Alpha Software Mobile Development Tools:   Alpha Anywhere    |   Alpha TransForm subscribe to our YouTube Channel  Follow Us on LinkedIn  Follow Us on Twitter  Follow Us on Facebook
Devcon 2020 Goes Virtual! LEARN MORE >

Announcement

Collapse

The Alpha Software Forum Participation Guidelines

The Alpha Software Forum is a free forum created for Alpha Software Developer Community to ask for help, exchange ideas, and share solutions. Alpha Software strives to create an environment where all members of the community can feel safe to participate. In order to ensure the Alpha Software Forum is a place where all feel welcome, forum participants are expected to behave as follows:
  • Be professional in your conduct
  • Be kind to others
  • Be constructive when giving feedback
  • Be open to new ideas and suggestions
  • Stay on topic


Be sure all comments and threads you post are respectful. Posts that contain any of the following content will be considered a violation of your agreement as a member of the Alpha Software Forum Community and will be moderated:
  • Spam.
  • Vulgar language.
  • Quotes from private conversations without permission, including pricing and other sales related discussions.
  • Personal attacks, insults, or subtle put-downs.
  • Harassment, bullying, threatening, mocking, shaming, or deriding anyone.
  • Sexist, racist, homophobic, transphobic, ableist, or otherwise discriminatory jokes and language.
  • Sexually explicit or violent material, links, or language.
  • Pirated, hacked, or copyright-infringing material.
  • Encouraging of others to engage in the above behaviors.


If a thread or post is found to contain any of the content outlined above, a moderator may choose to take one of the following actions:
  • Remove the Post or Thread - the content is removed from the forum.
  • Place the User in Moderation - all posts and new threads must be approved by a moderator before they are posted.
  • Temporarily Ban the User - user is banned from forum for a period of time.
  • Permanently Ban the User - user is permanently banned from the forum.


Moderators may also rename posts and threads if they are too generic or do not property reflect the content.

Moderators may move threads if they have been posted in the incorrect forum.

Threads/Posts questioning specific moderator decisions or actions (such as "why was a user banned?") are not allowed and will be removed.

The owners of Alpha Software Corporation (Forum Owner) reserve the right to remove, edit, move, or close any thread for any reason; or ban any forum member without notice, reason, or explanation.

Community members are encouraged to click the "Report Post" icon in the lower left of a given post if they feel the post is in violation of the rules. This will alert the Moderators to take a look.

Alpha Software Corporation may amend the guidelines from time to time and may also vary the procedures it sets out where appropriate in a particular case. Your agreement to comply with the guidelines will be deemed agreement to any changes to it.



Bonus TIPS for Successful Posting

Try a Search First
It is highly recommended that a Search be done on your topic before posting, as many questions have been answered in prior posts. As with any search engine, the shorter the search term, the more "hits" will be returned, but the more specific the search term is, the greater the relevance of those "hits". Searching for "table" might well return every message on the board while "tablesum" would greatly restrict the number of messages returned.

When you do post
First, make sure you are posting your question in the correct forum. For example, if you post an issue regarding Desktop applications on the Mobile & Browser Applications board , not only will your question not be seen by the appropriate audience, it may also be removed or relocated.

The more detail you provide about your problem or question, the more likely someone is to understand your request and be able to help. A sample database with a minimum of records (and its support files, zipped together) will make it much easier to diagnose issues with your application. Screen shots of error messages are especially helpful.

When explaining how to reproduce your problem, please be as detailed as possible. Describe every step, click-by-click and keypress-by-keypress. Otherwise when others try to duplicate your problem, they may do something slightly different and end up with different results.

A note about attachments
You may only attach one file to each message. Attachment file size is limited to 2MB. If you need to include several files, you may do so by zipping them into a single archive.

If you forgot to attach your files to your post, please do NOT create a new thread. Instead, reply to your original message and attach the file there.

When attaching screen shots, it is best to attach an image file (.BMP, .JPG, .GIF, .PNG, etc.) or a zip file of several images, as opposed to a Word document containing the screen shots. Because Word documents are prone to viruses, many message board users will not open your Word file, therefore limiting their ability to help you.

Similarly, if you are uploading a zipped archive, you should simply create a .ZIP file and not a self-extracting .EXE as many users will not run your EXE file.
See more
See less

JIT Security

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    JIT Security

    I am pleased to say that with alpha five and my databases I have been able to implement Just In Time security on a website I am building. And it was quite easy too. Using no other tutorials, largely guess work of my own, this is what i've come up with.

    Why I might do this has various reasons. I have mine which I'll keep to myself. (business confidentiality and all).

    But an application of this is maybe to say: to allow users control only under certain circumstances. i.e - a regular forum user may have more abilities under certain subforms that he regulars than someone who has only posted a small handful of times. These maybe certain columns/buttons etc on a grid/navsystem with their own Alpha security groups.

