How to authenticate a user on the middle tier using Windows authentication
We have a server written in Delphi that uses RemObjects DataAbstract/SDK. We would like to use Windows authentication to authenticate users to allow them access to our server.
Currently we do the following:
1) Client application sends the Windows username and password in clear text to the server.
2) The server checks the credentials using the following function:
function ValidateUserLogonAPI(const UserName: string; const Domain: string;
  const PassWord: string): boolean;
var
  LHandle: THandle;
begin
  // LogonUser (Windows unit, advapi32) checks the password against the local SAM or the
  // domain and returns a primary token on success. LOGON32_LOGON_NETWORK is the cheap,
  // non-interactive logon type, the right one for a plain credential check on a server.
  Result := LogonUser(PWideChar(UserName), PWideChar(Domain), PWideChar(PassWord),
    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, LHandle);
  // Only the yes/no answer is wanted here, so the token is released straight away.
  if Result then
    CloseHandle(LHandle);
end;
Of course, this method has the disadvantage that the user credentials are passed over the network in clear text. We could encrypt them, but the encryption/decryption keys would have to be shipped within the application.
I'm sure there must be a better way of achieving our goal. I've read a bit about tokens, but don't really understand how they would work in this situation.
Note that the solution must work for both a Delphi Windows client and a Delphi Prism ASP.NET client.
Thanks for any help you can give.
That's something DataAbstract should handle itself, and if it doesn't it's a half-baked library, as DataSnap is :) When it comes to remoting, authenticating/authorizing endpoints and protecting the data exchange is really critical.
Basically, you have to send not the user credentials, but exchange a "token" which both the client and the server know how to authenticate. A full explanation can be complex. You can start from MSDN (look for AcceptSecurityContext() and InitializeSecurityContext()). A possible issue is whether DataAbstract has the proper hooks to implement the authentication phase, which may require more than one round trip.
As a stopgap measure you can enable IPSec to protect the communication channel and not let the whole user account be "sniffed" easily.
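The token exchange the answer refers to, written out as an added example; this is not code from the question, the answer, RemObjects DataAbstract or Microsoft. It runs the client half (InitializeSecurityContext) and the server half (AcceptSecurityContext) of an SSPI "Negotiate" handshake inside one console process, so the opaque tokens that would travel over the DataAbstract channel are visible, and then impersonates the resulting context on the server side to show which account was authenticated. Assumptions: Delphi 2009 or later (Unicode strings), no SSPI unit in the RTL (the handful of sspi.h declarations are translated inline), a fixed 64 KB token buffer instead of querying cbMaxToken, and a nil target name, which makes Negotiate fall back to NTLM; the SPN 'host/app.example.com' mentioned in a comment is a placeholder.

```delphi
program SspiHandshakeDemo;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;
const
  secur32 = 'secur32.dll';
  SECPKG_CRED_INBOUND = 1;  SECPKG_CRED_OUTBOUND = 2;
  ISC_REQ_CONNECTION = $800;  ASC_REQ_CONNECTION = $800;  SECURITY_NATIVE_DREP = $10;
  SECBUFFER_VERSION = 0;  SECBUFFER_TOKEN = 2;  SEC_E_OK = 0;  SEC_I_CONTINUE_NEEDED = $90312;
  MaxToken = 64 * 1024;  // assumed bound; real code reads cbMaxToken from QuerySecurityPackageInfo
type
  SecHandle = record dwLower, dwUpper: ULONG_PTR; end;  PSecHandle = ^SecHandle;
  SecBuffer = record cbBuffer, BufferType: ULONG; pvBuffer: Pointer; end;  PSecBuffer = ^SecBuffer;
  SecBufferDesc = record ulVersion, cBuffers: ULONG; pBuffers: PSecBuffer; end;  PSecBufferDesc = ^SecBufferDesc;
// sspi.h imports translated for this example (Delphi ships no SSPI unit)
function AcquireCredentialsHandleW(pszPrincipal, pszPackage: PWideChar; fCredentialUse: ULONG;
  pvLogonId, pAuthData, pGetKeyFn, pvGetKeyArgument: Pointer; phCredential: PSecHandle;
  ptsExpiry: PInt64): LongInt; stdcall; external secur32;
function InitializeSecurityContextW(phCredential, phContext: PSecHandle; pszTargetName: PWideChar;
  fContextReq, Reserved1, TargetDataRep: ULONG; pInput: PSecBufferDesc; Reserved2: ULONG;
  phNewContext: PSecHandle; pOutput: PSecBufferDesc; var pfContextAttr: ULONG;
  ptsExpiry: PInt64): LongInt; stdcall; external secur32;
function AcceptSecurityContext(phCredential, phContext: PSecHandle; pInput: PSecBufferDesc;
  fContextReq, TargetDataRep: ULONG; phNewContext: PSecHandle; pOutput: PSecBufferDesc;
  var pfContextAttr: ULONG; ptsExpiry: PInt64): LongInt; stdcall; external secur32;
function ImpersonateSecurityContext(phContext: PSecHandle): LongInt; stdcall; external secur32;
function RevertSecurityContext(phContext: PSecHandle): LongInt; stdcall; external secur32;
function DeleteSecurityContext(phContext: PSecHandle): LongInt; stdcall; external secur32;
function FreeCredentialsHandle(phCredential: PSecHandle): LongInt; stdcall; external secur32;
type
  // One side of the handshake: Step consumes the peer's token (empty on the client's first
  // leg), produces the token to send back and returns the SECURITY_STATUS.
  TSspiPeer = record
    Cred, Ctx: SecHandle;  HasCtx: Boolean;
    function Step(IsServer: Boolean; const InTok: TBytes; out OutTok: TBytes): LongInt;
  end;
function TSspiPeer.Step(IsServer: Boolean; const InTok: TBytes; out OutTok: TBytes): LongInt;
var
  InBuf, OutBuf: SecBuffer;  InDesc, OutDesc: SecBufferDesc;  Attr: ULONG;
  PCtx: PSecHandle;  PIn: PSecBufferDesc;
begin
  SetLength(OutTok, MaxToken);
  OutBuf.cbBuffer := MaxToken;  OutBuf.BufferType := SECBUFFER_TOKEN;  OutBuf.pvBuffer := @OutTok[0];
  OutDesc.ulVersion := SECBUFFER_VERSION;  OutDesc.cBuffers := 1;  OutDesc.pBuffers := @OutBuf;
  InBuf.cbBuffer := Length(InTok);  InBuf.BufferType := SECBUFFER_TOKEN;  InBuf.pvBuffer := Pointer(InTok);
  InDesc.ulVersion := SECBUFFER_VERSION;  InDesc.cBuffers := 1;  InDesc.pBuffers := @InBuf;
  if HasCtx then PCtx := @Ctx else PCtx := nil;        // nil only on this side's first leg
  if InTok <> nil then PIn := @InDesc else PIn := nil;
  if IsServer then
    Result := AcceptSecurityContext(@Cred, PCtx, PIn, ASC_REQ_CONNECTION, SECURITY_NATIVE_DREP,
      @Ctx, @OutDesc, Attr, nil)
  else
    // A nil target name makes Negotiate fall back to NTLM; passing the server's SPN
    // (e.g. 'host/app.example.com', assumed) plus ISC_REQ_MUTUAL_AUTH selects Kerberos.
    Result := InitializeSecurityContextW(@Cred, PCtx, nil, ISC_REQ_CONNECTION, 0,
      SECURITY_NATIVE_DREP, PIn, 0, @Ctx, @OutDesc, Attr, nil);
  HasCtx := Result >= 0;                 // negative SECURITY_STATUS values are failures
  SetLength(OutTok, OutBuf.cbBuffer);    // keep only the bytes the package produced
end;
var
  Client, Server: TSspiPeer;
  CS, SS: LongInt;  Leg: Integer;  Len: DWORD;
  ToServer, ToClient: TBytes;
  UserName: array[0..255] of WideChar;
begin
  FillChar(Client, SizeOf(Client), 0);  FillChar(Server, SizeOf(Server), 0);
  // Client side: the logged-on user's credentials. Server side: the account the service runs as.
  if (AcquireCredentialsHandleW(nil, 'Negotiate', SECPKG_CRED_OUTBOUND, nil, nil, nil, nil, @Client.Cred, nil) <> SEC_E_OK)
    or (AcquireCredentialsHandleW(nil, 'Negotiate', SECPKG_CRED_INBOUND, nil, nil, nil, nil, @Server.Cred, nil) <> SEC_E_OK) then
    raise Exception.Create('AcquireCredentialsHandle failed');
  try
    ToClient := nil;  SS := SEC_I_CONTINUE_NEEDED;  Leg := 0;
    repeat   // each pass is one round trip the remoting layer must carry; NTLM needs two
      Inc(Leg);
      if Leg > 8 then raise Exception.Create('handshake did not converge');
      CS := Client.Step(False, ToClient, ToServer);
      if CS < 0 then raise Exception.CreateFmt('client step failed: %.8x', [CS]);
      Writeln(Format('leg %d  client -> server  %d bytes', [Leg, Length(ToServer)]));
      if Length(ToServer) > 0 then
      begin
        SS := Server.Step(True, ToServer, ToClient);
        if SS < 0 then raise Exception.CreateFmt('server step failed: %.8x', [SS]);
        Writeln(Format('leg %d  server -> client  %d bytes', [Leg, Length(ToClient)]));
      end;
    until (CS = SEC_E_OK) and (SS = SEC_E_OK);
    // The server now holds a context for the caller; impersonating it shows who that is.
    // A real server would QuerySecurityContextToken and check group SIDs instead.
    if ImpersonateSecurityContext(@Server.Ctx) = SEC_E_OK then
    try
      Len := Length(UserName);
      if GetUserNameW(UserName, Len) then Writeln('server authenticated: ' + string(PWideChar(@UserName[0])));
    finally
      RevertSecurityContext(@Server.Ctx);
    end;
  finally
    if Server.HasCtx then DeleteSecurityContext(@Server.Ctx);
    if Client.HasCtx then DeleteSecurityContext(@Client.Ctx);
    FreeCredentialsHandle(@Server.Cred);  FreeCredentialsHandle(@Client.Cred);
  end;
end.
```

The two Step calls inside the loop are the points a real deployment splits across the network: the client sends ToServer in a login request, the server answers with ToClient, and the client keeps calling until both sides report SEC_E_OK. No password leaves the client machine, and the server never has to store or decrypt anything, which is what removes the shipped-key problem from the question. Because NTLM needs two round trips, the remoting layer's login hook must be able to return "continue" with a token rather than only "yes" or "no". On the Delphi Prism (ASP.NET) side the same security packages are reachable through .NET, for example System.Net.Security.NegotiateStream, or by P/Invoking the same secur32 functions.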