by John Munro >> Mon, 18 Dec 2006 21:40:37 GMT
Out of interest, did you manage to get your security dll working in the end?
If you did, do you have any hints or tips you've got to share with the rest of us on doing so?
We use a security dll. I had a hard time creating it so I thought it might be helpful to someone to outline our solution.
For the jadeDevelopmentUserInfo call, our dll checks the username and password against the domain using the LogonUser Windows API call. This means we don't need to maintain a separate username/password db and ensure it's secure.
The downside is that any domain user will be allowed access to any part of the development environment, so I added an additional check by implementing the jadeDevelopmentFunctionSelected call. This checks the username against an xml file which is structured to allow everything from switching all access off to switching off a specific feature for a specific entity.
By default nobody has any access, so only users specifically given access will be able to do anything. For example this would give me full access:
<john all='true' />
This would only give me access to add applications, but into any schema:
<john>
  <addApplication all='true' />
</john>
and this would only give me access to add applications in the TestSchema schema:
<john>
  <addApplication>
    <TestSchema />
  </addApplication>
</john>
The xml file obviously needs to be properly secured to keep people from increasing their own permissions.
The xml file is read every time jadeDevelopmentFunctionSelected is called so permission changes can be made on the fly. I thought parsing the xml so often would slow it down but it is unnoticeable.
I'm not a big C++ guy so I used .net in the dll for all of the xml stuff, which saved me a lot of time.
I added logging to the jade* calls for debug purposes, but then left it in because it has the interesting side effect of logging everything that every developer does, which makes a good resource when you're trying to manage people remotely.
As we have developers in different countries, we use the free Hamachi encrypted VPN (http://www.hamachi.cc) to give access to those remote users. This means that our dev server is not exposed on the Internet at all and all traffic to it is encrypted.
John Munro
400 Perimiter Center Terrace
Suite 110
Atlanta, GA 30346
P 770-551-1416
F 770-551-1414
jmunro@filevision.net
www.filevision.net
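
The default-deny lookup described in the post, as an added Python example (not part of the original post and not the author's DLL code, which used .NET). The `<permissions>` root element, the `is_allowed` function, the case-insensitive username match, the users other than john and the `deleteSchema` function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy. The <permissions> root is an assumption; the post
# shows only the per-user elements. alice and bob are constructed users.
SAMPLE_POLICY = """
<permissions>
  <john all='true' />
  <alice>
    <addApplication all='true' />
  </alice>
  <bob>
    <addApplication>
      <TestSchema />
    </addApplication>
  </bob>
</permissions>
"""

def _grants_all(elem):
    # Only the literal value 'true' widens access; anything else grants nothing.
    return elem.get("all", "").strip().lower() == "true"

def _user_elements(root, user):
    # Windows account names are case-insensitive but XML element names are not,
    # so usernames are compared casefolded (an assumption, not from the post).
    wanted = user.casefold()
    return [child for child in root if child.tag.casefold() == wanted]

def is_allowed(policy_xml, user, function, entity=None):
    """Return True only if the policy explicitly grants the request."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return False  # fail closed: a damaged policy file grants nothing
    for user_elem in _user_elements(root, user):
        if _grants_all(user_elem):
            return True  # <john all='true' />
        for func_elem in user_elem.findall(function):
            if _grants_all(func_elem):
                return True  # <addApplication all='true' />
            if entity is not None and func_elem.find(entity) is not None:
                return True  # <addApplication><TestSchema /></addApplication>
    return False  # default deny: unknown user, function or entity

if __name__ == "__main__":
    for request in [("john", "deleteSchema", None), ("bob", "addApplication", "TestSchema"),
                    ("bob", "addApplication", "OtherSchema"), ("mallory", "addApplication", None)]:
        print(request, is_allowed(SAMPLE_POLICY, *request))
```

Because the file is re-read on every call, returning False on a parse error means a half-written or corrupted policy locks everyone out rather than letting everyone in.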