    Though my system is more complex than the following example, ( mine involves multiple databases with many to many relationships, mutiple scripts and functions) i thought i would at least share a simple version with forum-goers:


    Say for instance there is a page which a grid needs to be filtered on certain fields according to who is logged on. And say that within that filter only certain columns and controls are visible to certain users.

    You have already created some security groups in Alpha 5 to assign to people. i.e SuperUser, Administrator, GridEditor, GridAuditor, GeneralUser... etc

    So you set the column's and any other control's security accordingly in the fields editor or which ever method you choose relevant to what you want to secure. (could be a hyperlink, another page.. whatever..)

    Now take for instance someone who is a Administrator for one page, but you only want him to be a GeneralUser and a GridAuditor for this other page.

    Naturally it seems necessary to store this information somewhere. (this is not how i did it at all, but i'm simplifying)
    PageSecurty Database Column Requirements:
    ulink (i.e a uuid)
    page ( a link "magicsecuregrid.a5w")
    groupstring (i.e "GridAuditor, GeneralUser")

    before the page loads you are going to need a script of some sort to reassign security credentials to a user.

    In this case I would personally use a go between page. (which could be used as a link to any page) But there are other ways.
    So that when user clicks a link "magic secure grid page", it actually links to "gobetweenpage.a5w?redirectURL=magicsecuregrid.a5w"

    and this "gobetweenpage.a5w" may look something like this.

    Code:
    <%a5
'Set up necessary variables
dim MyConnection as SQL::Connection
dim ConnectionString as C = "<insert connectionstring here>"
dim MyArguments as SQL::Arguments
dim rsSecurity as SQL::ResultSet

'Create the select statement for your database, heres an example with SQL Server
selectSecurity = <<%str%
SELECT groupstring FROM PageSecurity WHERE ulink=:whatuser AND page=:whatpage
%str%

'Add your arguments getting the redirect variable passed to the page from the link
MyArguments.Add("whatuser",session.__protected__ulink)
MyArguments.Add("whatpage",redirectUrl)
'Connect and execute query
MyConnection.Open(ConnectionString)
MyConnection.Execute(selectSecurity,MyArguments)
rsSecurity = MyConnection.ResultSet
MyConnection.Close()

'Create variables needed to update users security credentials
dim output as p
dim output.controls as p
dim output.controls.guid.value as c
output.controls.guid.value = a5ws_get_guid_from_ulink(session.__protected__ulink)

dim uservalues as p
dim uservalues.guid as c = output.controls.guid.value
dim uservalues.ulink as c = session.__protected__ulink
dim uservalues.groups as c = rsSecurity.data("groupstring")

a5ws_save_webuser_values(output,uservalues)

'logout and login user to refresh their credentials
'**NB YOU WILL NEED TO ATTAIN THEIR PASSWORD AND USERID (for 'logon)
'EITHER FROM A DB OR GET THEM FROM THE A5 SYSTEM
'IM NOT INCLUDING THAT CODE HERE
a5ws_logoutuser()
a5ws_login_user([**USERID],[**PASSWORD])

'Finally redirect to the right page
response.redirect("magicsecuritygrid.a5w")

%>
    The groupstring in a datbase is an rough, but i feel somewhat 'elegant', way to implement JIT security. This groupstring could be hardcoded, or build dynamically through screens by a site administrator. If you double up (i.e groupstring = "GridAuditor, GridAuditor, GeneralUser") it doesn't seem to matter.

    This is not the most secure, nor complete example, but its a starting point for anyone curious about implementing their own Just In Time Security. There are many ways to do it (mine is quite different, but at least somewhat abstracted/deviated from this method)

    i hope this little tutorial makes sense. I hope i didn't leave anything out of the code box! I know i'm a terrible writer!
    Last edited by dparker; 10-27-2010, 06:41 PM. Reason: proofinf
    Tags: None
    #2
    Re: JIT Security

    Great job !

    some notes:
    there 3 basics in a functional security design

    keep it simple
    keep it in control
    keep it to track/follow in development/production

    overload of security groups will have impact on the technical design on your projects.

    Comment

      #3
      Re: JIT Security

      Cheers,
      Indeed it needs to manageable.
      One advantage i feel from it is it does allow for flexibility and easy assignment (through screens connected to the database building such a group string) - Which means if things change and new security features needs to be upgraded for a certain page this can easily be easily be done for users. or even groups of users (if you have a setup/database built like that). A far as technical design goes, JIT security can be restrictive to users, but expandable for developers control over them.

      Comment

        #4
        Re: JIT Security

        I have done a similar thing but in order to execute the logout/login I have the passwords (in sql table) not encrypted.
        It is then easy to lookup the user password.

        Is there a function to retrieve an encrypted password and use it in a5ws_login_user()?

        If not, maybe Alpha can provide a function to refresh user groups without the need to logout/login.
        Last edited by Garry Flanigan; 03-01-2012, 03:44 AM.

        Comment

        Previous template Next
        Working...
        X