POST #012
========================================================================
Delphi XE introduced the ability to build DataSnap servers that expose an HTTP REST interface.
On the client side there is a powerful framework called ExtJS.
I would like to do CRUD operations (Create, Read, Update, Destroy) with these outstanding technologies.
So I decided to mix Delphi + Firebird + ExtJS 4+ and see what would happen. I was looking for a truly RAD tool that would save me the time of developing a thin JavaScript client, building the user interface and so on, and I found a tool called Sencha Architect. I love how straightforward and sturdy it is to get something done with this tool: you can invoke remote Delphi methods over the REST interface. That's so beautiful.
warleyalex from Seven Lakes, Brazil.
Tags: crud with delphi and extjs; sencha architect with datasnap; crud with datasnap and extjs;
Sunday, 10 February 2013
Saturday, 26 January 2013
JAVASCRIPT AUTHENTICATION WITH DELPHI REST SERVER
POST #011
=============================================================================
Has anyone done JavaScript authentication against a Delphi REST server application?
It makes sense to ask about authentication: without it, anyone can connect to your web server and execute every server method it exposes.
This mini-video shows the DataSnap authentication scheme and the mORMot one, both over the HTTP transport layer. It is my first web service using the mORMot framework.
AUTHENTICATION SCHEME WITH DATASNAP:
The DataSnap authentication scheme is plain HTTP "Basic Authentication", a scheme widely used by web services.
It is supported natively by every browser, but it has well-known weaknesses: a) the browser's own login dialog, which the application cannot style or control; b) no logout: the browser keeps resending the cached credentials until it is closed; c) the username and password travel to the server on every request merely Base64-encoded, which is plain text for any practical purpose. Without TLS anyone on the path can read them, and even with TLS the server receives the password itself rather than a proof of knowledge. It would be safer to keep the password on the client side, where it is typed, and store only a hash of it on the server.
The first time a JS client calls the DataSnap REST server, the server creates a new session and returns its ID in the Pragma response header as dssession=<id>. Every subsequent request must carry that ID back in a Pragma: dssession=<id> request header so the server can tie the request to the same session. The session stays alive until it expires (20 minutes by default).
The JavaScript support code generated by the DataSnap wizard keeps the session ID in a global variable, "$$$$SessionID", and sends it with every AJAX call made from the same page. If you navigate to another page or reload it, the session ID is lost.
You can, however, change the support code to store the session ID in a browser cookie so that it remains available across pages. If you open a REST URL directly in the browser, you get the standard HTTP login prompt; once the user is authenticated and a session exists, the server-side authentication handler is not invoked again for requests that carry that session ID.
In short, a flexible architecture is always welcome, but the authentication scheme Embarcadero ships is unusable in any real deployment because it does not provide adequate security. You are transmitting the password itself, in clear text. Encrypting the session afterwards does not change that: sending the password at all is the basic flaw.
Another unpleasant point: when the username and password are wrong you have to start another session, reopening the browser to be challenged again by the Basic authentication dialog. This is really terrible.
Tags: Datasnap authentication scheme; mORMot authentication; Javascript authentication;
AUTHENTICATION SCHEME WITH MORMOT:
I did not fully understand how the mORMot authentication scheme works yet. The process is quite secure and more involved: it uses a nonce and, to raise the cost of attacks, prepends a salt to the expression that is then hashed with SHA-256. The scheme has to exchange binary data, which is encoded as strings in the request parameters, and the handshake takes more than a single call to establish the security context.
The SHA hash functions were designed by the National Security Agency (NSA). SHA-256 is one of the variants in the SHA-2 family (alongside SHA-224, SHA-384 and SHA-512). At the time of writing it was less widely deployed than SHA-1, but it is considerably stronger: SHA-1 is no longer considered collision-resistant and should not be used where that matters.
