#1 2016-05-27 08:28:56

CycleSoft
Member
Registered: 2013-01-18
Posts: 34

JavaScript authentication stopped working after a November commit

Hi Arnaud,
I'm working on a project where mORMot serves interface based requests to a JavaScript client, auth enabled.

Last autumn I noticed that after updating to the latest mORMot sources, the JS side of authentication stopped working.
I finally found the time to track down the exact commit that introduced the anomaly, and it is the

5489231f2a34fda71b22f6f8a00a8cd1d6d209d0 dated November 2, 2015

The only change introduced in this commit is from:

  TSQLRestServerAuthenticationSSPI = class(TSQLRestServerAuthenticationURI)

to:
  TSQLRestServerAuthenticationSSPI = class(TSQLRestServerAuthenticationSignedURI)

I'm not using integrated security, so I'm wondering how this change can stop the server authorizing my requests.
Note that the first 2 requests that authenticate the user ( auth?UserName= and auth?UserName= &Password= ) are successful.

Probably I can solve my problem easily and disable SSPI authentication by undefining SSPIAUTH, but I'd like to learn more about this wonderful piece of code that is mORMot and master each aspect of it!

Offline

#2 2016-05-27 10:28:10

Chaa
Member
Registered: 2011-03-26
Posts: 244

Re: JavaScript authentication stopped working after a November commit

TSQLRestServerAuthenticationURI (in contrast with TSQLRestServerAuthenticationSignedURI) does not check session signature.

And before commit http://synopse.info/fossil/info/a336f3a … 217561f31d there was a bug: session signature not checked. So you can pass invalid session_signature parameter with your JavaScript and all worked fine.

Try to remove {$define SSPIAUTH} from your old mORMot.pas source and check authentication.

P.S.
Commit that introduces bug: http://synopse.info/fossil/info/f1e7198 … 797ae83041

Last edited by Chaa (2016-05-27 10:38:06)

Offline
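
Added example, not mORMot source and not code from the posters above: a JavaScript illustration of what checking versus not checking the session signature means for a request. It assumes a signature laid out as Hexa8(session ID) + Hexa8(client timestamp) + Hexa8(crc32(crc32(private key, timestamp), URL)); that layout, the function names, the sample URL and all key values are assumptions constructed for the illustration.

```javascript
// CRC32 with a chained seed, so crc32(crc32(key, nonce), url) can be computed.
function crc32(seed, text) {
  let crc = ~seed >>> 0;
  for (const byte of new TextEncoder().encode(text)) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
  }
  return ~crc >>> 0;
}
const hex8 = (n) => (n >>> 0).toString(16).toUpperCase().padStart(8, '0');

// Client side: append session_signature to the request URL (assumed layout).
function signUrl(url, sessionId, privateKey, timestamp) {
  const nonce = hex8(timestamp);
  const sig = crc32(crc32(privateKey, nonce), url);
  const sep = url.includes('?') ? '&' : '?';
  return url + sep + 'session_signature=' + hex8(sessionId) + nonce + hex8(sig);
}

// Server side. checkSignature=false models a handler that only looks up the
// session ID, which is the behaviour described for the unsigned URI class.
function verify(signedUrl, sessions, checkSignature = true) {
  const m = /^(.*)[?&]session_signature=([0-9A-Fa-f]{24})$/.exec(signedUrl);
  if (!m) return 'rejected: no signature';
  const [, url, s] = m;
  const session = sessions.get(parseInt(s.slice(0, 8), 16));
  if (!session) return 'rejected: unknown session';
  if (!checkSignature) return 'accepted';
  const nonce = s.slice(8, 16);
  const expected = crc32(crc32(session.privateKey, nonce), url);
  if (expected !== parseInt(s.slice(16), 16)) return 'rejected: bad signature';
  const ts = parseInt(nonce, 16);
  if (ts <= session.lastTimestamp) return 'rejected: stale timestamp';
  session.lastTimestamp = ts; // a replayed URL fails the check above next time
  return 'accepted';
}

// Constructed session table and request; none of these values come from the thread.
function demo() {
  const sessions = new Map([[0x4C, { privateKey: 0x1234ABCD, lastTimestamp: 0 }]]);
  const good = signUrl('root/Calculator.Add?n1=1&n2=2', 0x4C, 0x1234ABCD, 1000);
  const forged = good.slice(0, -1) + (good.endsWith('0') ? '1' : '0');
  return {
    uncheckedForged: verify(forged, sessions, false),
    checkedForged: verify(forged, sessions),
    checkedGood: verify(good, sessions),
    replayed: verify(good, sessions),
  };
}
```

A client whose signature computation is wrong behaves like `forged` here: it is accepted only while the server skips the check.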

#3 2016-05-27 10:55:10

CycleSoft
Member
Registered: 2013-01-18
Posts: 34

Re: JavaScript authentication stopped working after a November commit

Thank you very much Chaa, very useful hints!

Offline

#4 2016-05-27 11:05:16

Chaa
Member
Registered: 2011-03-26
Posts: 244

Re: JavaScript authentication stopped working after a November commit

Offline
