mORMot Open Source

Hi, Thanks for the comments.

I've downloaded the 8 version at your suggestion.  I hope to play with it in the next few months, but for production purposes I think I'll stick with what works - using 10.3 + libraries which appears much more solid at this time and is still quite recent.  There is no compelling reason to upgrade.

Erick

Yes, I cut and pasted it exactly, and noted that it looked weird on the screen with the ' "ID ' part.

Erick

Hi Bob,

I purchased SMS for two years too, and did a bake-off to decide which I prefered before settling on EWB.  But my observations from that time are dated wouldn't be a fair comparison as each product has grown significantly since my evaluation time.  I know TMS also do nice things, I did own licenses for several Delphi components of theirs for a spell until I wrote my own replacement components.

I've known people who use each of these with RemObjects or Mormot, and many other open tools.  The interoperability and source code-access let you pick something that fits your budget, your scabability, your comfort zone, etc.  And that's great, more power to you.

There's so many good development models today - yet so many people are sure only THEIR method is officially sanctioned by the Gods, or Microsoft, or whomever.  I just got an earful from someone telling the client that anything not based on .Net is not valid.  Idiot!  Sure it's one choice, but to dismiss all others as invalid...

Erick

Hi, I have completed a new book, but it's more focused on a specific situation.  I felt there is now ample free material about mormot, but where I've invested a lot of time in the last few years was building a really good dev environment using Elevate Web Builder with mormot.

The benefits of using EWB is that it gives you a totally Pascal environment, which compiles to JavaScript.  The days of cross compiling to Android/IOS/OS/X LInux, etc are gladly mostly gone for me.  And the distribution nightmare.  EWB produces nice Web apps (or PWAs if you want to install on a desktop/android/etc/) and my users are preferring them to having to install native clients.  It also means I know everyone is running the current version.

With a modern web environment, you have something that produces an experience very similar to usual applications.  But without the nightmares.

In the book I cover external authentications (SAML, OpenID Connect, etc.) when used with EWB + Mormot.   Also how to avoid most web attacks (Cross Site Scripting, Cross SIte request Forgery) which most Mormot example JS scripts are vulernable to.

You can read more about it at https://www.erickengelke.com

But the average Momrot user looking to make Thick PC/Android/IOS/MacOS clients will not benefit from it.

Erick

I think I answered my own question.

First, I got it to compile with a few subtle changes... don't know where things went wrong before, maybe compiler at home is broke.

But the DLL idea probably wouldn't work because I have a feeling the graphical code cannot run in anything but the main thread.   

I'll look for another solution for my needs.  But it is certainly cool and could be handy.

Erick

I read that the Nano server was practically killed by the change to only support containers back in 2017.
Google death nano server for details.

Erick

Hi, I'll try to answer the questions posed.

VPS?  Should work, I can't see why it wouldn't.  In fact, I installed it on my development VM  over a VPN from home on the weekend, so that's effectively like a VPS.

Wine DOES require root permissions to install, normally, because it puts shared libraries, etc.  and the wine64 loader program into /usr/local.  So if you have root permissions of your computer or VM, you can install it.  For mormot applications, you do not normally need X windows to be installed or running.  So console root shell is generally sufficient.   Current Wine binaries are readily available, you don't need to MAKE the installation, and disk requirements are minor.  Yum or apt can be used.

The applications are all unprivileged, running as the current effective user.  It does not emulate a Windows computer or the Intel processor, like VirtualBox or similar do which use VT instructions and ring3 - your code runs natively on the Intel/AMD cpu without ring changes or device drivers.  Wine simply translates the Win64 API functions to Posix functions as it executes. 

I say "simply" because the system is not managed by device drivers and complicated ring transitions - I'm coming from a lifetime of writing deivce drivers which would do that.  Inside the wine DLLs there is certainly is a good amount of cleverness to emulate the registry, map in 'virtual drives' C:\ and Z:\, etc.  But these are all predictable user-mode translations.  Look in ~/.wine for the virtual registry, virtual drive mappings through symbolic links, etc.  Can you imagine, a worderful ANSI based registry you can parse with grep!

Many 'changes' to your environment, such as hiding error/warning messages spit out by the wine64 can be managed simply with environment variable switches.  However, I would say changes are not required for many or most mormot programs unless you want to hide the few warnings at startup and shutdown time.

The regression test fails on a few matters, (like HTTPD.SYS), but also because Unix is more cautious about somethings, like allowing TCP ports to be opened below 1024, etc. that Windows allows.  Another issue not handled as well is memory mapped files.  If you do them, you will want to test and read up on the subject.

I can vouch that Zeos and sqlite3 databases worked perfectly for me.  But I don't know that Window's file locking is translated to the posix level, I kind of think it is just emulated at the process level and applicable to only the current process.

Earlier I showed that wine64 is 10 times less CPU intensive than running Windows 10 VM.  I should note that I did not tune the systems or prune any processes in the installation, so Win10 was running all the annoying little services enabled by MS by default, just as my FreeBSD VM was.

