0
votes

I'm trying to improve security on our delphi datasnap server by adding PC1 and RSA filters on the TDSTCPServerTransport.Filters

It's not a problem to add the filters nor to connect a client afterwards, in fact I don't think anything is encrypted or more "safe", but I have to admit I don't fully understand how it's supposed to work.

Basically I want an encrypted communication between the client and the server, and I want to protect the server from exposing it's methods to any client who can read and list the server methods, except from those clients who knows the key to the encryption.

In my base example I'm able to connect the client regardless of filters added to the client. I found some documents, there are not exactly a lot of useful information on this topic, and if I understand them correctly the client will get the filters from the server and will be able to connect regardless of the PC1 key on the client matches the server.

I thought the keys had to match - working like kind of a pre shared key.

Can someone explain how it is supposed to work and what it will protect (and what not) if it's correctly set up? Is it possible to protect the exposed methods from being abused, it this to be done by combining PC1/RSA and roles, and can this be considered relative safe?

I did find the PC1DynamicKey but that only demonstrate dynamic keys.

I'm using XE8.

2

2 Answers

0
votes

You could use a Apache HTTP as reverse proxy and client certificates. The documentation covers this with configuration examples:

  • How can I force clients to authenticate using certificates?
  • How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server?
  • How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?
  • How can I require HTTPS with strong ciphers, and either basic authentication or client certificates, for access to part of the Intranet website, for clients coming from the Internet?
0
votes

I have been digging in this and have found the following:

  1. Filters PC1 and RSA are only encrypting the communication, and will protect the communication from being sniffed by a third part on the network. Zip is just compression.
  2. Access to execute methods is controlled by roles in datasnap.
  3. Access to datasetproviders, if exported, is not protected by anything...?!?!
  4. Server methods with the name starting with AS_ is hidden and not included in proxy client class by the proxy generator.
  5. Datasetprovider with name starting with AS_ is also exposed.
  6. [$METHODINFO ON] has no effect on proxy generator, maybe only used by RTTI.

Here's an example ServerMethods class (G I hope this s editor will format well)

`

type
  TServerMethods1 = class(TDSServerModule)
    Sqlserver1ad4Connection: TFDConnection;
    Tree_alarmsTable: TFDQuery;
    Tree_calllistsTable: TFDQuery;
    Tree_contactsTable: TFDQuery;
    dspAlarms: TDataSetProvider;  // exported and accessable in proxy client
    dspCalllists: TDataSetProvider; // exported and accessable in proxy client
    dspContacts: TDataSetProvider;  // exported and accessable in proxy client
    AS_SecretDataSetProvider: TDataSetProvider; // AS_ has no effect here, exported and accessable in proxy client
    dspContactsNotExported: TDataSetProvider; // NOT exported and NOT accessable in proxy client
  private
    { Private declarations }
  public
    { Public declarations }
    function AS_AddCD(A, B : integer) : integer; // will not be in proxy client
    function AddDE(A, B : integer) : integer; /// will be in proxy client, and can be accessed by anyone
    {$METHODINFO ON} // has no effect on proxy client
    function EchoString(AString : string) : string; // will be in proxy client, and can be accessed by anyone
    function ReverseString(AString : string) : string; // will be in proxy client, and can be accessed by anyone
    function ValidateUser(ALoginName, APassword : string; out AUserLevel : integer; out AUserName : string) : boolean;
    [TAuthRoles('admins')]
    function AddAB(A, B : integer) : integer; // will be in proxy client, and can be accessed by user with role "admins"
    function AS_AddBC(A, B : integer) : integer; // will not be in proxy client
    {$METHODINFO OFF} // has no effect on proxy client
  end;

`

Proxy client looks like this then `

type
  TServerMethods1Client = class(TDSAdminClient)
  private
    FAddDECommand: TDBXCommand;
    FEchoStringCommand: TDBXCommand;
    FReverseStringCommand: TDBXCommand;
    FValidateUserCommand: TDBXCommand;
    FAddABCommand: TDBXCommand;
  public
    constructor Create(ADBXConnection: TDBXConnection); overload;
    constructor Create(ADBXConnection: TDBXConnection; AInstanceOwner: Boolean); overload;
    destructor Destroy; override;
    function AddDE(A: Integer; B: Integer): Integer;
    function EchoString(AString: string): string;
    function ReverseString(AString: string): string;
    function ValidateUser(ALoginName: string; APassword: string; out AUserLevel: Integer; out AUserName: string): Boolean;
    function AddAB(A: Integer; B: Integer): Integer;
  end;

`