A new mORMot user notified on our forum that he just made a short video, about authentication and security with our framework, from the perspective of an AJAX client. Many thanks for sharing your experiences! This video illustrates how RESTful authentication is implemented by mORMot. It also compares […]
Tag - security
2013-01-05
Domain-Driven-Design and mORMot
2013-01-05. Open Source › mORMot Framework
Implementing Domain-Driven-Design (DDD) is one goal of our mORMot framework.
We already presented this particular n-Tier architecture.
It is now time to enter deeper into the material, and provide some definitions and references.
You can also search the web for reference, or look at the official web site.
A general presentation of the corresponding concepts, in the .NET world, was used as reference for this blog entry.
Stay tuned, and ride the mORMot!
2012-11-20
Authentication in mORMot using Windows credentials
2012-11-20. Open Source › mORMot Framework
By default, the hash of the user password is stored safely on the server side. This may be an issue for corporate applications, since a new user name / password pair has to be defined for each client, which may be annoying.
Since revision 1.18 of the framework, mORMot is able to use Windows Authentication to identify any user. That is, the user does not need to enter any name or password: her/his Windows credentials, as entered at Windows session startup, will be used instead.
Thanks a lot Chaa for making public your code proposal!
Open Source is so great sometimes!
Keep up the good work!
2012-09-03
Client-Server allowed back to XE3 pro
2012-09-03. Open Source › mORMot Framework
The attempt to restrict the XE3 Professional license did evolve into an amazing discussion in Embarcadero forums, and Delphi-related blogs. David I announced the (reverted) EULA for Delphi Pro. Remote database access is again possible, with terms similar to Delphi XE2. You can check the Software […]
2012-07-12
One ORM to rule them all
2012-07-12. Open Source › mORMot Framework
If you discovered the mORMot framework, you may have found out that its implementation may sound restricted, in comparison to other ORMs, due to its design. It would be easy to answer that "it is not a bug, it is a feature", but I suspect it is worth a dedicated article.
Some common (and founded) criticisms are the following (quoting from our forum - see e.g. this question):
- "One of the things I don't like so much about your approach to the ORM is the mis-use of existing Delphi constructs like "index n" attribute for the maximum length of a string-property. Other ORMs solve this i.e. with official Class-attributes";
- "You have to inherit from TSQLRecord, and can't persist any plain class";
- "There is no way to easily map an existing complex database".
I understand very well those concerns.
Our mORMot framework is not meant to fit any purpose, but it is worth understanding why it has been implemented as such, and why it may be quite unique within the family of ORMs - which almost all follow the Hibernate way of doing things.
2012-05-28
Synopse mORMot Framework 1.16
2012-05-28. Open Source › mORMot Framework
Our Open Source mORMot framework is now available in revision 1.16.
The main new features are the following:
- Interface-based services, i.e. comparable to WCF, but with Delphi strengths;
- ORM cache, whose purpose is to enhance server scaling and client responsiveness;
- Automatic JOIN query to unleash the underlying DB power;
- SQLite3 engine updated to latest revision 3.7.12.1;
- Major update of the associated documentation (now more than 800 pages);
- A lot of bug fixes and enhancements, mainly from user requests - thank you all for your feedback, patches and ideas!
Thanks to these features, mORMot is now able to provide a stand-alone Domain-Driven Design framework for Delphi.
Quite a long and nice road for a little mORMot, and more to come!
2012-04-20
WCF, mORMot and Event Sourcing
2012-04-20. Open Source › mORMot Framework
Our latest mORMot feature is interface-based service implementation.
How does it compare with the reference SOA implementation (at least in the Windows world) - aka WCF?
"Comparaison n'est pas raison", as we say in France.
But we will also speak about Event Sourcing, and why it is now on our official road map.
Comparing our implementation with WCF is an opportunity to make our framework ever better.
2012-03-28
Return custom content from an interface-based service
2012-03-28. Open Source › mORMot Framework
As stated in this previous article, the default answer format is a valid JSON object.
In some cases, it may be useful to have a service operation (i.e. an interface method) return arbitrary content, e.g. some plain TEXT, HTML or binary data (like a picture).
2012-03-07
Interface based services - sample code
2012-03-07. Open Source › mORMot Framework
In the "SQLite3/Samples/14 - Interface based services" folder of the supplied source code distribution, you will find a dedicated sample about this feature.
The purpose of this code is to show how to create a client-server service, using interfaces, over named pipe communication.
Interface based services - Implementation details
2012-03-07. Open Source › mORMot Framework
You will find in SQLite3Commons.pas all classes implementing this interface communication.
There are two levels of implementation:
- A services catalog, available in the TSQLRest.Services property, declared as TServiceContainer (with two inherited versions, one for each side);
- A service factory for each interface, declared as TServiceFactory (also with two inherited versions, one for each side).
In fact, the TServiceFactory.Create constructor will retrieve all needed RTTI information of the given interface, i.e. GUID, name and all methods (with their arguments). It will compute the low-level stack memory layout needed at execution. And the corresponding "contract" will be computed, to validate that both client and server expect the exact same interface.
On the server side, the TServiceFactoryServer.ExecuteMethod method (and then a nested TServiceMethod.InternalExecute call) is used to prepare a valid call to the implementation class code from a remote JSON request.
