User login in Web service


2007-01-03 12:38:12 PM
delphi211
Hi all,
I want to create a web service that accepts user logins against my users
table. I am using Delphi 7 and am a newbie to web services. Basically, every
web service method call should provide some kind of "userid", just like a
session in a web application, so that only permitted users can access that
method.
Does anyone have any idea?
Thanks
 
 

Re:User login in Web service

If I understand you correctly, only users that are logged in should be able
to perform web calls... If such is the case, this is what you could do. If
you used a TWebModule to build your webserver, this should be simple. First
you should visit dn.codegear.com/article/27513 to see how to build
your standalone web server.
Once you've done this, there is a THTTPSoapPascalInvoker component on
your module - go to its OnBeforeDispatchEvent with a blank implementation.
The module that you're on should have a global property called "Request" of
type TWebRequest. If you explore TWebRequest, you will notice that it has a
property called "RemoteAddr". At the point at which a web request comes
in, the OnBeforeDispatch event is called first, then the method is
dispatched to the Impl, then the OnAfterDispatch event is executed just
before the response is sent.
The key here is to gather the information about the request just before it
is dispatched to the Impl unit. Once that is done, using some sort of list
management technique, map the IP address of the web request to the user once
they log in. After that, every time a request is made, search the list for
the IP address (Request.RemoteAddr) that the web request is coming from,
then get the matching user. If no matching user is found, and the method
being called is one other than a Login, then obviously the user is not
logged in, and the request is invalid - thus the option of raising an
exception such as "Session not found". Else... go through. I do have some
code, but... I use a lot of objects, so copy and paste is out of the
question, but you can look at it and get an idea of the algorithm:
[code]
procedure TSecurityServerModule.HTTPSoapPascalInvoker1BeforeDispatchEvent2(
  const MethodName: String; const Request: TStream; Response: TStream;
  var BindingType: TWebServiceBindingType; var Handled: Boolean);
begin
  { set the current method call }
  CurrentMethodCall := SearchString(_SessionsNS, TStringStream(Request).DataString);
  { set the service being accessed }
  CurrentServiceAccess := SearchString(_ServiceCall, self.Request.PathInfo);
  if (CurrentMethodCall <> '') then
  begin
    SessionHandler.SetCurrentWebRequest(self.Response.HTTPRequest);
    SessionHandler.CurrentWebRequest.CurrentMethodCall := CurrentMethodCall;
    SessionHandler.CurrentWebRequest.ServiceAccess := CurrentServiceAccess;
    ServiceLogHandler.CurrentWebRequest.CurrentMethodCall := CurrentMethodCall;
    ServiceLogHandler.CurrentWebRequest.ServiceAccess := CurrentServiceAccess;
    ServiceLogHandler.SetCurrentWebRequest(self.Response.HTTPRequest);
  end;

  { re-connect to database; on failure the handler returns here,
    before any session check }
  if not DatabaseLayer.DBConnectionObject.ConnectToDB.Success then
    exit;

  { verify the session -
    if the system is configured not to use sessions then skip verification }
  if not WebServerConfig.UseSessions then
    exit;

  { if a session exists, then check to see if it is timed out }
  if SessionHandler.IsValidSessionIP(SessionHandler.CurrentWebRequest.RemoteAddr) then
  begin
    { ExclusiveRequest is true when the call is a login, logout, isalive or
      versionscompatible. Check whether the session timed out and the request
      is not an exclusive one. }
    if SessionHandler.IsSessionTimedOut(SessionHandler.CurrentWebRequest.RemoteAddr) and
       (SessionHandler.ExclusiveRequest = False) then
    begin
      { remove the user's session }
      SessionHandler.RemoveSessionByIp(SessionHandler.CurrentWebRequest.RemoteAddr);
      { raise session timed out exception }
      raise ESessionTimeOutException.Create(_SessionTimedOut);
    end;
  end
  else
  begin
    { if it is simply not an exclusive request, raise an exception to the
      client indicating that the session was not found }
    if (SessionHandler.ExclusiveRequest = False) then
    begin
      try
        raise ESessionNotFoundException.Create(_SessionNotFound);
      finally
        uBSNSApplicationCenter.FCriticalSection.Leave;
      end;
    end;
  end;
end;
[/code]
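
The same session lookup, keyed on a random token issued at login instead of on `Request.RemoteAddr`, so that two clients arriving from one NAT or proxy address do not resolve to the same session. This is an added example, not code from the thread: every identifier (`NewToken`, `Login`, `UserForToken`, `IdleLimit`) is hypothetical, and it assumes Windows (CryptoAPI from `advapi32.dll`), that `Login` is called only after the check against the users table has passed, and that the client sends the token back with every call.

```pascal
program TokenSessions; { added example; every identifier in it is hypothetical }
{$APPTYPE CONSOLE}
uses Windows, SysUtils, Classes;
const PROV_RSA_FULL = 1; CRYPT_VERIFYCONTEXT = DWORD($F0000000);
  IdleLimit = 15 / (24 * 60); { 15 minutes as a TDateTime fraction; assumed policy }
type TSession = class User: string; LastSeen: TDateTime; end;
function CryptAcquireContextA(var Prov: THandle; Container, Provider: PAnsiChar; ProvType, Flags: DWORD): BOOL; stdcall; external 'advapi32.dll';
function CryptGenRandom(Prov: THandle; Len: DWORD; Buf: Pointer): BOOL; stdcall; external 'advapi32.dll';
function CryptReleaseContext(Prov: THandle; Flags: DWORD): BOOL; stdcall; external 'advapi32.dll';
var Sessions: TStringList; { token -> TSession; guard with a critical section in a threaded server }

function NewToken: string; { 128 bits from the Windows CSPRNG, hex-encoded }
var Prov: THandle; Raw: array[0..15] of Byte; I: Integer;
begin
  Result := '';
  if not CryptAcquireContextA(Prov, nil, nil, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) then RaiseLastOSError;
  try
    if not CryptGenRandom(Prov, SizeOf(Raw), @Raw) then RaiseLastOSError;
  finally
    CryptReleaseContext(Prov, 0);
  end;
  for I := Low(Raw) to High(Raw) do Result := Result + IntToHex(Raw[I], 2);
end;

function Login(const User: string): string; { call only after the users-table check passed }
var S: TSession;
begin
  Result := NewToken;
  S := TSession.Create; S.User := User; S.LastSeen := Now;
  Sessions.AddObject(Result, S);
end;

function UserForToken(const Token: string): string; { '' = unknown or idle too long: reject }
var I: Integer; S: TSession;
begin
  Result := ''; I := Sessions.IndexOf(Token);
  if I < 0 then Exit;
  S := TSession(Sessions.Objects[I]);
  if Now - S.LastSeen > IdleLimit then
  begin S.Free; Sessions.Delete(I); Exit; end;
  S.LastSeen := Now; Result := S.User;
end;

var A, B: string;
begin
  Sessions := TStringList.Create;
  A := Login('alice'); B := Login('bob'); { constructed users; both could share one NAT address }
  Writeln(UserForToken(A), ' ', UserForToken(B), ' [', UserForToken('bogus'), ']');
end.
```

In a before-dispatch handler, an empty result from `UserForToken` for any method other than the login call is the point at which the "session not found" exception would be raised.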

Re:User login in Web service

Wow, thanks a lot, I will try this out

Re:User login in Web service

No prob. Contact me again if you have any more questions.