGrid

    All is done and OK, including ApplyUpdates.

    Now I want to create a TADOStoredProc query on the client with a parameter:

    server:
    TADOConnection -> TADOStoredProc -> TDataSetProvider

    Question:
    When do I pass the parameter on the server (ex: TADOStoredProc.param.paramvalues['@AParam'] := AValue and TADOStoredProc.execute)? (if it is needed on the server)

    client:
    TSQLConnection -> TDSProviderConnection -> TClientDataSet
    How and when do I pass the parameter on the client (ex: TADOStoredProc.param.paramvalues['@AParam'] := AValue and TADOStoredProc.execute)? (on the client)

    I tried this on the client (C2 is a TClientDataSet):
    C2.Close;
    C2.Params.ParamValues['@user']:= Avalues;
    C2.Params.ParamValues['@pass']:= Avalues;
    C2.Execute;
    Edit3.Text := C2.Params.ParamValues['@mess'];

    and I get: C2: Parameter '@pass' not found

    Now I create in C2.Params a TParam named @user, datatype: ftString, paramtype: ptInput, size: 50

    The error is "Catastrophic failure" and I am stuck.

    I tried again after generating the ClientModuleUnit and have the same problem.

    What is wrong?

    I need to make a good MS stored proc connection between a DataSnap server and client.
    Can you help me?

    Thanks for your wasted time.

    Please send me a message by email too ([email protected])
    MSSQL 2008 SP2 and XE3

  • Guest
    IL Monday, 7 April 2014

    Thanks a lot for your sessions, especially the second, more complex one :)
    Have I missed a Delphi version of this example? If not, I'm going to try to do it myself. It would be educational to have both of them.
    What do you think of embracing TFDJSONDataSets as a means to convert a complex client/server database project?

  • Guest
    ww66 Monday, 28 April 2014

    XE6 try sessions error
