On Web Authentication Database Method


version 2004 (Modified)


The On Web Authentication Database Method is in charge of managing Web server engine access. It is called by 4th Dimension, 4D Server or 4D Client when a Web browser request requires the execution of a 4D method on the server (method called using a 4DACTION or 4DCGI URL, a 4DSCRIPT tag, etc.).

This method receives six Text parameters: $1, $2, $3, $4, $5, and $6, and returns one Boolean parameter, $0. The description of these parameters is as follows:

Parameters   Type      Description
$1           Text      URL
$2           Text      HTTP header + HTTP body (up to 32 kb limit)
$3           Text      IP address of the Web client (browser)
$4           Text      IP address of the server
$5           Text      User name
$6           Text      Password

$0           Boolean   True = request accepted, False = request rejected

You must declare these parameters as follows:

      ` On Web Authentication Database Method

   C_TEXT($1;$2;$3;$4;$5;$6)
   C_BOOLEAN($0)

      ` Code for the method

Note: Not all of the On Web Authentication database method's parameters are necessarily filled in. The information received by the database method depends on the options that you have previously selected in the Preferences dialog box (please refer to the section Connection Security).

URL

The first parameter ($1) is the URL entered by the user in the location area of his or her Web browser, from which the host address has been removed.

Let's take the example of an Intranet connection. Suppose that the IP address of your 4D Web Server machine is 123.4.567.89. The following table shows the values of $1 depending on the URL entered in the Web browser:

URL entered in Web browser Location area   Value of parameter $1
123.4.567.89                               /
http://123.4.567.89                        /
123.4.567.89/Customers                     /Customers
http://123.4.567.89/Customers              /Customers
http://123.4.567.89/Customers/Add          /Customers/Add
123.4.567.89/Do_This/If_OK/Do_That         /Do_This/If_OK/Do_That

Header and Body of the HTTP request

The second parameter ($2) is the header and the body of the HTTP request sent by the Web browser. Note that this information is passed to your On Web Authentication database method as it is. Its contents will vary depending on the nature of the Web browser which is attempting the connection.

If your application deals with this information, it is up to you to parse the header and the body.

Note: For more information about this parameter, please refer to the description of the On Web Connection Database Method.

Web client IP address

The $3 parameter receives the IP address of the browser's machine. This information can allow you to distinguish between Intranet and Internet connections.

Server IP address

The $4 parameter receives the IP address used to call the Web server. 4D since version 6.5 allows for multi-homing, which allows you to exploit machines with more than one IP address. For more information, please refer to the section Web Server Settings.

User Name and Password

The $5 and $6 parameters receive the user name and password entered by the user in the standard identification dialog box displayed by the browser. This dialog box appears for each connection, if the Use Passwords option has been selected in the Preferences dialog box (see section Connection Security).

Note: If the user name sent by the browser exists in 4D, the $6 parameter (the user's password) is not returned for security reasons.

$0 parameter

The On Web Authentication Database Method returns a boolean in $0:

If $0 is True, the connection is accepted.

If $0 is False, the connection is refused.

The On Web Connection Database Method is only executed if the connection has been accepted by On Web Authentication.

WARNING: If no value is assigned to $0 or if $0 is not defined in the On Web Authentication Database Method, the connection is considered as accepted and the On Web Connection Database Method is executed.

Notes

Do not call any interface elements in the On Web Authentication Database Method (ALERT, DIALOG, etc.), otherwise it will be interrupted and the connection will be refused. The same is true if an error occurs while the database method is being executed.

It is possible to forbid execution by 4DACTION or 4DMETHOD for each project method using the "Available through 4DACTION, 4DMETHOD and 4DSCRIPT" option in the Method properties dialog. For more information about this point, refer to the Connection Security section.

On Web Authentication Database Method calls

The On Web Authentication Database Method is automatically called, regardless of the mode, when a request or processing requires the execution of a 4D method. It is also called when the Web server receives an invalid static URL (for example, if the static page requested does not exist).

The On Web Authentication Database Method is therefore called in the following cases:

when 4D receives a URL beginning with 4DACTION/

when 4D receives a URL beginning with 4DMETHOD/

when 4D receives a URL beginning with 4DCGI/

when 4D receives a URL requesting a static page that does not exist

when 4D processes a 4DSCRIPT tag in a semi-dynamic page

when 4D processes a 4DLOOP tag based on a method in a semi-dynamic page.

Note that the On Web Authentication Database Method is NOT called when the server receives a URL requesting a valid static page.
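
One way to apply a default-deny policy to the cases listed above, as an added example that is not part of the 4D documentation: a project method, hypothetically named WebURLAllowed, that accepts only 4DACTION/ and 4DMETHOD/ URLs whose target method is on an explicit list. The method names WEB_Login and WEB_ShowCatalog are placeholders, and the example assumes that the method name in $1 ends at the next slash.

```4d
      `WebURLAllowed project method (hypothetical name, added example)
      `WebURLAllowed ( URL ) -> Boolean
      `Returns True only if the URL targets a method on the allow-list
   C_TEXT($1;$url;$method)
   C_BOOLEAN($0)
   C_LONGINT($skip;$end)
   ARRAY TEXT($allowed;2)
      `Placeholder names: list only the methods you intend to expose
   $allowed{1}:="WEB_Login"
   $allowed{2}:="WEB_ShowCatalog"

      `Default deny: any path that is not explicitly accepted stays refused
   $0:=False
   $url:=$1
      `Drop the leading slash that $1 carries
   If (Substring($url;1;1)="/")
      $url:=Substring($url;2)
   End if

   $skip:=0
   Case of
      : (Position("@";$url)>0)
            `Wildcard character in the URL: refuse, like the page's own example
      : (Substring($url;1;9)="4DACTION/")
         $skip:=9
      : (Substring($url;1;9)="4DMETHOD/")
         $skip:=9
   End case
      `4DCGI/ URLs and missing static pages leave $skip at 0 and are refused

   If ($skip>0)
      $method:=Substring($url;$skip+1)
         `Assumption: the method name ends at the next slash, if there is one
      $end:=Position("/";$method)
      If ($end>0)
         $method:=Substring($method;1;$end-1)
      End if
      If (Length($method)>0)
            `String comparison in 4D ignores case, so "web_login" also matches
         $0:=(Find in array($allowed;$method)>0)
      End if
   End if
```

Call it from the On Web Authentication Database Method alongside the credential checks, setting $0 to False whenever WebURLAllowed($1) returns False.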

Example

Here is a typical example of the On Web Authentication Database Method that filters connections using a Users and a Password table:

      `On Web Authentication Database Method
   C_TEXT($5;$6;$3;$4)
   C_TEXT($user;$password;$BrowserIP;$ServerIP)
   C_BOOLEAN($4Duser)
   ARRAY TEXT($users;0)
   ARRAY LONGINT($nums;0)
   C_LONGINT($upos)
   C_BOOLEAN($0)

   $0:=False 

   $user:=$5
   $password:=$6
   $BrowserIP:=$3
   $ServerIP:=$4

      `For security reasons, refuse names that contain @
   If (WithWildcard($user) | WithWildcard($password))
      $0:=False
         `The WithWildcard method is described below
   Else
         `Check to see if it's a 4D user
      GET USER LIST($users;$nums) 
      $upos:=Find in array($users;$user)
      If ($upos > 0)
         $4Duser:=Not(Is user deleted($nums{$upos}))
      Else
         $4Duser:=False
      End if
   
      If (Not($4Duser))
            `It is not a user defined in 4D, look in the table of Web users
         QUERY([WebUsers];[WebUsers]User=$user;*)
         QUERY([WebUsers]; & [WebUsers]Password=$password)
         $0:=(Records in selection([WebUsers]) = 1)
      Else
         $0:=True
      End if
   End if
      `Is this an intranet connection?
      `"192.100." is 8 characters long, so compare the first 8 characters
   If (Substring($BrowserIP;1;8) # "192.100.")
      $0:=False
   End if

The WithWildcard method is as follows:

      `WithWildcard Method
      `WithWildcard ( String ) -> Boolean
      `WithWildcard ( Name ) -> Contains a Wildcard character

   C_INTEGER($i)
   C_BOOLEAN($0)
   C_TEXT($1)

   $0:=False
   For($i;1;Length($1))
      If (Ascii(Substring($1;$i;1)) = Ascii("@"))
         $0:=True
      End if
   End for

See Also

Connection Security, Database Methods, On Web Connection Database Method, URLs and Form Actions.

