4D v13.4

On Web Authentication Database Method


The On Web Authentication Database Method is in charge of managing Web server engine access. It is called by 4D or 4D Server when a Web browser request requires the execution of a 4D method on the server (method called using a 4DACTION URL, a 4DSCRIPT tag, etc.).

This method receives six Text parameters: $1, $2, $3, $4, $5, and $6, and returns one Boolean parameter, $0. The description of these parameters is as follows:

| Parameters | Type | Description |
| --- | --- | --- |
| $1 | Text | URL |
| $2 | Text | HTTP header + HTTP body (32 KB maximum) |
| $3 | Text | IP address of the Web client (browser) |
| $4 | Text | IP address of the server |
| $5 | Text | User name |
| $6 | Text | Password |
| $0 | Boolean | True = request accepted, False = request rejected |

You must declare these parameters as follows:

  ` On Web Authentication Database Method
 
 C_TEXT($1;$2;$3;$4;$5;$6)
 C_BOOLEAN($0)
 
  ` Code for the method

Note: Not all of the On Web Authentication database method’s parameters are necessarily filled in. The information received by the database method depends on the options that you have previously selected in the Database Settings dialog box (please refer to the section Connection Security).

  • URL

    The first parameter ($1) is the URL entered by the user in the location area of his or her Web browser, from which the host address has been removed.

    Let’s take the example of an Intranet connection. Suppose that the IP address of your 4D Web Server machine is 123.4.567.89. The following table shows the values of $1 depending on the URL entered in the Web browser:

    | URL entered in Web browser Location area | Value of parameter $1 |
    | --- | --- |
    | 123.4.567.89 | / |
    | http://123.4.567.89 | / |
    | 123.4.567.89/Customers | /Customers |
    | http://123.4.567.89/Customers | /Customers |
    | http://123.4.567.89/Customers/Add | /Customers/Add |
    | 123.4.567.89/Do_This/If_OK/Do_That | /Do_This/If_OK/Do_That |

  • Header and Body of the HTTP request

    The second parameter ($2) is the header and the body of the HTTP request sent by the Web browser. Note that this information is passed to your On Web Authentication Database Method as it is. Its contents will vary depending on the nature of the Web browser which is attempting the connection.
    If your application deals with this information, it is up to you to parse the header and the body.

Notes:

  • For performance reasons, the size of data passing through the $2 parameter must not exceed 32 KB. Data beyond this size is truncated by the 4D HTTP server.
  • For more information about this parameter, please refer to the description of the On Web Connection Database Method.
  • Web client IP address

    The $3 parameter receives the IP address of the browser’s machine. This information can allow you to distinguish between Intranet and Internet connections.

  • Server IP address

    The $4 parameter receives the IP address used to call the Web server. 4D since version 6.5 allows for multi-homing, which allows you to use machines with more than one IP address. For more information, please refer to the section Web Server Settings.

  • User Name and Password

    The $5 and $6 parameters receive the user name and password entered by the user in the standard identification dialog box displayed by the browser. This dialog box appears for each connection, if a password management option has been selected in the Database Settings dialog box (see section Connection Security).

Note: If the user name sent by the browser exists in 4D, the $6 parameter (the user’s password) is not returned for security reasons.

The On Web Connection Database Method is only executed if the connection has been accepted by On Web Authentication.

WARNING: If no value is assigned to $0 or if $0 is not defined in the On Web Authentication Database Method, the connection is considered as accepted and the On Web Connection Database Method is executed.

Notes:

  • Do not call any interface elements in the On Web Authentication Database Method (ALERT, DIALOG, etc.) because otherwise its execution will be interrupted and the connection refused. The same thing will happen if an error occurs during its processing.
  • It is possible to prevent execution by 4DACTION or 4DSCRIPT for each project method via the “Available through 4D HTML tags and URLs (4DACTION...)” option in the Method properties dialog box. For more information about this point, please refer to the Connection Security section.

The On Web Authentication Database Method is automatically called, regardless of the mode, when a request or processing requires the execution of a 4D method. It is also called when the Web server receives an invalid static URL (for example, if the static page requested does not exist).

The On Web Authentication Database Method is therefore called in the following cases:

  • when 4D receives a URL beginning with 4DACTION/
  • when 4D receives a URL beginning with 4DCGI/
  • when 4D receives a URL beginning with 4DSYNC/
  • when 4D receives a URL requesting a static page that does not exist
  • when 4D processes a 4DSCRIPT tag in a semi-dynamic page
  • when 4D processes a 4DLOOP tag based on a method in a semi-dynamic page.

Compatibility note: The database method is also called when 4D receives a URL beginning with 4DMETHOD/. This URL is obsolete and is only kept for compatibility's sake.

Note that the On Web Authentication Database Method is NOT called when the server receives a URL requesting a valid static page.

Example of the On Web Authentication Database Method in BASIC mode:

  `On Web Authentication Database Method
 C_TEXT($5;$6;$3;$4)
 C_TEXT($user;$password;$BrowserIP;$ServerIP)
 C_BOOLEAN($4Duser)
 ARRAY TEXT($users;0)
 ARRAY LONGINT($nums;0)
 C_LONGINT($upos)
 C_BOOLEAN($0)
 
 $0:=False
 
 $user:=$5
 $password:=$6
 $BrowserIP:=$3
 $ServerIP:=$4
 
  `For security reasons, refuse names that contain @
 If(WithWildcard($user)|WithWildcard($password))
    $0:=False
  `The WithWildcard method is described below
 Else
  `Check to see if it’s a 4D user
    GET USER LIST($users;$nums)
    $upos:=Find in array($users;$user)
    If($upos >0)
       $4Duser:=Not(Is user deleted($nums{$upos}))
    Else
       $4Duser:=False
    End if
 
    If(Not($4Duser))
  `It is not a user defined in 4D, look in the table of Web users
       QUERY([WebUsers];[WebUsers]User=$user;*)
       QUERY([WebUsers]; & [WebUsers]Password=$password)
       $0:=(Records in selection([WebUsers])=1)
    Else
       $0:=True
    End if
 End if
  `Is this an intranet connection? (the prefix "192.100." is 8 characters long)
 If(Substring($BrowserIP;1;8)#"192.100.")
    $0:=False
 End if

Example of the On Web Authentication Database Method in DIGEST mode:

  // On Web Authentication Database Method
 C_TEXT($1;$2;$5;$6;$3;$4)
 C_TEXT($user)
 C_BOOLEAN($0)
 $0:=False
 $user:=$5
  // For security reasons, refuse names that contain @
 If(WithWildcard($user))
    $0:=False
  // The WithWildcard method is described below
 Else
    QUERY([WebUsers];[WebUsers]User=$user)
    If(Records in selection([WebUsers])=1) // OK only reports that the query ran, not that a user was found
       $0:=WEB Validate digest($user;[WebUsers]password)
    Else
       $0:=False // User does not exist
    End if
 End if

The WithWildcard method is as follows:

  // WithWildcard Method
  // WithWildcard ( String ) -> Boolean
  // WithWildcard ( Name ) -> Contains a Wildcard character
 
 C_INTEGER($i)
 C_BOOLEAN($0)
 C_TEXT($1)
 
 $0:=False
 For($i;1;Length($1))
    If(Character code(Substring($1;$i;1))=Character code("@"))
       $0:=True
    End if
 End for
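
Because an unassigned $0 is treated as "accepted" and the method is triggered by every URL type listed above, the following added example (not part of the original 4D documentation) denies by default and only then allows requests per URL prefix in DIGEST mode. The policy is an assumption: 4DACTION/ from any address, 4DSYNC/ only from the "192.100." intranet prefix used in the BASIC example, everything else rejected; it reuses the [WebUsers] table and WithWildcard method shown on this page and assumes the application uses no 4DSCRIPT or method-based 4DLOOP tags.

```4d
  // On Web Authentication Database Method
  // Added example (DIGEST mode): deny by default, allow per URL prefix
 C_TEXT($1;$2;$3;$4;$5;$6)
 C_BOOLEAN($0)
 C_TEXT($url;$user;$BrowserIP)
 C_BOOLEAN($intranet;$allowed)

 $0:=False  // assign first: an unset $0 counts as "accepted"
 $allowed:=False
 $url:=$1  // host already removed, e.g. "/4DACTION/MyMethod"
 $user:=$5
 $BrowserIP:=$3

  // Assumed intranet prefix (8 characters), as in the BASIC example
 $intranet:=(Substring($BrowserIP;1;8)="192.100.")

 Case of
    : (WithWildcard($user))
        // "@" is the wildcard character in QUERY comparisons: reject

    : (Position("/4DACTION/";$url)=1)
        // Method call by URL: allowed from any address (assumed policy)
       $allowed:=True

    : (Position("/4DSYNC/";$url)=1)
        // Assumed policy: only from the intranet
       $allowed:=$intranet

    Else
        // 4DCGI/, 4DMETHOD/, nonexistent static pages and anything
        // unexpected stay rejected
 End case

 If($allowed)
     // The URL class is permitted; the user must still authenticate
    QUERY([WebUsers];[WebUsers]User=$user)
    If(Records in selection([WebUsers])=1)
       $0:=WEB Validate digest($user;[WebUsers]Password)
    End if
 End if
```

Every path that does not reach WEB Validate digest leaves $0 at the False assigned on the first executable line, so a new URL type or a forgotten branch is rejected rather than accepted.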

 
PROPERTIES 

Product: 4D
Theme: Web Server

 
SEE ALSO 

Connection Security
Database Methods
On Web Connection Database Method
URLs and Form Actions