Hello All,

I am developing a 3 tier database application:

1.) MS SQL DB
2.) Middle tier SOAP Server (with Delphi 7) connected to the DB
3.) Clients (first win32 gui (with Delphi 7) - later other platforms) connected to the SOAP server

I chose a SOAP Server to be open to various clients at a later stage (also some of the win32 gui clients will be stationed abroad - so the clients need to be thin) (this as suggested by Dr. Bob).

I am new to SOAP and have been looking at different examples and papers about authentication. But I can't quite get my head around it.

I have made a SOAP server and client with Delphi's SOAP Server Application Wizard and added a SOAP SERVER Data Module, added a database connection and some datasets and providers. Connected the client with dbgrid etc and that part works fine.

But I want the client first to log in and then be able to access data, and I want the server to log each connection and also when the client logs off or is disconnected, so I am guessing I need the sessionID and a timeout. I also want the server to be able to tell the clients who else is "connected" (or whose session is still active) at any given time. I have gathered that I need to make an authentication header, but can't figure out where or how I can get a sessionID. I presume that each time a client connects to the server the server generates a sessionID? How do I get this?

Any help or suggestions/pointer would be appreciated,

thanks Justin

A: 

OK take 2:

OK, I have done the following so far (this is used from the example Bank Account SOAP application that comes with Delphi 7):

procedure TForm1.btnLoginClick(Sender: TObject);
var
  H: TAuthHeader;
  Headers: ISOAPHeaders;
  SoapData: IThorPayServerDB;
begin
  SoapData := HTTPRIOOnForm as IThorPayServerDB;
  { Ask the server to check the credentials }
  if not(SoapData.login(edtUser.Text, edtPassword.Text)) then
  begin
    showmessage('Not correct login');
    exit;
  end;
  Headers := SoapData as ISoapHeaders;
  { Get the header from the incoming message }
  Headers.Get(TAuthHeader, TSoapHeader(H));
  try
    if H <> nil then
    begin
      { Keep the values the server sent back }
      FIdKey := H.IdNumber;
      FTimeStamp := H.TimeStamp;
    end
    else
      ShowMessage('No authentication header received from server');
  finally
    H.Free;
  end;
  if FIdKey > 0 then
    showmessage('Authenticated');
end;

The SoapData.login returns the correct result, but for some reason I can't get hold of the header. In this case H is nil and the result becomes 'No authentication header received from server'.

If I intercept the SOAP xml I can see that the header is there, here is the returned package:

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Header SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:NS1="urn:ThorPayServerDB_Unit">
<NS1:TAuthHeader xsi:type="NS1:TAuthHeader">
<SessionID xsi:type="xsd:int">1</SessionID>
<IdNumber xsi:type="xsd:int">1</IdNumber>
<UserName xsi:type="xsd:string"></UserName>
<LoginName xsi:type="xsd:string"></LoginName>
<UserLevel xsi:type="xsd:int">4208687</UserLevel>
<TimeStamp xsi:type="xsd:dateTime">2010-05-14T10:03:49.469+03:00</TimeStamp>
</NS1:TAuthHeader>
</SOAP-ENV:Header>
<SOAP-ENV:Body SOAP-ENC:encodingStyle="http://schemas.xmlsoap.org/soap/envelope/">
<NS2:loginResponse xmlns:NS2="urn:ThorPayServerDB_Unit-IThorPayServerDB">
<return xsi:type="xsd:boolean">true</return>
</NS2:loginResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Anyone any idea? In this case I am not using the SOAPConnection that I am using for the DB, but a separate HTTPRIO component.

Justin Philbrow
A: 

OK - figured it out - I had not:

InvRegistry.RegisterHeaderClass(TypeInfo(IThorPayServerDB), TAuthHeader);

in the initialization


But I still can't figure out how to get the session ID - or some unique way of knowing which client session is logged in to the server - any ideas?

Justin Philbrow
+1  A: 

SOAP servers do not provide sessions by default. Your server has to implement Session life cycle management (Login / Logout) etc.

A basic solution is documented here: Managing sessions with Delphi 6 Web services

Note however that this solution is far from perfect (see comments), for example it does not provide a session timeout mechanism.

mjustin
thanks I have implemented a similar solution already.
Justin Philbrow
feel free to give me some reputation points :)
mjustin
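
The session timeout that the answer above says the linked solution lacks, sketched as an added example (not code from this thread or from the linked article): a server-side registry that issues an unguessable token at login and drops it after an idle limit. All names, the 20-minute limit and the use of the Windows CryptoAPI as the random source are assumptions.

```delphi
program SessionRegistryDemo;  // added example; all names are hypothetical
{$APPTYPE CONSOLE}
uses SysUtils, Classes, SyncObjs, DateUtils;
const IdleLimitMin = 20; PROV_RSA_FULL = 1; CRYPT_VERIFYCONTEXT = $F0000000; // 20 min is assumed
type TSession = class User: string; LastSeen: TDateTime; end;
var Lock: TCriticalSection; Sessions: TStringList;  // token -> TSession in Objects[]
function CryptAcquireContext(var Prov: Cardinal; Container, Provider: PChar; ProvType,
  Flags: Cardinal): LongBool; stdcall; external 'advapi32.dll' name 'CryptAcquireContextA';
function CryptGenRandom(Prov, Len: Cardinal; Buf: Pointer): LongBool; stdcall; external 'advapi32.dll';
function CryptReleaseContext(Prov, Flags: Cardinal): LongBool; stdcall; external 'advapi32.dll';

function NewToken: string;  // 128 bits from the Windows CryptoAPI generator, as 32 hex digits
var Prov: Cardinal; Buf: array[0..15] of Byte; I: Integer;
begin
  if not CryptAcquireContext(Prov, nil, nil, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) then RaiseLastOSError;
  try
    if not CryptGenRandom(Prov, SizeOf(Buf), @Buf) then RaiseLastOSError;
  finally
    CryptReleaseContext(Prov, 0);
  end;
  Result := '';
  for I := 0 to High(Buf) do Result := Result + IntToHex(Buf[I], 2);
end;

function Login(const User: string): string;  // call only after the password check passed
var S: TSession;
begin
  Result := NewToken;
  S := TSession.Create; S.User := User; S.LastSeen := Now;
  Lock.Enter;
  try Sessions.AddObject(Result, S); finally Lock.Leave; end;
end;

function Validate(const Token: string): Boolean;  // refresh a live session, drop a stale one
var I: Integer; S: TSession;
begin
  Result := False;
  Lock.Enter;
  try
    I := Sessions.IndexOf(Token);
    if I < 0 then Exit;  // unknown token, or one that already expired
    S := TSession(Sessions.Objects[I]);
    Result := MinutesBetween(Now, S.LastSeen) < IdleLimitMin;
    if Result then S.LastSeen := Now else begin Sessions.Delete(I); S.Free; end;
  finally
    Lock.Leave;
  end;
end;

begin
  Lock := TCriticalSection.Create; Sessions := TStringList.Create;
  Writeln('issued token: ', Validate(Login('justin')), '  guessed "1": ', Validate('1'));
end.
```

The server would return the token in the TAuthHeader of the login response and call Validate on the header of every later request. Listing who is still connected is a walk over Sessions under the same lock.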