Spanish Help with JRDC2 + login + user session

albertogomez38

New Member
I've spent a few weeks on the forum looking for information on how to set up a JRDC2 server (online) and use Android clients with B4A.
I've made quite a bit of progress, but I've gotten stuck (maybe I have conceptual errors, and in those cases it's very hard to continue).

I'll explain in case someone can help me.

The server part, following the forum guide, I have running on a server with mariadb https://www.b4x.com/android/forum/threads/tutorial-acceder-a-base-de-datos-con-jrdc2.130278/

jRDC is running (version = 2.23)

On the client side I have created a login screen with B4A, and I can validate myself using the SQL query defined in JRDC2 in the config.properties file.

My question is... if I create new queries in the config.properties file, for example adding and deleting articles, how do I guarantee that only logged-in users can execute them?
I understand the control on the client side. If you don't validate, you can't access the following menus... where the add, delete, etc. options will be.

But how do I control that only users logged in with a valid session can execute those queries? I mean, of course, "someone" who doesn't have the client but who can connect to the server, since it is public on the internet. I don't quite see that part clearly.

Shouldn't something like a session ID that expires after a while be used, or something like that?


I have seen a post like this one


where they suggest that it is on the server side where that control should be. But honestly it escapes me...

I have also seen the post by



where he stores the logged-in user's values on the client side using KVS As KeyValueStore, but I understand that is more to avoid entering the password continuously.


Sorry if there is something obvious that I am overlooking, but I am quite new to this topic.

I would appreciate any help or comment.
 

aeric

Expert
Licensed User
Longtime User
 

calloatti

Member
Licensed User
If it's an app for use on a LAN, I can tell you I've had an app running for years using jdbcsql connecting directly to a mysql server.

At first I tried using jRDC, but it was simpler for me to use jdbcsql.

 

aeric

Expert
Licensed User
Longtime User
I don't speak Spanish.
Here is another example:
 

MrKim

Well-Known Member
Licensed User
Longtime User
My suggestion would be when the user logs in create a session ID (UUID) and store it in a table along with the time and return it to the user.
With each query the user passes that ID back to your server. All queries other than log in should first run a function that validates that the id is in the table.
Something like this:
SQL:
-- T-SQL syntax; 'XYZ' stands for the session ID passed by the client
IF EXISTS (SELECT 1 FROM IDTable WHERE ID = 'XYZ' AND LastAccess > DATEADD(hour, -1, GETDATE()))
BEGIN
    -- Valid session: refresh the timestamp (sliding 1-hour window)
    UPDATE IDTable SET LastAccess = GETDATE() WHERE ID = 'XYZ'
    --Your stuff here
END
ELSE
BEGIN
    IF NOT EXISTS (SELECT 1 FROM IDTable WHERE ID = 'XYZ')
    BEGIN
        -- Unknown ID: never logged in
        SELECT 'You are not Logged in!' AS ERROR
    END
    ELSE
    BEGIN
        -- Known ID but too old: remove it and report the expiry
        DELETE FROM IDTable WHERE ID = 'XYZ'
        SELECT 'Your session has expired! Please log in again.' AS ERROR
    END
END
In your login code delete everything that is older than 1 hour (or whatever your time period is.)
 
Last edited:
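
An added example, not from any poster in this thread and not jRDC2 code: the session-ID scheme proposed above, sketched in Python with an in-memory SQLite table and enforced in the server process before any command runs. `open_db`, `login`, `check_session`, `run_command` and the `UserName` column are hypothetical names; storing only a SHA-256 hash of the ID and using bound parameters are assumptions the post does not mention.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 3600  # seconds; the "1 hour" window from the post above

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE IDTable (ID TEXT PRIMARY KEY, UserName TEXT, LastAccess REAL)")
    return db

def _digest(token):
    # Store only a hash so a leaked table does not expose usable session IDs.
    return hashlib.sha256(token.encode()).hexdigest()

def login(db, user, now=None):
    """Call only after the password check has succeeded. Returns the session ID."""
    now = time.time() if now is None else now
    # Purge stale rows at login, as the post suggests.
    db.execute("DELETE FROM IDTable WHERE LastAccess <= ?", (now - SESSION_TTL,))
    token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    db.execute("INSERT INTO IDTable VALUES (?, ?, ?)", (_digest(token), user, now))
    return token

def check_session(db, token, now=None):
    """Gate for every command except login. Returns (user, error)."""
    now = time.time() if now is None else now
    key = _digest(token or "")
    row = db.execute("SELECT UserName, LastAccess FROM IDTable WHERE ID = ?",
                     (key,)).fetchone()
    if row is None:
        return None, "You are not Logged in!"
    user, last_access = row
    if last_access <= now - SESSION_TTL:
        db.execute("DELETE FROM IDTable WHERE ID = ?", (key,))
        return None, "Your session has expired! Please log in again."
    # Valid session: slide the expiry window forward.
    db.execute("UPDATE IDTable SET LastAccess = ? WHERE ID = ?", (now, key))
    return user, None

def run_command(db, token, command, now=None):
    """Hypothetical dispatcher: refuses any named command without a live session."""
    user, err = check_session(db, token, now)
    if err:
        return {"ok": False, "error": err}
    return {"ok": True, "user": user, "command": command}
```

The session ID is passed as a bound parameter, never concatenated into the SQL text, so a crafted ID cannot alter the check.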

aeric

Expert
Licensed User
Longtime User
You need to understand how jRDC2 works.
 

MrKim

Well-Known Member
Licensed User
Longtime User
I know how jrdc2 works to some extent. I use a version that I have modified slightly. The code I have provided would be a standard test that would be a part of each of the jrdc2 queries except the login. What is it I am missing?
 

aeric

Expert
Licensed User
Longtime User
You missed the main point since you said you excepted the login part that we are talking about.
Try to translate your concept or SQL in post #7 into an actual example.
If you want, you can open a new thread to discuss.
 

MrKim

Well-Known Member
Licensed User
Longtime User
Well, no, you HAVE to exempt the login part since you are not yet logged in you can't test for a login if you are trying to login. Before you login you will HAVE no UUID. All other queries would check for a login before continuing. Sorry if I wasn't clear. I don't really have time to go in to a whole analysis.
 

aeric

Expert
Licensed User
Longtime User

Reply only when you are clear and have time.
You CAN'T exempt the login part as this is the question being asked.
My point is the solution is not as easy as you think, i.e. it cannot be achieved by just using an SQL command in jRDC2 without modifying it.
That is the problem and why some members have been asking. And I have already spent some time to provide a solution.
 

MrKim

Well-Known Member
Licensed User
Longtime User
I don't see anything that says he is not willing to modify the commands. He is asking how do I prevent not logged in users from running commands if they are not logged in. What I proposed does that. Of course I am letting google translate this post to English, perhaps I am missing something.
 

aeric

Expert
Licensed User
Longtime User
I didn't mean modifying the SQL commands inside config.properties. I mean it required to modify the jRDC2 project code.

I don't believe or agree by just modifying the SQL commands inside config.properties will solve the issue.

You can prove me wrong by creating a working example.

I don't like to talk much on theory, I prove my idea by creating it.

I will stop the debate here to keep this thread short.
 

josejad

Expert
Licensed User
Longtime User
You CAN'T exempt the login part as this is the question being asked
Hi Aeric and MrKim:

Not sure if there's something lost in translation. I don't know if MrKim's solution is OK or not, but I understand what he means: he is not ignoring the login, he is just ignoring using the UUID in the sql statement to login.
I know aeric knows very well the problem here, because he has a lot of acknowledgement about this kind of stuff, so maybe we're missing something he sees because he has been working on it.
I mean it required to modify the jRDC2 project code.
And now I'm reading the last post, probably he means that create the UUID and store it in the database can't be done just with the sql part.
 

aeric

Expert
Licensed User
Longtime User
I'm reading the last post, probably he means that create the UUID and store it in the database can't be done just with the sql part.
Not really.
I wish someone has tried the project I shared in post #5 to find out the answer.
 

MrKim

Well-Known Member
Licensed User
Longtime User
Ahh, I had a little time and read the link in post 5. I see where you are going. I won't try it because I don't use MYSQL and I already have a custom version of jRDC that I use. Again, unless there is something in your code I am missing I still think you can accomplish everything you talk about by just modifying the SQL queries which I think is easier and more transparent and maintainable than modifying jRDC2. It does mean having a rights table and storing the login id on the server for comparison and the user must pass it each time but that is a really insignificant amount of data to send.
 

aeric

Expert
Licensed User
Longtime User
Please post your question on a new thread.
 