I have a DataSnap server (Delphi) which currently has one server class, with HTTP Basic Authentication implemented via the TDSAuthenticationManager.OnUserAuthenticate event. What I want to do next is add a second server class, but the methods in this one will not require any authentication. I can't see how I can link the new server class to a different authentication manager, without running it on a separate TDSServer component. So my question is how can I write code in the TDSAuthenticationManager.OnUserAuthenticate event to check which server class is being invoked? Is there maybe a data item in TDSSession that I can examine? Or is there a better way?
Related
I've read through all the docs for Nuxt.js environment variables and the Axios module but I'm still quite confused on how to properly set them up for my use case.
I want to query 2 separate APIs:
my own backend with user authentication (e.g. JWT) built with Nuxt serverMiddleware
a public API that requires an account and provides an API key (e.g. TMDB)
My own backend serves as an "extension" of the public API so that I can store additional data for my users.
Now my question is how do I set up my environment variables so that I can safely send dynamic requests to the public API without exposing its private API key? Do I need to use my own backend as a "proxy" and forward client side requests to the public API from there? Or can I directly send requests inside asyncData and fetch when running in SSR mode?
I think I need a general explanation on how Nuxt publicRuntimeConfig and privateRuntimeConfig, and Axios baseURL and browserBaseURL all work together. The docs didn't explain them clearly enough for me.
This question is mixing a lot of stuff at the same time but in no specific order:
you need to run your private call on the server and use privateRuntimeConfig which is available only on the server
fetch() and asyncData() will run both on server and client side (can be forced to be run only on client side with fetchOnServer: false), and it's not a good idea to have those on client since everything there can be publicly seen
if you want to have several instances of axios, a quick search can be helpful to setup this
if you want to use axios in serverMiddleware you'll need to install and import a regular axios since it will be out of the scope of Nuxt
for the most part, if an API is supposed to be used from a front-end you can sometimes use the public API key provided (can be stored in publicRuntimeConfig), if it should remain secret, you'll need a backend to hide it in-between
baseURL is pretty much the default value, browserBaseURL as explained in the docs is mainly an override specific to client-side requests, use it if you need to have something different and that overrides the baseURL one
there are several questions that can be found about how to hide some calls when using an SPA (common question), the incoming edge-side rendering of Nuxt3 may maybe help on this one
one thing to bear in mind is that only the first initial reach to the server will run a server query, everything else will be a hydrated-SPA app meaning that you will not reach back the server after the hydration step (like a MPA Wordpress server would do)
You should send requests only to your private server and it should:
Perform the logic and send the result if it's your custom endpoint
Add API KEY to query and forward the query to the public API if it's public API endpoint.
I developed chat application for mobile platform which uses eJabberd xmpp chat server configured in my public Ubuntu machine.
To make the server connection i used https://mydomainname.com:5280/http-bind so how to protect this to access only by my client application not others.
Now my serverĀ is accessible by any client like pidgin, adium etc How to block this.
You can modify ejabberd to have a custom authentication that integrate a variation from the specification and implement that in your client. That way, unmodified standard client will not be able to read it.
However, as your client is Javascript and code is visible, it will still be possible to patch existing client to implement your variation, but there is not way around this. The approach of "shared secret" means that if the secret is found, other clients could find a way to connect. The secret is even less difficult to find when your code is public (even if obfuscated).
We have come across similar problem, need your help to resolve this.
Can you please either let us know your contact number so that we can reach out to you or if you can provide your script if possible so that we can refer to
Here is the problem we are stuck with:
I am trying to test a Rest service through HTTP sampler using Jmeter. Not sure how to capture token from the sampler generates a token and to use this token for authorization in the header manager of another HTTP.
Loadrunner is not displaying the web address when trying to enter in the truclient browser. Below is the problem as this web address automatically redirect to another web address which is the authentication server.
Can you please suggest another solution for the below issue?
Here is the exact scenario we are trying to achieve
we want to loadtest the portal however due to redirect and different authentication method being used we are unable to do it using truclient protocol in loadrunner. Also tried Multiple protocol selecting LDAP, SMTP, HTTP/HTML etc but no luck.**
Thank You,
Sonny
JMETER is going to architecturally be the HTTP protocol layer equivalent with LoadRunner, with the exception of the number of threads per browser emulation.
In contrast to the code request, I want to architecturally visualize the problem. You mention redirect, is this an HTTP 301/302 redirect or one which is handled with information passed back to the client, processed on the client and then redirected to another host? You mention dynamic authentication via header token, have you examined the web_add_header() and web_add_auto_header() in Laodrunner web virtual users for passing of extra header messages, including ones which have been correlated from previous requests, such as the token being passed back as you note?
This authentication mechanism is based upon? LDAP? Kerberos? Windows Integrated Authentication? Simple Authentication based upon username/password in header? Can you be architecturally more specific and when this comes into play, such as from the first request to gain access to the test environment through the firewall or from a nth request to gain access within a business process?
You mention RESTFul services. These can be transport independent, such as being passed over SMTP using a mailbox to broker the passing of data between client and server, or over HTTP similar to SOAP messages. Do you have architectural clarity on this? Could it be that you need to provide mailbox authentication across SMTP and POP3 to send and receive?
I currently have:
a REST API (Jersey) that runs as a seperate application
a GUI application (JSF) that is a client of the REST API
I'm wondering what the best way is to talk to the REST API from the GUI application. The REST API is stateless, but the GUI application is stateful and has to pass authentication info (basic auth) with every rest request. Because we have to support hundreds of simultaneous users, we want to configure our Jersey client for connection pooling.
We can handle connection pooling by configuring the Jersey client with Apache's HTTP client. Authentication can be handled by using the HTTPBasicAuthFilter, which will automatically send the same credentials with every request.
However, I'm not sure if it is best to configure 1 client for the entire GUI application, or to create a new client per session.
With 1 client for the application, connection pooling makes sense, but then I have to find a way to set the correct authentication info on every request. The HTTPBasicAuthFilter assumes that the credentials never change, which is not the case our app.
If I create a client with a new HTTPBasicAuthFilter per session, then authentication is trivial, but I don't get any benefit from connection pooling, since every client will have its own pool.
I doubt I'm the first one to run into this, so I am curious how other people have solved this.
Kind regards,
Glenn
You can attach client filters at the WebResource level. So you can have a single shared client and per-session WebResource objects that you attach the HTTPBasicAuthFilter to.
We've a custom rigging of Sugar (using GWT for various front end stuff), and we use the SOAP API for much of our querying (vs. directly to the DB).
One of the API calls to check credentials is get_available_modules, which returns all available modules for a given user. How could a user have access to a module in the web interface, but not via a SOAP call (same session id?).
Not entirely sure on your question. Do you want a user to hve access to one set of modules from web and another set via soap? Or is there a difference on you setup?
First off, there should not be a difference between a user's available modules on web and soap calls.
If you want a different set for each access method, you need to change e.g. "get_available_modules" in the soap web service. One crude approch could be to make an override array in config_override.php abd check against that array in the soap function.