The fact that you aren't running any extra services probably does reduce your attack space compared to having a whole Microsoft OS VM loaded.

Something that is available, but I haven't explored, is that you can link Wine's dlls directly into your binary, and thus ship a read-to-use Linux, etc. programs that I BELIEVE does not require Wine to be root-installed.  I don't need this functionality so I'm not going there, but maybe others with limited shell accounts might want to investigate further.

msvcr100.dll is used for ... I believe... MS Visual C compiled DLLs in multithreaded environments.  I think you need to run the MS installer for msvcr100.dll, and I believe it checks compatibility with 'genuine' licensed Windows.  I didn't explore further, because I found alternate libraries which didn't require msvcr100.dll, which was a more attractive solution to me.

Since you are curious about FreeBSD.  Please take all the following with a grain of salt, I don't speak for FreeBSD but I have used it since Version 1.0.

The choice is really six of the pros and a half dozen of the cons.  A talented computing professional can work as easily in Linux as FreeBSD.  The real answer is history, we ran FreeBSD before Linux was reliable and popular, and there is some inertia and a large infrastucture with little reason to change, but also other things I will describe below.

In web servers in 2019, there were 1.2 billion sites and many more private servers.  Linux had about a 70% Web market share, FreeBSD had a 1% market share, but it's still in the order of Millions of installations when you realize all the routers, servers, VMs etc.   But that's not a complete picture, Linux is fragmented among its adherents so each distro's share is less than the total 70%.  I don't know the breakdown between Linuxes today, it's not possible to tell from Web site visits.

Having set up numerous Linux systems, there is an occasional bit of frustration that programs you want are not always readily available for your distribution.  They have to be ported due to differences in the distributions. Sometimes you need a RedHat, sometimes Ubuntu, sometimes Raspberian, etc., and sometimes specific versions.   And sometimes you end up running multiple versions of the OS for different applications because you gave up after hours or days of trying to port it.

FreeBSD offers a few advantages (and a few disadvantages).  It offers ZFS as the primary stock filesystem and OS jails which run read-only virtualized versions of FreeBSD where root is not really all-powerful, and BHyve virtuatlizaiton of any OS, and there are certain other features that are available because of its licensing that don't allow stock in GNU licensed products due to copyleft.  But where it is also nice is that everyone running a particular version is compatible with all the packages - you don't have the same splinterring as in the linux community.

There is no perfect OS for compatibility.   But with virtualization, who cares, we can run them all.

I find some linux distros are bleeding edge, with alpha quality drivers frequently showing up for bleeding edge hardware - so they run on the widest selection of hardware, but at the cost of reliability.  Others linuxes are very conservative, like RHEL (I believe), which presents other issues as we couldn't get it to work with some packages that are too new.  FreeBSD has a slightly different balance, not running on the most esoteric hardware, not having the most packages available, but reasonable compromises on both.

If you hand pick your hardware and sofware (which you should for any server), you will probably find no difference between the BSDs and the Linuxes for speed or reliabilty.  And if you are a complicated site, you probably have several different Linux distros virtualized for some compatibility, and indeed, we run a few linux VMs, its just easier that way. 

Mind you, we use a common file server and the virtualizaiton lets us use one firewall ruleset for all VMs, which makes it simpler than rememberring each OS's firewall rule languages.

Don't believe speed tests, people are always comparing the two and each release from both FreeBSD and Linux are faster and better than the last.   The tiny margin one has over the other is short-lived.   And I believe the friendly competition is good for the community to strive to be better and constantly innovate, but in reality they share so much from the development community and cross pollination.

So FreeBSD is not a worse choice, and not a better choice, just a reasonable choice.  There is no one Linux which can serve all software needs, or we would all migrate to it and that would be the end of all other distros and FreeBSD.

Erick

I got the security audit report yesterday.  I spent Wednesday patching up the few remaining issues. 

The good news is that:
  1. Mormot marshalling of data appeared to work perfectly
  2. The IBM scanners could not get at data not intended for it, nor could they break the database
  3. Momot application survived an onslaught of hacking wisdom

But to get to that state I had to harden it beyond what is stock or it would be vulnerable to a large number of attacks.

The things I had to address before and/or after the audit were XSS, XSRF, content policies, XSS headers, cookies, etc. etc.  I'm updating my examples to include all the tidbits I've learned.  I will complete this over the Christmas holidays.   

I will document them in the 3rd edition of my book.  And I will, as always, send a copy to AB.    Copies of the software will be available without requiring a purchase, but I encourage one to buy the Ebook to gain full knowledge, and also to help sponsor the work.

Erick

http://blog.marcocantu.com/blog/2018-oc … tions.html

This is very positive news.  I would really love Delphi support for LInux with mormot together. 
.
Erick

Almost, very close, I've got externalize authentication working for HTMl5/AJAX web clients.  I've tested it with SAML and CAS, but I do not have a production OIDC server to ensure I've got it all working perfectly.  My site is preparing an ADFS system which is in beta testing right now, and I hope to have completed against it by Christmas.

