The On Web Authentication database method is in charge of managing Web server engine access. It is called by 4D or 4D Server when a Web browser request requires the execution of a 4D method on the server (method called using a 4DACTION URL, a 4DSCRIPT tag, etc.).
This method receives six Text parameters: $1, $2, $3, $4, $5, and $6, and returns one Boolean parameter, $0. The description of these parameters is as follows:
Parameters | Type | Description |
$1 | Text | URL |
$2 | Text | HTTP header + HTTP body (32 KB maximum) |
$3 | Text | IP address of the Web client (browser) |
$4 | Text | IP address of the server |
$5 | Text | User name |
$6 | Text | Password |
$0 | Boolean | True = request accepted, False = request rejected |
You must declare these parameters as follows:
C_TEXT($1;$2;$3;$4;$5;$6)
C_BOOLEAN($0)
Note: All the On Web Authentication database method’s parameters are not necessarily filled in. The information received by the database method depends on the options that you have previously selected in the Database Settings dialog box (please refer to the section Connection Security).
- URL
The first parameter ($1) is the URL entered by the user in the location area of his or her Web browser, from which the host address has been removed.
Let’s take the example of an Intranet connection. Suppose that the IP address of your 4D Web Server machine is 123.4.567.89. The following table shows the values of $1 depending on the URL entered in the Web browser:
URL entered in Web browser Location area | Value of parameter $1 |
123.4.567.89 | / |
http://123.4.567.89 | / |
123.4.567.89/Customers | /Customers |
http://123.4.567.89/Customers | /Customers |
http://123.4.567.89/Customers/Add | /Customers/Add |
123.4.567.89/Do_This/If_OK/Do_That | /Do_This/If_OK/Do_That |
- Header and Body of the HTTP request
The second parameter ($2) is the header and the body of the HTTP request sent by the Web browser. Note that this information is passed to your On Web Authentication database method as it is. Its contents will vary depending on the nature of the Web browser which is attempting the connection.
If your application deals with this information, it is up to you to parse the header and the body.
Notes:
- For performance reasons, the size of data passing through the $2 parameter must not exceed 32 KB. Beyond this size, they are truncated by the 4D HTTP server.
- For more information about this parameter, please refer to the description of the On Web Connection database method.
- Web client IP address
The $3 parameter receives the IP address of the browser’s machine. This information can allow you to distinguish between Intranet and Internet connections.
Note: 4D returns IPv4 addresses in a hybrid IPv6/IPv4 format written with a 96-bit prefix, for example ::ffff:192.168.2.34 for the IPv4 address 192.168.2.34. For more information, refer to the Support of IPv6 section.
- Server IP address
The $4 parameter receives the IP address used to call the Web server. 4D since version 6.5 allows for multi-homing, which allows you to exploit machines with more than one IP address. For more information, please refer to the section Web Server Settings
- User Name and Password
The $5 and $6 parameters receive the user name and password entered by the user in the standard identification dialog box displayed by the browser. This dialog box appears for each connection, if a password management option has been selected in the Database Settings dialog box (see section Connection Security).
Note: If the user name sent by the browser exists in 4D, the $6 parameter (the user’s password) is not returned for security reasons.
- $0 parameter
The On Web Authentication database method returns a boolean in $0:
- If $0 is True, the connection is accepted.
- If $0 is False, the connection is refused.
The On Web Connection database method is only executed if the connection has been accepted by On Web Authentication.
WARNING: If no value is set to $0 or if $0 is not defined in the On Web Authentication database method, the connection is considered as accepted and the On Web Connection database method is executed.
Notes :
- Do not call any interface elements in the On Web Authentication database method (ALERT, DIALOG, etc.) because otherwise its execution will be interrupted and the connection refused. The same thing will happen if an error occurs during its processing.
- It is possible to prevent execution by 4DACTION or 4DSCRIPT for each project method via the “Available through 4D HTML tags and URLs (4DACTION...)” option in the Method properties dialog box. For more information about this point, please refer to the Connection Security section.
The On Web Authentication database method is automatically called, regardless of the mode, when a request or processing requires the execution of a 4D method. It is also called when the Web server receives an invalid static URL (for example, if the static page requested does not exist).
The On Web Authentication database method is therefore called in the following cases:
- when 4D receives a URL beginning with 4DACTION/
- when 4D receives a URL beginning with 4DCGI/
- when 4D receives a URL beginning with 4DSYNC/
- when 4D receives a URL requesting a static page that does not exist
- when 4D receives a root access URL and no home page has been set in the Database Settings or by means of the WEB SET HOME PAGE command
- when 4D processes a 4DSCRIPT tag in a semi-dynamic page
- when 4D processes a 4DLOOP tag based on a method in a semi-dynamic page.
Compatibility note: The database method is also called when 4D receives a URL beginning with 4DMETHOD/. This URL is obsolete and is only kept for compatibility's sake.
Note that the On Web Authentication database method is NOT called when the server receives a URL requesting a valid static page.
Example of the On Web Authentication database method in BASIC mode:
C_TEXT($5;$6;$3;$4)
C_TEXT($user;$password;$BrowserIP;$ServerIP)
C_BOOLEAN($4Duser)
ARRAY TEXT($users;0)
ARRAY LONGINT($nums;0)
C_LONGINT($upos)
C_BOOLEAN($0)
$0:=False
$user:=$5
$password:=$6
$BrowserIP:=$3
$ServerIP:=$4
If(WithWildcard($user)|WithWildcard($password))
$0:=False
Else
GET USER LIST($users;$nums)
$upos:=Find in array($users;$user)
If($upos >0)
$4Duser:=Not(Is user deleted($nums{$upos}))
Else
$4Duser:=False
End if
If(Not($4Duser))
QUERY([WebUsers];[WebUsers]User=$user;*)
QUERY([WebUsers]; & [WebUsers]Password=$password)
$0:=(Records in selection([WebUsers])=1)
Else
$0:=True
End if
End if
If(Substring($BrowserIP;1;7)#"192.100.")
$0:=False
End if
Example of the On Web Authentication database method in DIGEST mode:
C_TEXT($1;$2;$5;$6;$3;$4)
C_TEXT($user)
C_BOOLEAN($0)
$0:=False
$user:=$5
If(WithWildcard($user))
$0:=False
Else
QUERY([WebUsers];[WebUsers]User=$user)
If(OK=1)
$0:=Validate Digest Web Password($user;[WebUsers]password)
Else
$0:=False
End if
End if
The WithWildcard method is as follows:
C_INTEGER($i)
C_BOOLEAN($0)
C_TEXT($1)
$0:=False
For($i;1;Length($1))
If(Character code(Substring($1;$i;1))=Character code("@"))
$0:=True
End if
End for