Web aficionados - Not allow user to access file directly


Web aficionados - Not allow user to access file directly

4D Tech mailing list
Hi Web Experts,

I don't want the web users to access html files directly, without going through ON WEB CONNECTION.

e.g.

http://myweb/foobar.html

If "foobar.html" exists in the web folder, users can put this in the address bar and it will pull up the web page, but will not process the 4D Tags, etc.
Very, very funky.

So, I'm probably being a dope, but does anyone know what I can do to prevent accessing html files directly?

Gracious thanks

Randy Engle


**********************************************************************
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:[hidden email]
**********************************************************************

AW: Web aficionados - Not allow user to access file directly

4D Tech mailing list
Use the so-called "Web decoy" technique. Basically you put your html files in another folder outside your html root. Then redirect all requests using ON WEB CONNECTION. For every http request 4D cannot serve directly, it uses ON WEB CONNECTION.

This is more elaborated e.g. here:

How to skip over HTTP and redirect to HTTPS
https://kb.4d.com/assetid=75313
How to skip over HTTP and redirect to HTTPS: Part 2 (The Web decoy folder)
https://kb.4d.com/assetid=75753

And there was a book "The Web Companion" by David Adams, it's a bit old now, but the technique remains the same. If you can get a copy ...

HTH

Regards
Lutz


Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
It's a shame that 4D's web server does not directly support something similar to Apache's .htaccess file in the web root. Securing direct access to html files/folders would then be trivial.

Regards,
 
Narinder Chandi,
ToolBox Systems Ltd.
 
I am available for new consulting opportunities…
http://4d.1045681.n5.nabble.com/ANN-4D-Developer-Available-td5765443.html
--

-----Original Message-----
From: 4D_Tech <[hidden email]> on behalf of 4D Tech Mailing List <[hidden email]>
Reply-To: 4D Tech Mailing List <[hidden email]>
Date: Tuesday, 1 October 2019 at 16:49
To: 4D Tech Mailing List <[hidden email]>
Cc: "Epperlein, Lutz (agendo)" <[hidden email]>
Subject: AW: Web aficionados - Not allow user to access file directly


Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hey Randy,
The optimal way to achieve this is to set up the website with a different
web server functioning as the node publicly exposed to the internet. That
server deals with all the authentication and heavy protection stuff 4D
isn't very good at and communicates with your 4D server via API calls. Your
4D server can be locked down to only talk with something coming from a
specific IP address (the front facing server) on a specific port.

If you can't do that the 4D server will statically serve any pages in the
web folder with the one you identify as the index page being the default.
If you set the default page to a non-existent page, xxx.html for instance.
In this case

"The On Web Authentication Database Method is automatically called,
regardless of the mode, when a request or processing requires the execution
of a 4D method. It is also called when the Web server receives an invalid
static URL (for example, if the static page requested does not exist)."
https://doc.4d.com/4Dv17R5/4D/17-R5/On-Web-Authentication-Database-Method.300-4127485.en.html


So you can intercept and validate using On web auth. If you do nothing in
On web auth the request flows to On web connect. I generally deal with the
requests there.

You can use the scheme of serving web pages stored elsewhere and/or
construct the response in code. At this point you are really building an
API more than a web server - which I think is a good thing.

If you are going to use 4D code to actually construct html pages I really
encourage building the html as templates (stored outside the web folder).
Use Process 4D tags to populate them with data you develop in code. I find
attempting to construct anything more than the most trivial html in 4D code
the path to long hours and great unhappiness.


On Tue, Oct 1, 2019 at 8:38 AM Randy Engle via 4D_Tech <[hidden email]>
wrote:

--
Kirk Brooks
San Francisco, CA
=======================

What can be said, can be said clearly,
and what you can’t say, you should shut up about

*Wittgenstein and the Computer *

RE: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hi Lutz,

Thanks for the info!

Yes, I've got a copy of "Web Companion" somewhere.

Will check it out.

Randy Engle

-----Original Message-----
From: 4D_Tech <[hidden email]> On Behalf Of Epperlein, Lutz (agendo) via 4D_Tech
Sent: Tuesday, October 1, 2019 8:49 AM
To: 4D iNug Technical <[hidden email]>
Cc: Epperlein, Lutz (agendo) <[hidden email]>
Subject: AW: Web aficionados - Not allow user to access file directly


RE: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hi Kirk,

Thanks for the info.
Most of our customers are resistant to proxy servers
They think that we should be handling all of it.

So... I'll need to go to plan "B"

😉

Randy Engle

-----Original Message-----
From: 4D_Tech <[hidden email]> On Behalf Of Kirk Brooks via 4D_Tech
Sent: Tuesday, October 1, 2019 8:55 AM
To: 4D iNug Technical <[hidden email]>
Cc: Kirk Brooks <[hidden email]>
Subject: Re: Web aficionados - Not allow user to access file directly


Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
If you can't find it: http://www.island-data.com/downloads/books/4D_Web_Companion.pdf

Some hacker/pirate named David Adams has put David Adams' book on the internet for all to see.


> On Oct 1, 2019, at 8:55 AM, Randy Engle via 4D_Tech <[hidden email]> wrote:

Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Randy,
On Tue, Oct 1, 2019 at 9:05 AM Randy Engle via 4D_Tech <[hidden email]>
wrote:

> Most of our customers are resistant to proxy servers
> They think that we should be handling all of it.
>
Are these the same guys who do such a great job protecting themselves from
ransom ware?


--
Kirk Brooks
San Francisco, CA
=======================

What can be said, can be said clearly,
and what you can’t say, you should shut up about

*Wittgenstein and the Computer *

Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
Hi Randy, the setup you are looking for is what I have done for all my projects.

I have two folders: “WEB_Public” and “WEB_Private”.

WEB_Public contains all my static assets like images, javascript, css, etc. There are no 4D tags in any of these files.

WEB_Private contains all my application specific code. When a URL comes in, if it is for a static file, 4D serves it directly. If it is not, then the On Web Connection method is triggered and my application logic runs. From there I can ensure that the session is loaded, and I process the request and eventually send one of the files out of the WEB_Private folder.

It works very nicely and I have my static and dynamic files separated into different folders.

Feel free to reach out directly if you want some more information on my approach.

Dani Beaubien
Open Road Development

> On Oct 1, 2019, at 10:33 AM, Kirk Brooks via 4D_Tech <[hidden email]> wrote:

Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
I place nginx as a proxy in front of 4D. It's very straightforward and can run
on Linux and Windows. Nginx runs the public port and can serve all static
resources (images, CSS, etc.). You can use Let's Encrypt for free SSL. This way
the proxy to 4D can run on HTTP to, say, port 8080, which is faster, and 4D
Server is not exposed to the internet. There should be some other posts on the NUG
about this.
Cheers
Paul




Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hi,


A few commenters have suggested placing a 4D Web server behind a proxy server.

The problem as described can be very easily solved with very little change in complexity and without involving other technologies. One of the reasons we all use 4D is that it allows us to solve problems with less complexity. I suggest that developers should try to use just the 4D web server unless you have a good reason not to.  

Most of the time when I’ve encountered more complex web architectures involving 4D and other technologies, it didn’t solve much of anything and just made maintenance and development more difficult.

Can anyone come up with an anecdote of any actual exploited vulnerabilities of a well constructed 4D web site?



Tom DeMeo

Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hi

For the HTML markup files, I suggest using the extension .shtml rather than .html

For us any direct request for a .shtml file will trigger On Web Authentication and you can catch and reject the request.

Doing that allows you to keep things simpler in a single folder and you don't have to worry about serving stuff outside the web folder.  Personally I don't like the idea of having any code in play that can retrieve a file on disk from outside the default web folder.  Not a problem if coded correctly of course.

Hope that helps.

Best regards

Keith White
Synergist Express Ltd, UK.
4697775
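The advice in this thread (Lutz's decoy folder outside the web root, Kirk's interception in On Web Authentication, Dani's WEB_Public / WEB_Private split, and Keith's point that a .shtml request can be caught and rejected) can be modelled in a few lines. The following Python is an added example and is not 4D code, nor any poster's code: it stands in for the 4D web server's dispatch so the pattern can be exercised offline. The folder names come from Dani's post; `Dispatcher`, `ROUTES`, `process_tags` and the sample files are assumptions, and `process_tags` only handles `<!--#4DTEXT name-->` as a minimal stand-in for PROCESS 4D TAGS. The `_inside` check addresses Keith's concern about code that reads files outside the web folder: every path, public or private, is resolved and confined to its root before it is read.

```python
import html
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed routing table: URL path -> template in the private folder.
# In 4D this dispatch would live in On Web Connection; the URL itself is
# never mapped onto the private folder, only the route's template name is.
ROUTES: Dict[str, str] = {"/": "home.shtml"}

# Stand-in for PROCESS 4D TAGS: only <!--#4DTEXT name--> is handled here.
TAG = re.compile(r"<!--#4DTEXT\s+(\w+)\s*-->")

Response = Tuple[int, str]  # (HTTP status, body or reason)


def process_tags(template: str, variables: Dict[str, str]) -> str:
    """Substitute tag values, HTML-escaped so data cannot inject markup."""
    return TAG.sub(lambda m: html.escape(variables.get(m.group(1), "")), template)


class Dispatcher:
    def __init__(self, public_root: Path, private_root: Path) -> None:
        self.public_root = public_root.resolve()
        self.private_root = private_root.resolve()

    @staticmethod
    def _inside(root: Path, rel: str) -> Optional[Path]:
        """Map a relative path onto a file under root; None if it escapes root."""
        candidate = (root / rel.lstrip("/")).resolve()
        try:
            candidate.relative_to(root)
        except ValueError:
            return None  # "../" or a symlink that points outside the folder
        return candidate

    @staticmethod
    def authenticate(url_path: str) -> bool:
        """Stand-in for On Web Authentication: a direct hit on a template is refused."""
        return not url_path.lower().endswith(".shtml")

    def handle(self, url: str, variables: Optional[Dict[str, str]] = None) -> Response:
        url_path = url.split("?", 1)[0]
        if not self.authenticate(url_path):
            return (403, "direct access to templates is not allowed")
        # 1. Static asset under WEB_Public: served as-is (it never contains tags).
        static = self._inside(self.public_root, url_path)
        if static is not None and static.is_file():
            return (200, static.read_text())
        # 2. Anything else goes through the application (On Web Connection).
        template_name = ROUTES.get(url_path)
        if template_name is None:
            return (404, "not found")
        template = self._inside(self.private_root, template_name)
        if template is None or not template.is_file():
            return (500, "template missing")
        return (200, process_tags(template.read_text(), variables or {}))


def build_demo_site() -> Tuple[Path, Path]:
    """Create a throw-away WEB_Public / WEB_Private tree with constructed files."""
    base = Path(tempfile.mkdtemp(prefix="site_"))
    public, private = base / "WEB_Public", base / "WEB_Private"
    (public / "css").mkdir(parents=True)
    private.mkdir()
    (public / "css" / "site.css").write_text("body { margin: 0 }")
    (private / "home.shtml").write_text("<h1>Hello <!--#4DTEXT user--></h1>")
    (private / "secret.txt").write_text("never served")
    return public, private


if __name__ == "__main__":
    site = Dispatcher(*build_demo_site())
    for url in ("/css/site.css", "/", "/home.shtml",
                "/../WEB_Private/secret.txt", "/nope.html"):
        print(url, "->", site.handle(url, {"user": "demo"}))
```

Run as a script it prints one line per request: the stylesheet is served, `/` renders the template with the tag filled in, `/home.shtml` is refused, the traversal attempt and the unknown page both end in 404. The point of keeping the route table separate from the disk layout is that a client can only name a route, never a file in WEB_Private.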


Re: Web aficionados - Not allow user to access file directly

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hello Tom,

The advantage of the nginx proxy approach is speed and serving multiple
domains or sites. For example we have our main site running under the Joomla
CMS (no point reinventing the wheel). Nginx proxies requests between joomla
and 4D for our 4D Quote system and it is transparent to the user.  See
https://www.youdopet.com/  Having Nginx on the public IP address gives a lot
of flexibility when developing, as you can redirect easily to different
servers.

Paul




4D Web Application and SAML or OpenID Connect

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hi

Has anyone done work on implementing either SAML or OpenID Connect protocol in native 4D code for single sign-on in 4D Web Applications?   I know about 4D's work on single sign on using Active Directory and/or LDAP etc, but this question is specifically for SAML or OpenID Connect.

Services like https://www.onelogin.com/ support these protocols and we're being asked more about it.

PHP is one way I suppose, but we currently don't use PHP and I'd prefer a native 4D solution.

Many thanks.

Best regards

Keith White
Synergist Express Ltd, UK.
4697775

Re: 4D Web Application and SAML or OpenID Connect

4D Tech mailing list
Keith,

Hi. It looks like it would be a lot of work to do a native implementation of OIDC in 4D?

Why not instead look at providing support for services such as OneLogin, Auth0, AWS Cognito? Certainly the former 2 of those appear to offer REST APIs too. Cognito doesn't offer a REST API but there is a PHP library (I did an integration with that last year, non-4D solution), but for your purposes you can avoid PHP I think by integrating with the aws-cli and LEP?

Regards,
Narinder Chandi,
ToolBox Systems Ltd.
https://toolbox.systems
 
I am available for new consulting opportunities…
http://4d.1045681.n5.nabble.com/ANN-4D-Developer-Available-td5765443.html
--

-----Original Message-----
From: 4D_Tech <[hidden email]> on behalf of 4D Tech Mailing List <[hidden email]>
Reply-To: 4D Tech Mailing List <[hidden email]>
Date: Monday, 4 November 2019 at 18:01
To: 4D Tech Mailing List <[hidden email]>
Cc: Keith White <[hidden email]>
Subject: 4D Web Application and SAML or OpenID Connect


AW: 4D Web Application and SAML or OpenID Connect

4D Tech mailing list
Hi,

we do something in this area. We use an Apache webserver in front of the 4D web server as a reverse proxy or gateway. There is an Apache module called mod_auth_openidc (https://github.com/zmartzone/mod_auth_openidc) which is configured to use an external identity provider (IP). In our case this is a Keycloak server (https://www.keycloak.org/).
On the 4D side you have to check the additional headers delivered by the module only.
Further questions regarding the configuration of the module I'm not able to answer; this was done by external colleagues. There is comprehensive documentation on the mentioned websites.

Regards
Lutz Epperlein
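Lutz's setup leaves the backend with one job: read the identity headers the proxy adds. The part that is easy to get wrong is the trust boundary. Those headers are only meaningful when the request really came through the proxy; if the backend port is reachable from anywhere else, a client can send its own `OIDC_CLAIM_*` headers and be treated as a logged-in user, which is also why Kirk's advice to lock the 4D server down to the proxy's address and port matters. The following Python is an added example, not Lutz's configuration and not 4D code: it shows the backend-side check with the raw header block handed over as text, which is the form 4D's On Web Authentication receives. It assumes mod_auth_openidc's default of passing claims as `OIDC_CLAIM_<name>` request headers; the proxy address, the required claims and the sample request are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: the only host allowed to assert a user identity is the Apache
# reverse proxy running mod_auth_openidc. Pair this with a firewall rule so
# the backend port is unreachable from anywhere else.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

# mod_auth_openidc passes claims as OIDC_CLAIM_<name> headers by default.
CLAIM_PREFIX = "oidc_claim_"
REQUIRED_CLAIMS = ("sub", "email")  # constructed minimum for a valid session


@dataclass
class Identity:
    sub: str
    email: str
    claims: Dict[str, str] = field(default_factory=dict)


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw request header block into a dict keyed by lower-cased name."""
    lines: List[str] = raw.splitlines()
    if lines and " HTTP/" in lines[0]:
        lines = lines[1:]  # skip the request line ("GET /path HTTP/1.1")
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def identity_from_request(remote_ip: str, raw_headers: str) -> Optional[Identity]:
    """Return the proxied identity, or None when the request must be refused."""
    # 1. Claim headers are only trusted when the connection comes from the proxy.
    #    A client reaching the backend directly can send any OIDC_CLAIM_* it likes.
    addr = ipaddress.ip_address(remote_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None
    headers = parse_headers(raw_headers)
    claims = {k[len(CLAIM_PREFIX):]: v for k, v in headers.items()
              if k.startswith(CLAIM_PREFIX)}
    # 2. A request the proxy authenticated always carries the required claims;
    #    a missing or empty one means the proxy did not authenticate this user.
    if any(not claims.get(c) for c in REQUIRED_CLAIMS):
        return None
    return Identity(sub=claims["sub"], email=claims["email"], claims=claims)


# Constructed sample: what the backend sees for a request relayed by the proxy.
PROXIED_REQUEST = (
    "GET /orders HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "X-Forwarded-For: 203.0.113.9\r\n"
    "OIDC_CLAIM_sub: user-123\r\n"
    "OIDC_CLAIM_email: user@example.test\r\n"
    "OIDC_CLAIM_preferred_username: user\r\n"
)

if __name__ == "__main__":
    print("via proxy   :", identity_from_request("10.0.0.5", PROXIED_REQUEST))
    print("direct hit  :", identity_from_request("203.0.113.9", PROXIED_REQUEST))
```

The same headers produce an `Identity` when they arrive from the proxy and `None` when an outside address presents them, regardless of what they claim. Note that `X-Forwarded-For` is deliberately not consulted for the trust decision: it is set by the proxy for logging and is just another header an outside client could forge.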







Re: 4D Web Application and SAML or OpenID Connect

4D Tech mailing list
In reply to this post by 4D Tech mailing list


> On 5 Nov 2019, at 17:53, Narinder Chandi via 4D_Tech <[hidden email]> wrote:
>
> Has anyone done work on implementing either SAML or OpenID Connect protocol in native 4D code for single sign-on in 4D Web Applications?   I know about 4D's work on single sign on using Active Directory and/or LDAP etc, but this question is specifically for SAML or OpenID Connect.

Hi Keith,

Yes, I have experience with Open ID Connect. A customer of mine got the requirement to handle user authentication through an OpenID Connect provider. I think the customer was using Microsoft’s Azure Active Directory. So basically I had to replace the login screen of their desktop application with the login screen of the OpenID provider. If you are familiar with OAuth2, then it works quite the same. In a web area we show the provider’s login screen. Upon successful login, the 4D app receives a JSON Web Token (JWT), that contains the user’s information with a digital signature on it. This JWT then needed to be verified against X509 digital certificates in the JWKS format. That was a bit more of a technical challenge, but I developed this functionality for NTK Plugin.

I do not remember the exact details because it is almost 2 years since I developed this.
But let me know if you have any questions or need help.

Kind regards,

- Rob Laveaux

--------------------------------------------------------
Pluggers Software
Scholekstersingel 48
2496 MP  Den Haag
The Netherlands

Email: [hidden email]
Website: http://www.pluggers.nl

--------------------------------------------------------




Re: 4D Web Application and SAML or OpenID Connect

4D Tech mailing list
In reply to this post by 4D Tech mailing list
Hi

Thanks for all the responses.   As always, there is more than one way to do it.

Looks like OpenID Connect may be simpler.  We've already got some OAuth code in use for external application interfaces.

Best regards

Keith White
Synergist Express Ltd, UK.
4697775