Erick

Is there a way to tell mormot to encrypt the MySQL connection.  I'm currently using ZEOS as the Mysql driver, is that still a good choice.

Thanks in advance.  I still intend to write a summary here when we are done pen testing.

Erick

Right, it was 4am here and so I mistyped.

I get errors, maybe it's because I'm using contracts with the correct JSON.

I'll try without.

Erick

I figured I should give an update.

As I said before, using externalized authentication CAS or OpenID Connect allows us to prevent leakage of passwords and use smart cards and cell phone apps to authetnicate.  Mormot's SHA256 password stores are sort of, maybe, okay today, but not for much longer as CPU power is always increasing, and not a good solution in a world that needs multifactor authentication to prevent users from leaking passwords.

When writing web applications, ie. Javascript/HTML5/AJAX, using cookies with the SECURE and HTTPONLY flag set is typically required to prevent cross site scripting (XSS) and cross-site request forgery (XSRF).  If you are writing a web app, you should not be just using mormot's otherwise good security, because someone in javascript can read the copy of the password in the browser's memory that you have to keep around for message signing.  And if you don't know, XSS and XSRF are big attack vectors that took out Facebook and others.

The HTTPONLY flag on a cookie means the browser does not expose that cookie to javascript.  Attacking programs cannot steal the cookie (except if the browser is super buggy), and so they cannot present your credenitals.  The secure flag means it will never be exposed using HTTP, whereas HTTPS or better or allowed.

In my implementation I use CAS or soon OpenID Connect to indicate logins to a server, then set a secure httponly cookie to the value of a JSON Web Token (JWT).   Before any packet is passed to any RPC's, my code uses Mormot to evaluate the JWT.  Encoded in the JWT is the userid, the time the token was issued, and the expiry time of the token, as well as some other info, and hashed with a mormot-supported crypto-hash function.  If the hash works using our secret, the cookie was set by a trusted server.  Otherwise, I return an HTTP error.  Offhand, I think I return 403.  Maybe there is a better choice. 

After the expiration time, mormot automatically fails the JWT token, and the connection is cut off, no more requests can make it through with out re-authenticating.

If you can imagine, the Javascript app is oblivious to the JWT knowledge, it cannot read it (due to httponly flag).  So it actually has to call an RPC of the mormot app called WhoAmI that tells it which userid it is logged in as.  That is advisory only, the actual login happend back when CAS or OpenID Connect were called.

There is also logic to allow logouts, because you need to register the logout or you would just be autologged in again, and could never change userids until the timeout happens.  So that was another hour of work.

My work is still being evaluated by a fellow with >10 years pentesting experience.  He usually finds flaws with everything, so I realistically expect him to find flaws with my work too.  Security testing is a humbling experience for the developer.

After we pass our tests (hopefully), I will bundle up what I've done.

Erick

Oh, if you're interested in seeing what it looks like, the student part (the simplest part) is demonstrated here: https://www.youtube.com/watch?v=3JzjlOpC_vo&ar=1
Much more complex screens are available for staff to manage the students.

E

Hmmm, given the pointer to use fpcupdeluxe, I used it.  I tried to upgrade to 3.1.1 but it left me with 3.0.4, and indicated to add mormot, and still get the error when compiling.

Erick

When you define props, set something like:
    props.ConnectionTimeOutMinutes := 5;

There were a couple of questions sent by Email so I'd like to share the answers here.

Mormot and EWB are currently not large markets, no publisher would finance a project with that number of potential sales.  I'm hoping that my various books will help bring additional interest to these fine products, particularly in terms of new developers and management buy-in at companies. 

I chose Amazon for print because they offer trusted, fast world-wide distribution.  It is a non-exclusive contract, I can sell in other channels, such as my own EStore powered by PayPal.

Amazon charges authors a bunch of fees on book sales, and somehow the author actually makes less on Amazon Ebook sales - which is why you often see full prices for Amazon Ebooks even though it obviously should cost less with no printing or shipping required.  But they allow us to offer Ebook companions for $0, $0.99, $1.99, or more.  I chose to offer it as a free upgrade.

A fact of the world in 2017 is that various people have pirated the books within days of release, and that may seem tempting to some, but by offering a reasonably priced legal option, I'm hoping people will support those who work to help you.

I gladly answer technical questions by Email too, but it's frustrating when people write for help when they obviously pirated the book.

I became a convert to Ebooks.  They are easily searchable, they support cut-n-paste, they are light to carry and have other benefits including no shelf space.  I'm trying to offer them as low cost alternatives too. 

Thanks for reading.

Erick

Hi,

Sorry, I've been absent for a bit.

I've got it compilable for Win32 NewPascal but I haven't quite merged that back in - doing that broke the delphi compile.  While I work on merging the two sources you can download the NewPascal variant at  http://www.erickengelke.com/enterprise3.zip

I'll post more about that sample in a separate thread.