#1 Re: mORMot 1 » Sample 20 questions » 2014-02-04 05:25:38

esi

Had the request created - 8307f8a547998a54d3e433ae5198079cddf382dd

#2 Re: mORMot 1 » Sample 20 questions » 2013-11-07 05:56:26

esi

Thanks! Trying to digest this slowly ;-)

- sicClientDriven is probably precisely what I need ;-)
- Re-using the ID works, but it gives me a new random thread at every call. Is there any way to force the threads to be allocated to user-driven sessions? - I think this would make a lot of sense in this case.
- Now I'll need to figure out how to tell what session I'm running in from within my interface implementation.
- And then figure out how to control the timeout / explicit session termination.
- I do not seem to be able to provide a custom Create constructor to my class - it just never fires, unless I declare it as a "class constructor" and then some code inside it doesn't do anything, i.e.: logging would not log anything. It's not a big deal, though. But I could not yet confirm object creation/destruction pattern because of this.

I'll try to spend more time with this until I get something close to what I need...

#3 mORMot 1 » Sample 20 questions » 2013-10-31 04:16:22

esi
Replies: 4

I'm seeking some clarifications on how it all hangs together using the approach illustrated in this sample:
1) Is the service object only created/destroyed once per the entire server lifetime, or are there cases when it's re-created?
2) I have noticed that the service calls are happening in different threads from call to call, is this guaranteed, or can threads be re-used, i.e.: is there a fixed pool of threads? This would also have implications on how I call things from these service methods.
3) There's apparently no built-in session support with this approach, is this correct? I don't want to go root/Auth for this, but I will need session support, so if I'm correct, I'll need to write my own session support, probably within the context of this service class if that's a single instance that exists for the entire process lifetime.
4) All methods return JSON in the same format with "result" packed as an array (while I only want to return 1 value here), plus an extra "id"=0 parameter - can I have more control over this format with this approach and what is this last "id" parameter? In fact, I'd probably prefer to just have the automatic {}'s around my values.

TIA, Alex.

#4 Re: mORMot 1 » bypassing authentication » 2013-06-09 03:10:04

esi

And on a side topic, I've just tried Sample09 and it always processes all HTTP requests from the same single thread, which was not really what I expected. I.e.: I've added IntToStr(GetCurrentThreadID) to the end of html, then start a few dozen IE sessions to this URL all at once and they all show the same ID... I'll need to dig a lot more...

#5 Re: mORMot 1 » bypassing authentication » 2013-06-09 02:17:28

esi

Getting access violations on the server on any attempt to call auth?UserName=xxx (whether with an existing user name or not). - I'm mocking around with Sample14ServerHttp project.

BTW, with this implementation, I still have to maintain a local DB/file with at least one user name in it, right? No way to ignore it / accept any name?

#6 Re: mORMot 1 » bypassing authentication » 2013-06-09 01:59:28

esi

Correction: I think it's not "RegisterAuthentication", but instead "AuthenticationRegister"...

#7 Re: mORMot 1 » bypassing authentication » 2013-06-09 01:45:45

esi

Thanks! I'll need to play with this for a while...

#8 Re: mORMot 1 » bypassing authentication » 2013-06-05 05:52:46

esi

Thanks!

Say "Hi!" to all the mORMots up there for me, will you? ;-)

#9 Re: mORMot 1 » bypassing authentication » 2013-06-04 13:57:16

esi

Arnaud, do you think you would be in a position to do it over June, or is it looking bigger than that?

#10 Re: mORMot 1 » bypassing authentication » 2013-05-29 09:02:04

esi

Thank you very much, that would be fantastic! What sort of timeframe do you expect to need for this change?

#11 Re: mORMot 1 » bypassing authentication » 2013-05-29 02:46:47

esi

Arnaud,

Many thanks! Yes, it's a lot to read, I'll need to digest it all ;-)

Indeed, my needs look very close to this request. I think this request has a much wider scope. I was really hoping to be able to plug-in my own authentication code somewhere immediately, like overriding TSQLRestServer.Auth method, or something. But, of course, there are always so many different ways to skin the proverbial cat ;-)

Yes, I saw the Auth implementation details. Again, it's clearly suitable for a DB. And it's very easy to use from a Pascal client. For me, I'll need to get more details than just the name/password pair, will need to then authenticate these details externally (and before I do, I won't know if they are valid) and finally make it all very simple and usable for implementation in any language, or indeed for simple GET requests from a browser, including clear documentation on my side.