On the client side, a TInterfacedObjectFake class will be created, and will emulate a regular Delphi interface call using some on-the-fly asm code generated in the TServiceFactoryClient.Create constructor.
Interface based services - Using services on the Client or Server sides
2012-03-07. Open Source › mORMot Framework
Once the service is registered on the server side, it is very easy to use it in your code.
In a complex Service Oriented Architecture, it is pretty common to have services calling each other. Code re-usability is key here. So you'll have to consume services on the server side. According to the SOLID design principles, you'd better rely on abstraction in your code, i.e. not call the service implementation, but the service abstract interface.
You can use the following method of your TSQLRest.Services instance (note that this method is available on both client and server sides, so is the right access point to all services):
  function TServiceFactory.Get(out Obj): Boolean;
Interface based services - Server side
2012-03-07. Open Source › mORMot Framework
In order to have an operating service, you'll need to implement a Delphi class which matches the expected interface.
Interface based services - defining a data contract
2012-03-07. Open Source › mORMot Framework
In a Service Oriented Architecture, services tend to create a huge list of operations.
In order to facilitate implementation and maintenance, operations shall be grouped within common services.
The data contract is to be defined as a plain Delphi interface type.
In fact, the sample type as stated in a previous blog article can be used directly:
  type
    ICalculator = interface(IInvokable)
      ['{9A60C8ED-CEB2-4E09-87D4-4A16F496E5FE}']
      /// add two signed 32 bit integers
      function Add(n1,n2: integer): integer;
    end;
This ICalculator.Add method will define one "Add" operation, under the "ICalculator" service (which will be named internally 'Calculator' by convention).
This operation will expect two numbers as input, and then return the sum of those numbers.
Interface based services
2012-03-07. Open Source › mORMot Framework
The Client-Server services via methods implementation (our DataSnap-like feature) gives full access to the lowest level of the mORMot core, so it has some advantages:
- It can be tuned to fit any purpose (such as retrieving or returning some HTML or binary data, or modifying the HTTP headers on the fly);
- It is integrated into the RESTful URI model, so it can be related to any table/class of our ORM framework (like the DataAsHex service above), or it can handle any remote query (e.g. any AJAX or SOAP requests);
- It has a very low performance overhead, so it can be used to reduce server workload for some common tasks.
But this implementation pattern has some drawbacks:
- Most content marshaling is to be done by hand, which may introduce implementation issues;
- Client and server side code do not share the same implementation pattern, so you will have to code data marshaling explicitly twice, for both client and server;
- The services do not have any hierarchy, and are listed as a plain list, which is not very convenient;
- It is difficult to synchronize several service calls within a single context, e.g. when a workflow is to be handled during the application process (you have to code some kind of state machine on both sides);
- Security is handled globally for the user, or has to be checked by hand in the implementation method (using the aParams.Context values).
You can get rid of those limitations with the interface-based service implementation of mORMot. For a detailed introduction and best practice guide to SOA, you can consult this "classic" article.
According to this document, all expected SOA features are now available in the current implementation of the mORMot framework (including a service catalog, aka "broker").
2012-02-06
Modification of TSQLRestServerCallBack method prototype (bis)
2012-02-06. Open Source › mORMot Framework
The prototype of these methods has been modified one more time, to supply a single parameter:
This is a CODE BREAK change and you shall refresh ALL your server-side code to match the new signature.
This single parameter will let the signature remain untouched in your code implementation, even if the framework evolves (like adding a new parameter).
2011-12-30
Hash collision attack
2011-12-30. Open Source › mORMot Framework
A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures; the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.
The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests, in conjunction with the predictable collision properties in the hashing functions of the underlying languages, can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to 100% CPU usage which can last up to several hours depending on the targeted application and server performance; the amplification effect is considerable and requires little bandwidth and time on the attacker side.
Source: #2011-003 multiple implementations denial-of-service via hash algorithm collision
2011-11-30
AJAX authentication
2011-11-30. Open Source › mORMot Framework
A nice framework user, named esmondb, wrote and published some JavaScript code to handle our RESTful authentication mechanism.
It seems to work well, and implements all the secure hashing and challenge handling.
Our authentication mechanism is much more advanced than the one used by DataSnap - which is basic HTTP authentication with the password transmitted in clear (this is the reason why it had better be used over HTTPS, whereas mORMot can be used over plain HTTP).
The resulting JavaScript code seems not difficult to follow, even for a non-JS expert like me.
2011-05-24
How to implement RESTful authentication
2011-05-24. Open Source › mORMot Framework
Commonly, RESTful authentication can be achieved, in the SOA over HTTP world, via:
- HTTP basic auth over HTTPS;
- Cookies and session management;
- Query Authentication with additional signature parameters.
We'll have to adapt, or even better mix, those techniques to best match our framework architecture.
Each authentication scheme has its own PROs and CONs, depending on the purpose of your security policy and software architecture.
2010-07-04
Named Pipe, Vista, Seven and Service
2010-07-04. Pascal Programming
If you want some local communication between a service software and a front-end GUI application, named pipes are a viable mechanism for this communication. It worked fine until Windows XP, then came Vista, Seven, and the UAC...