How to use Security Provider with a Server Connect Action from another site

#1

Hi,

I'll try to explain my problem.

I have a local Windows Server with local MS SQL Server and IIS.

I have a hosted Apache Webserver with MySQL. The company’s website is on the hosted Apache Webserver.

Our Intranet is on the local IIS.

Now my problem:

I would like to access a local Server Connect Action from my hosted Apache website. I know how to do this with Wappler and it works perfectly.

The only problem I have is that I would like to secure the local Action file from Server Connect. How do I do this? My Security Provider Action file is on the Apache website.

Any idea?

#2

Hi,
I don't know if it can be applied to your case.
I had two different websites, both done in Wappler, each one with its own Security Provider.

One day I had the need that people authenticated in the first website could access a folder in the second one
(to upload files into a folder visible by the 2 websites).

Then I re-created the same Security Provider in the second website as in the first. When people logged in to the first website they had a link to go to the second website, but they did not see the difference because it is like they are already logged in.

The second website then has 2 security providers: one for people who log in normally to use only website 2, and one identical to the one of website 1.

Hope it helps (and hope it can be related to your problem)

#3

I believe the security provider is based on server sessions, therefore the permissions are server specific. You will have to add some additional mechanism to enable this.

#4

I think the problem is that the websites are not on the same server.
@updates
I will try to setup the same Security Provider on the local intranet site.
@Hyperbytes
Do you have another idea what I could do?

#5

I guess something like having a parallel login on the other server and sending the login credentials to the second server so that you log in to both simultaneously.

This could be done by POSTing the login data to the other server as part of the login action on the first server, then processing the posted data on server 2 to auto-login via those details.

#6

No need to send login to the second server if you replicate same security provider.

#7

Hmmm, interesting

I always thought the Security Provider worked by sending login parameters to a script on the server on which it is running, and on doing so setting session cookies on that server.
Authorisation was then validated by reference to those session cookies.

For example the current user is stored in $_SESSION['siteSecurityId'] (where 'SiteSecurity' is the provider name).
I am now intrigued how the other server knows those sessions are set on the first server, or maybe I am wrong on how the security model works.

Comments welcome from all please

#8

I did it on different Wappler websites but on the same server (with different sub domains). I will try on two different servers and see what happens.

#9

Thank you for your suggestions. I think my problem is that I am on two totally different servers. Server 1 is on IIS/MSSQL with ASP.NET and Server 2 on Apache with PHP/MySQL. I can't copy the action file.

#10

That explains things: if the SESSIONS were in the same namespace then it would work, if different then it wouldn't.
@MH2ag Marcel, I don't think the different platforms are the issue; just being two different servers (rather than 2 websites on 1 server) is enough, as sessions are server specific.

What you would need to do is send login credentials as part of the cross server request and add a login stage to the server action to re-authenticate on the second server.
It may be possible to add this to the IIS server's login stage, i.e. to add an additional stage to send the login credentials to the Apache server also, and that would keep the authorisations in sync. I confess I have never tried, but I can't see why it couldn't work on the face of it.

#11

Brian, I think I’m a little confused how to send the login credentials to the IIS. To do this I would need a second form submit with a Server Connect Form, is that correct?

That’s what I have now, but it doesn’t work:

<form id="Anmeldung" method="post" is="dmx-serverconnect-form" action="../../dmxConnect/api/Sicherheit/Anmeldung.php" site="undefined" dmx-on:success="IIS.Benutzername.setValue(inputBenutzername.value);IIS.Passwort.setValue(inputPasswort.value);browser1.goto('kundenportal')">
  <div class="form-group has-feedback row">
    <label for="inputBenutzername" class="col-md-3 text-md-right col-form-label col-form-label">Benutzername</label>
    <div class="col-md-8">
      <input type="text" class="form-control" id="inputBenutzername" placeholder="Benutzername eingeben" required="" data-msg-required="Dies ist ein Pflichtfeld." name="Benutzername">
      <i class="fa fa-user form-control-feedback pr-4"></i>
    </div>
  </div>
  <div class="form-group has-feedback row">
    <label for="inputPasswort" class="col-md-3 text-md-right col-form-label col-form-label">Passwort</label>
    <div class="col-md-8">
      <input type="password" class="form-control" id="inputPasswort" placeholder="Passwort eingeben" required="" data-msg-required="Dies ist ein Pflichtfeld." name="Passwort">
      <i class="fa fa-lock form-control-feedback pr-4"></i>
    </div>
  </div>
  <div class="form-group row">
    <div class="ml-md-auto col-md-9">
      <div class="form-check form-check">
        <input class="form-check-input" type="checkbox" name="RememberMe" id="inputRememberMe">
        <label class="form-check-label">Benutzerdaten merken</label>
      </div>
      <button type="submit" class="btn btn-group btn-animated btn-default">anmelden <i class="fa fa-user"></i></button>
      <ul class="space-top">
        <li><a href="#">Passwort vergessen?</a></li>
      </ul>
    </div>
  </div>
</form>
</div>
<p class="text-center space-top">Haben Sie sich bereits über die Erstanmeldung registriert? <a href="page-signup.html">Registrieren</a> Sie sich jetzt.</p>
</div>
<!-- main end -->
<form is="dmx-serverconnect-form" id="AnmeldungIIS" method="post" action="https://intranet.domain.de/dmxConnect/api/Sicherheit/AnmeldungIIS.aspx" site="Intranet">
  <input id="Benutzername" name="Benutzername" type="hidden" class="form-control">
  <input id="Passwort" name="Passwort" type="hidden" class="form-control">
</form>
#12

Having thought about it in detail, I am not 100% sure that you can do a "dual login", as the authorisation credentials will still not be shared.
The problem is that the security provider is server session based, so the security credentials are not passed over with the query; they are looked for in the current server's session.

I think you would have to store the login credentials as session variables on your Apache server then pass the credentials every time the IIS server connection was called (as POST or GET parameters) and re-authorise each time by doing a server connect login action before your data query.
It’s all a bit messy but at present I don’t see how else it could be done.

The only other option (which would be easier) would be to not use site security but to pass a secret access token with the query, check for it in the server connect action, and stop the action and generate an error if it is absent or incorrect (via Core Actions => Response) as a security method.

Normally I would do this sort of thing via AJAX, not easy in wappler

#13

Brian, I think that your solution with the access token is a great idea and should be secure enough.

Could you explain how that could be done in wappler?

#15

Hi Marcel

Had a bit of a play with this and the biggest problem seems to be that when calling a server action from another server the result doesn’t seem to be returned to the calling routine

I can call a server action directly in a browser by typing its full path, i.e.
https://mydomain.com/dmxConnect/api/myaction.php
and the full JSON is returned.
However, when I tried the same call inside App Connect I am not getting anything returned.
Perhaps Server Connect prevents cross domain access? That's something the developers will have to answer.

The access token part is fairly straightforward if you can get this cross domain call working.

Firstly, on the Apache server create a server action, which I shall call get_token.
This action will generate a random string; anything will do, I will use "timestamp" from the server data picker.
In Server Connect => Core Actions, select Set Value and I will call it token.
Set its contents to {{timestamp}}.
Check output!

Secondly, we need an encryption salt which will be used on both servers,
say Set Value salt = 'mysecretsalt'
Do not check output!
Lastly, compute an encrypted string from those parameters, say called check. I shall use sha256,
so
set check = token.sha256('salt')
Check output!

You can secure the whole action with a security provider if you want, probably best to do that

So in your calling app page create a server connection to this action

This action will return the two values token and check


so when calling the action from the other server, send these parameters with your query

So for example
select myfield from mytable where id=$_GET.id
we would send the id parameter AND the additional token and check values

Lastly at the IIS end your server action would recompute the token via the same salt and compare with the check value.
If they match the source is valid

So use core actions=>Conditions

And compare $_GET.token.sha256('mysecretsalt') === $_GET.check and generate an error if they do not match via Core Actions => Response

Should work with POST or GET

#17

Hi Brian,

I tried to reproduce your example, but didn’t have success. It is probably because of what I did in IIS:

That's how my Server Action in IIS looks:


Is this the way the Server Action should look? I tried == and === in the condition but there was no difference.

#18

Yes, that's what I suggested. When you say you didn't have success, with which aspect?

You should be able to test that server action by calling it locally on your IIS server from App Connect.

Is the page on your Apache server calling the IIS server connect action correctly?

Any error messages etc would be a big help

As to == vs ===, as both are 64 char long results I guess it won't make any difference. That was just habit.

#19

I think that the Apache configuration should be fine.

I’ll send you the link to both servers via PM.

#20

In addition to Brian’s solution you need to know that IIS is producing upper case characters in the hash and you have to add .lowercase() to the condition:

{{$_GET.token.sha256('mysecretsalt').lowercase() == $_GET.check}}

I had to delete one = because it did not work with 3 =

EDIT: I’m not sure if I was clear. The solution from @Hyperbytes (Post 15) with my changes (this Post) worked perfectly!
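As an added illustration (not code from the thread or from Wappler), the token/check scheme from post 15 together with the case normalisation from post 20, written in Python: the issuing side derives check from token and the shared salt, the verifying side recomputes it, lowercases the received hex before a constant-time comparison, and additionally rejects tokens older than a few minutes, which the thread does not do. Assumed: the timestamp token is a Unix epoch integer, and sha256 with a salt is modelled as SHA-256 over token followed by salt (Wappler's actual formatter concatenation is not stated on the page).

```python
import hashlib
import hmac
import time
from typing import Optional

# Shared secret used on both servers; the thread's example value.
SALT = "mysecretsalt"
# Freshness window in seconds; a hardening step not in the thread.
MAX_AGE = 300


def make_check(token: str, salt: str = SALT) -> str:
    """Derive the check value from token and salt.

    Assumption: the thread's token.sha256(salt) formatter is modelled as
    SHA-256 over token followed by salt; Wappler's real concatenation order
    is not stated on the page, both sides only need to agree on it.
    """
    return hashlib.sha256((token + salt).encode("utf-8")).hexdigest()


def issue_token(now: Optional[int] = None) -> dict:
    """Apache side (the get_token action): return token and check.

    Assumption: the timestamp token is a Unix epoch integer as a string.
    """
    token = str(int(time.time()) if now is None else now)
    return {"token": token, "check": make_check(token)}


def verify(params: dict, salt: str = SALT, now: Optional[int] = None) -> bool:
    """IIS side: recompute check from the received token and compare.

    The received hex is lowercased first because IIS emits upper-case hex
    (post 20), and the comparison is constant-time rather than == / ===.
    """
    token = params.get("token")
    check = params.get("check")
    if not token or not check:
        return False  # missing parameters: stop the action
    expected = make_check(token, salt).encode("utf-8")
    if not hmac.compare_digest(expected, check.lower().encode("utf-8")):
        return False  # wrong salt or tampered values
    # Freshness check: the token is a timestamp, so reject stale or future ones.
    try:
        issued = int(token)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    return 0 <= current - issued <= MAX_AGE
```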