That's if I do end up using this method of authentication. Because there are still other possible alternatives, i.e.: I could rely on Windows authentication, just as a simple way to obtain the user's Windows login name + start a session, but then I will want it to be more streamlined, with no nonces or hashes and I will want to always return success on any user name every time and then do my authentication separately as part of my REST implementation.

And thanks for the layout details, I did not see those. I'm not up to scratch with the REST ideology, so my first idea was to use GET for everything: what I need to do does not really translate into DB operations, so the distinction between GET/POST/... do not make direct sense to me. But under the same token, it would then make no difference to me if all my REST requests were POST's, only that I don't think they would still be directly accessible from a browser, which was what I was using to test my REST functions so far.

Ok, so to summarize: looks like I will need to wait for this enhancement, then. Right? I don't think anything like overriding TSQLRestServer.Auth with the current version is feasible (or simple). And then if these enhancements are not already under way, then I'll probably end up building up on Sample9 and just stick with the fast HTTP in mORMot. What do you think?

Thanks again, Alex.

#12 Re: mORMot 1 » bypassing authentication » 2013-05-27 08:22:46

esi

I'm basing all this around Sample 14. I have also noted that Sample 9 does not use any of the stuff that I worry about, but neither does it give me session support or automatic REST handling ;-(

#13 mORMot 1 » bypassing authentication » 2013-05-26 07:57:23

esi
Replies: 16

Hi!

I'm a total n00b with mORMot and still trying to figure out how things work, so please be patient with me ;-)

I'm trying to implement a rather simple REST server over HTTP(S), with no database access and no default authentication, but I do need session support (I just want to store a few session-specific values per session, as I could do in IntraWEB).

Now, since sessions require authentication, but the latest version of mORMot has Windows Authentication support, my idea was to let mORMot authenticate the user with SSPIAUTH specifying an empty user name. Of course, the next issue I'm hitting is that the Windows name needs to be pre-configured on the server to allow access and I'd like to avoid it. Is there any way to allow access to everyone somehow? I.e.: either with no configuration files/databases at all (preferably), or at least with a configuration file that has "*" or "ALL" or "EVERYONE" for a name?

The next thing is that I'm not going to use this server with a Delphi client, so
1) I need to document all URI's my server will expose for the users, who will then be able to implement the client in any language;
2) I would really like to drop this entire authentication process along with the root/Auth URI's, primarily to keep it short and simple, and
3) I'd like to keep it all in clear text as much as possible, to avoid requiring the users to use any hashing or encryption algorithms that may not be readily available in their language of choice.

I will need some authentication internally later on, but I will need to build it all myself, i.e.: I'll have additional methods exposed through REST for the users to provide their credentials. That's mostly because I need more than name/password values. But also because I will be authenticating the users against a third-party provider: I do not know what names/passwords may be valid there and cannot have a database of them pre-configured for this service in advance.

Incidentally, if the user can be authenticated transparently in the background via the Windows Authentication (SSPIAUTH), I will happily use their Windows User Names for logging and any kind of audit trail as may ne necessary.

So, to summarize:
1) I need to either disable and remove all and any authentication, including the need to go through root/Auth URI's, or
2) Use SSPIAUTH authentication, but somehow avoid using Auth URI's and also allow access to all and every connection.
plus additionally
3) I need to figure out the URI structures for all requests and so far I have not found any detailed reference about the URL structure. In fact, if there are any special internal URI's that can return such details, effectively making the server self-documenting, it would be even better.

Any pointers will be appreciated! Even if it turns out that I'm asking the wrong questions or even looking at this problem from a wrong point of view...

TIA, Alex.

#14 mORMot 1 » Sample 09 - HttpApiServer » 2013-02-10 09:30:55

esi
Replies: 1

Hi, trying this sample, but ran into problems:

Last stable 1.17 seems to work when I connect with IE to the server URL: the code is executed and I can see in the debugger that everything seems to work as expected and returns 200, but IE reports "cannot display the webpage" and that's it. I've tried it under W7 & 8, as administrator. No changes to the code.

And the new 1.18 just never fires the Process function at all, the IE error message is the same - "cannot display the webpage".

Clearly I must be missing something obvious ;-)

Board footer

Powered by FluxBB