Auth_Custom, Auth_Prompt or…..

Auth_Custom, Auth_Prompt or…..

Steve Upton

Hi All,

Lasso 8.5 (for the time being, a solution that will work in 9.x would be great as well)

We're developing a RESTful interface and I'm working on authentication.

At some point I think I'd like to support OAuth but for the time being I just want digest-based authentication to work.

All the Lasso tags seem to want to access the Lasso user and group stuff, we don't want that.

We want to be able to use normal http auth stuff, ask the user for their u/n and password (or have it passed by the app), search our DB & respond accordingly.

Should I be using the Auth_Custom or Auth_Prompt tags or something else. Both of them keep prompting the user rather than returning control back to our code...

thanks,

Steve Upton



#############################################################

Attend the Lasso Developer Conference 2013!
Sept 12-14, 2013 in Niagara Falls, Canada
http://www.lassosoft.com/LDC-niagara-falls-2013

#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: Auth Custom, Auth Prompt or…..

stevepiercy
I don't think it is possible to do all you want in 8, if I read
the Language Guide p. 289 correctly:

     In order to support digest authentication Lasso must have the password
     for each user in the security_user table stored in plain text. In prior
     versions of Lasso all passwords were stored as MD5 hashes. Digest
     authentication will only work for users created or modified with Lasso
     Professional 8 so the plaintext password is stored properly. Lasso will
     fall back on basic authentication for users who do not have a plaintext
     password.

     The [Client_Authorization] tag can be used to see what type of
     authentication is being used for the current site visitor.

In 9, syntax is pretty much the same, but I don't quite grok how
one would store u/p and how to call auth_user with the proper
parameters.  It's probably the same as 8, except in 8 there was
a -digest=boolean flag.
http://lassoguide.com/operations/authentication.html
http://www.lassosoft.com/lassoDocs/languageReference/obj/auth_user

I'll defer to others.  I never use digest auth in Lasso.

--steve



-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>


Re: Auth Custom, Auth Prompt or…..

Bil Corry-3
Use [auth_custom] with the -authTag param.  I don't have a simple example
handy, but Marc Vos said he uses it like this:

auth_custom(-AuthTag='zz_auth_check',
-AuthTagParams=array(-group='zz_sys'), -realm='GDTG Logistics');

(from http://lasso.2283332.n4.nabble.com/Set-realm-username-password-tp3697659p3698444.html)


- Bil



Re: Auth Custom, Auth Prompt or…..

Marc Vos
Bil's right - he made it possible back then ;-)
It's our way of bypassing Lasso Security and still being able to log in via HTTP-AUTH and it works great!

zz_auth_check is a tag, loaded via LassoStartup that logs you in:

/*
        Login Auth scripts

        zz_auth_check is passed to auth_custom:
        auth_custom(-AuthTag='zz_auth_check', -AuthTagParams=array(-group='somegroup'), -realm='Your site name');

        ------------------------------------------------------------------------
        Check username in AUTH tables
*/

define_tag('zz_auth_check',-required='username',-required='realm',-required='group');

        // Look the user up in both account tables (usrs and sys), restricted
        // to the requested group. All values are passed through encode_sql.
        local('l_sql' = "
                (
                        SELECT
                                usrs.uspassw
                        FROM
                                grps,
                                usrs
                        WHERE
                                grps.grusid = usrs.usid
                                AND grps.grid = '" + encode_sql(#group) + "'
                                AND grps.grusid = '" + encode_sql(#username) + "'
                )
                UNION
                (
                        SELECT
                                sys.uspassw
                        FROM
                                grps,
                                sys
                        WHERE
                                grps.grusid = sys.usid
                                AND grps.grid = '" + encode_sql(#group) + "'
                                AND grps.grusid = '" + encode_sql(#username) + "'
                )");

        inline(-username='blabla', -password='hophop', -database='user_auth', -sql=#l_sql);
                // Exactly one match: return the stored password.
                // The column name must match the one selected above (uspassw).
                if(found_count == 1);
                        return(column('uspassw'));
                /if;
        /inline;
        // No match, or more than one: return NULL.
        return(NULL);
/define_tag;

- -
Marc



Re: Auth Custom, Auth Prompt or…..

Steve Upton

On Jun 27, 2013, at 1:24 AM, Marc Vos <[hidden email]> wrote:

> Bil's right - he made it possible back then ;-)
> it's our way of bypassing Lasso Security and still being able to log in via HTTP-AUTH and it works great!

Thanks,

That's an odd process but it works

regards,

Steve