In mORMot, creating a new user session goes like this:
a) the JS client sends a GET ModelRoot/auth?UserName=... request to the remote server;
b) the server answers with a hexadecimal nonce (valid for about 5 minutes);
c) the client sends a GET ModelRoot/auth?UserName=...&PassWord=...&ClientNonce=... request, in which ClientNonce is a random value generated on the client and PassWord is computed from the login and password entered by the user, salted with both the server nonce and the client nonce;
d) the server checks that the transmitted value is valid, i.e. that it matches the hashed password stored in its database combined with a still-valid server nonce; if it does not, authentication fails;
e) on success, the server creates a new in-memory session (sessions are not stored in the database, which is lighter and safer) and returns the session number and a private key to be used during the session;
f) on any further access to the server, a &session_signature= parameter is added to the URL and checked against the valid sessions in order to validate the request;
g) when the client is about to close (typically in TSQLRestClientURI.Destroy), it sends a GET ModelRoot/auth?UserName=...&Session=... request so that the server explicitly closes the corresponding session in memory (avoiding most replay attacks).
It looks like Embarcadero does not understand what security means in today's world. Please go back to the drawing board and design a more modern solution, not one from the 80's.
Tags: Datasnap authentication scheme; mORMot authentication; Javascript authentication;
Wednesday, 26 December 2012
DBgrid for HTML5 Builder - JQgrid component
POST #010
=============================================================================
Note:
The DBGrid component is not provided as part of the HTML5 Builder installation.
How do you implement DBGrid-like functionality in HTML5 Builder?
How about a built-in jQuery-based grid component for HTML5 Builder?
Imagine a component where you just set a few properties, give it a data source, and it renders the grid for you. This video addresses those questions.
The cure for boredom is curiosity. There is no cure for curiosity.
Tags: DBGrid for HTML5 Builder; H5B dbgrid; HTML 5 Builder grid component;
Friday, 14 December 2012
HTML5 Builder using ExtJS DBGrid component
POST #009
=============================================================================
Goal:
In this quick video I show how to build an HTML5 Builder Server Web Application and connect it to a DBGrid based on ExtJS 4. Pretty cool, isn't it?
Tags: HTML5 Builder using ExtJS DBGrid; HTML5 Builder grid component;
Friday, 12 October 2012
Web service with Sencha Architect - FishFacts
POST #008
=============================================================================
Goal:
In Delphi's DEMOS folder there is a small project called FishFacts.
To port this Win32 application to the web platform, I used Sencha Architect as the tool for building the user interface.
Tags: Sencha Architect webservice; Extjs 4 webservice datasnap;
Wednesday, 29 August 2012
Extjs web service - datasnap
I was leafing through some old magazines here at home ("Informática Exame", today "Revista Info") when I came across an article called "Função por extenso no Excel" (numbers in words in Excel). It was a VBA macro that spelled out any numeric value in words. The function returned a value, an amount of money or a quantity, written out in full, as used for printing cheques, the value of trade bills and so on. That raised the following question: how do you convert numbers to words in ExtJS 4 by consuming a web service written in Delphi? That is a different story altogether.
The research showed that JavaScript client applications (ExtJS) can have a good part of their processing done remotely on the server (Delphi) very quickly, sending requests and receiving responses through the methods the application server exposes, with TCP/IP + HTTP as the communication protocol. Pretty cool, isn't it?
It showed that JavaScript clients (here ExtJS) can consume, invoke and call methods remotely on Win32 application servers implemented in Delphi. Delphi is not restricted to Win32 desktop clients; you can build distributed REST-based applications in which the data travels as JSON.
The REST-based application server receives the request from a client application, processes it and automatically returns a response to that request, because it is built on common standards, specifically the JSON notation.
As for JSON, it can be defined as a standard notation that, in this context, should be adopted for transferring information because it is lighter and simpler than other current formats such as XML. In this scenario I used Sencha Architect as the supporting tool.
In Sencha, two methods are invoked: the Extenso function (which converts numeric values to words) and a string-reversal function. Both were implemented in Delphi.
Keywords: Sencha Architect consuming webservice; Datasnap with ExtJS; Datasnap javascript client; Extenso function in ExtJS; ExtJS web service.