  1. #1

    Permissions in Lightstreamer javascript

    Hi there,

    I have a website with 2 users: admin and user1.
    My site has 3 items. I want user1 to see only 2 items, and only the admin to see all 3 items.

    I know that I can generate the HTML code on the server side, so that if the visitor authenticates as user1, 2 items will be returned.
    --> But this is JavaScript. I mean user1 will know the script and he will code for himself a script that will collect all 3 items. They can manually add the code below to the web page (item "greetings"). And of course, I don't want him to see this "greetings" item.
    Code:
    <div source="lightstreamer" table="hellotable" item="greetings" field="message">loading...</div>
    Please show me the solutions for this.

    I know that Lightstreamer has an authentication mechanism. But if I use that, how can I pass the password to the web page HTML without it being noticed by users?
    Last edited by vielktus; December 15th, 2013 at 07:49 AM.

  2. #2
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    716
    Hi vielktus,

    Usually, in a real production scenario, the actual authentication is handled by the legacy Web/Application server, irrespective of Lightstreamer.
    So, in order to better assist you, we need to understand if you are working with Lightstreamer together with a Web/Application server or with Lightstreamer alone.

    By the way, I confirm that simple guidelines for authentication in Lightstreamer are shown in section 4.1 of "General Concepts.pdf", and you can also take a look at this thread, which discusses a problem similar to yours.

  3. #3
    Ok, let me explain this more clearly.

    I have a website and a login page. When user 1 logs in, the site will return the code below:
    Code:
         <div datasource="lightstreamer" itemname="abc">...</div>
         <div datasource="lightstreamer" itemname="xyz">...</div>

    <!-- Below is the javascript Lightstreamer connect (I use the one in the helloworld example) -->
    <script>
    ...
    </script>
    I want User 1 to see only 2 <div>s like that. But when the admin logs in, he will see all 3 divs like this:
    Code:
         <div datasource="lightstreamer" itemname="abc">...</div>
         <div datasource="lightstreamer" itemname="xyz">...</div>
         <div datasource="lightstreamer" itemname="123123">...</div>
    <!-- Below is the javascript Lightstreamer connect (I use the one in the helloworld example) -->
    <script>
    ...
    </script>
    Of course, I use my own PHP authentication code. But in this situation, user1 can right-click and view the page's source, and he will see the JavaScript Lightstreamer connecting code. He will copy the code to connect manually to my Lightstreamer server. And what if he knows the item "123123"? He will add a similar div and he will see the streaming data of that div. I don't want this.

    Thanks for the authentication guide in section 4.1, but like you said, I won't use Lightstreamer authentication.

    Please show me how to handle this case.

  4. #4
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    716
    Hi vielktus,

    In a case like yours, some credentials information needs to be passed to your Metadata Adapter.
    If you won't use Lightstreamer authentication, you should pass to the Metadata Adapter the user/session info generated by your authentication procedure.
    In the notifyUser method you should validate that info against the Web/Application Server that generated it (or a database or whatever back-end system).

    Once the user is validated, the notifyNewTables method of your Metadata Adapter should check if the user is entitled to all the Items requested and, if not, throw a CreditsException.

  5. #5
    Quote: Originally Posted by giuseppe.corti
    Hi vielktus,

    In a case like yours, some credentials information needs to be passed to your Metadata Adapter.
    If you won't use Lightstreamer authentication, you should pass to the Metadata Adapter the user/session info generated by your authentication procedure.
    In the notifyUser method you should validate that info against the Web/Application Server that generated it (or a database or whatever back-end system).

    Once the user is validated, the notifyNewTables method of your Metadata Adapter should check if the user is entitled to all the Items requested and, if not, throw a CreditsException.

    Oops, sounds a little bit tough... I use the .NET Adapter and PHP authentication on my web pages. When I validate the logged-in user with PHP, how can I use the notifyUser method in the Metadata Adapter? Do you have some simple code?

  6. #6
    Power Member
    Join Date
    Jul 2006
    Location
    Cesano Maderno, Italy
    Posts
    784
    Hi,

    We don't have any ready-made example: basically your .NET adapter and your PHP application need to "communicate".

    As an example, when your PHP application validates a user, it will likely send back a session cookie to the browser to keep the session alive for a while. It will also store the cookie somewhere (e.g.: memcached, SQL server...) for checking it on subsequent requests.

    That said, your client could read such a cookie via JavaScript and use it as the user password (setPassword). This way, on the metadata adapter, you'll get the cookie in the notifyUser call and you can validate it against the same storage PHP is accessing (again, memcached, SQL server...).

    HTH
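
The flow described in posts #4 and #6, as an added example that is not part of the original posts and is not Lightstreamer's adapter API: it models the two server-side checks in plain JavaScript (Node.js). The shared store, the `phpLogin` helper, the exception classes and the entitlement table are all constructed for illustration; only the item names and the method names `notifyUser` / `notifyNewTables` come from the thread.

```javascript
// Added example: models the Metadata Adapter checks from posts #4 and #6.
// All names and data are constructed; this is not the Lightstreamer adapter API.
const crypto = require('crypto');

class AccessException extends Error {}
class CreditsException extends Error {}

// Stand-in for the storage PHP and the adapter share (memcached, SQL, ...).
// Keyed by SHA-256 of the token so the store never holds usable tokens.
const sessionStore = new Map();
const hashToken = (t) => crypto.createHash('sha256').update(t).digest('hex');

// What the PHP login would do after validating the user (hypothetical helper).
function phpLogin(user, ttlMs, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  sessionStore.set(hashToken(token), { user, expires: now + ttlMs });
  return token; // the client passes this as the Lightstreamer password
}

// Server-side entitlements; item names are the ones used in the thread.
const entitlements = new Map([
  ['admin', new Set(['abc', 'xyz', '123123'])],
  ['user1', new Set(['abc', 'xyz'])],
]);

// Modeled on notifyUser: reject unknown, expired or mismatched tokens.
function notifyUser(user, password, now = Date.now()) {
  const s = sessionStore.get(hashToken(String(password)));
  if (!s || s.expires <= now || s.user !== user) {
    throw new AccessException('invalid or expired session token');
  }
}

// Modeled on notifyNewTables: every requested item must be entitled,
// no matter which <div> elements the page HTML contained.
function notifyNewTables(user, items) {
  const allowed = entitlements.get(user) || new Set();
  const denied = items.filter((i) => !allowed.has(i));
  if (denied.length > 0) {
    throw new CreditsException(`${user} not entitled to: ${denied.join(', ')}`);
  }
}
```

Because the entitlement check runs on the server for every subscription, a div for "123123" added by hand in user1's browser is refused. A session cookie that script can read cannot be flagged HttpOnly, so a separate short-lived token issued by the PHP page is the safer value to pass as the password.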

  7. #7
    Ok, can we keep this simple, like this?

    I will use the Lightstreamer authentication and pass the password to the Metadata Adapter in JavaScript. Can I encrypt this password in the connecting JavaScript?

  8. #8
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    716
    If you want to proceed with authentication by passing the password through the JavaScript library, an HTTPS connection is strongly recommended. But please note that this option is not available in the "Moderato" edition of Lightstreamer server (please refer here).

    You can also simply encrypt your password at the application level before passing it to the JavaScript library, but this exposes you to security problems (for example sniffing), unless, again at the application level, you implement more sophisticated mechanisms.
