Please be aware that the content in SAP SQL Anywhere Forum will be migrated to the SAP Community in June and this forum will be retired.

Is there a way to validate users already in Sybase db through a web interface?

0

I have to build a web interface using Sybase 11 backend. The database already has users and passwords that are generated by another application using GRANT CONNECT or ADD_USER statements. Is there a way to validate users against this database without having to create a full membership provider?

asked 23 Nov '10, 14:42

Dan's gravatar image

Dan
41336
accept rate: 0%

2 Answers:
active answersoldest answersnewest answerspopular answers
2

I'm not familiar with ASP.Net MembershipProvider, but an alternative would be to create an SA web service with AUTHORIZATION ON and then attempt do a web service call to the SA web service providing the user ID/PWD to verify that the credentials were correct.

E.g.

CREATE WEB SERVICE Validate_User
  TYPE 'raw' 
  AUTHORIZATION ON
  USER "public"
  AS select 'OK' from Dummy;

Then start the SQL Anywhere server using "-xs http" switch

Then send a request to http://username:password@yourhost.com/Validate_User (or equivalent using Ado.Net). If the credentials are correct, you will get an "OK" response back. If not, you will get an error back.

Of course, you should use HTTPS so that the credentials are transferred securely and therefore you should add "SECURE ON" to the web service definition. (Exercise left to the reader - see "-xs https" server switch in the docs :-).

permanent link

answered 23 Nov '10, 21:00

Mark%20Culp's gravatar image

Mark Culp
24.9k10141297
accept rate: 41%

1

If you talk about ASP.NET MembershipProvider it is not so much effort to do this. You have to implement only the ValidateUser function to get it working. Only in the case that you want to allow the user to do self-administration than you will have to implement the rest too.

In 

public override bool ValidateUser(string Username, string Password)

you get the user and password in clear text and can use this e.g. in an 

OdbcConnection con=new OdbcConnection(string.Format("dsn=...;uid={0};pwd={1}",Username,Password));

If you can afterwards open the connection without an exception you know that the credentials have been the right ones.

permanent link

answered 23 Nov '10, 16:02

Martin's gravatar image

Martin
9.0k130169257
accept rate: 14%

edited 24 Nov '10, 07:56

The problem with this is the encryption of the passwords. Aren't Sybase's passwords stored as one-way hashes?

(23 Nov '10, 21:25) Dan

Yes, but if you use the credentials to open the connection to the sybase db you will see if the connection is successful or not. If the password is wrong you will get an according exception. See edit above.

(24 Nov '10, 07:54) Martin

@Dan: From a security point of view, I think the approach as given by Martin and Mark is the correct one: Just try to find out whether the given credentials work - that's far better (and less error-prone and compatible) than somehow "lookup" the correct credentials and compare them with the given ones...

(24 Nov '10, 08:20) Volker Barth
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×143
×2

question asked: 23 Nov '10, 14:42

question was seen: 2,087 times

last updated: 24 Nov '10, 07:56

Related questions

NullReferenceException when using .net Membership and Role Providers with multiple users

Create connection in Visual-Studio-2013 with .NET-Framework-4 to Sql-Anywhere-11

Allow SADIAGDIR to be set by DB server start-up parameters

Different install options with different Win OS

SQL Anywhere and Entity Framework

Can you stop a DEFAULT TIMESTAMP field from updating on an update statement?

Sql COUNT Performance Question

Upgrading from 11-1-2472 to 12 or 16 - any advice?

2 Servers + 1 Database in an NAS

Intent locks not blocking each other?