1. Peter Thiem
  2. PowerServer Obsolete (2020 or older)
  3. Friday, 19 July 2019 07:26 AM UTC

Hello,

I'm trying to understand security for a PowerServer deployment when used to deploy a traditional Powerbuilder (classic) application.

Is there good documentation that I could read, and could be shown to security architects?

In particular, I'm having difficulty in being able to answer questions like these:

- Could a malicious system user (an internal user that is permitted to use parts of the system) get access to server side methods in any way?

- What security/protection is there on server side methods to restrict them to appropriate user roles?

At the moment, the application is deployed to Citrix, and the client interface restricts access to the available menus and buttons.

The security architects are very nervous about direct database connections, and quite nervous about any access to data that is vulnerable to determined attacks.

Cheers, Peter.

Peter Thiem Accepted Answer Pending Moderation
  1. Thursday, 1 August 2019 04:39 AM UTC
  2. PowerServer Obsolete (2020 or older)
  3. # 1
0
Votes
Undo

Thanks Chris and Mike!

Comment
There are no comments made yet.
Chris Pollach @Appeon Accepted Answer Pending Moderation
  1. Tuesday, 23 July 2019 13:52 PM UTC
  2. PowerServer Obsolete (2020 or older)
  3. # 2
0
Votes
Undo

Hi Peter;

  In my Active Directory based Apps, I check the user security level & role(s) upon login and then set a DWO with the roles & their setting (basically Y/N). Then at run time, I have the PS App check the user's roles and adjust the controls / menus upon instantiation.

Regards ... Chris

Comment
Thank you Chris for your help and attention!



I tried to find your "Building PB/PS Active Directory Aware Apps" presentation, but could only find a reference to it in the session catalog for the event.



Would it be available for the public? I understand if it is not or is paid content only.



Otherwise, thanks again.



Cheers, Peter.
  1. Peter Thiem
  2. Tuesday, 23 July 2019 23:02 PM UTC
Yes, I believe that you would need to have Conference access to download any Appeon Conference presentations.

  1. Chris Pollach @Appeon
  2. Wednesday, 24 July 2019 14:22 PM UTC
There are no comments made yet.
Peter Thiem Accepted Answer Pending Moderation
  1. Tuesday, 23 July 2019 01:21 AM UTC
  2. PowerServer Obsolete (2020 or older)
  3. # 3
0
Votes
Undo

Thank you Chris and Mike for your responses, they are a great help.

I'm still not sure of one of my questions, so I'd like to express as a concrete hypothetical scenario...

 

Imagine an application with users with two types of roles - Managers and Users.

Managers have access to a form with a list of users and a button that executes a NVO function to add or remove a Manager role.

This application is deployed to PowerServer and users need to authenticate before access.

 

Would a (non-manager) user, equipped with the right tools, be able to execute the NVO function to add/remove the Manager role? Perhaps by using a tool that would simulating logging in and directly calling the network end point for the NVO function.

I imagine it would be difficult to do so, unless a generic tool existed, but is it possible?

Or, do the server side components, know somehow, that the (non-manager) user should not have access to the button and the form and the NVO function to add/remove the Manager role?

 

> You could implement User "Role" security within your App by tying in PS Security feature into you App. 

Chris, I'm guessing by what you mean, but to solve the above scenario, would it be advised to add functionality to all components partitioned into the server side (datawindows and NVOs) that checks the user identity and their roles are appropriate for that object or the specific functions of that object?

Cheers Peter.

Comment
'calling the network end point for the NVO function.'

this isn't how powerserver works. apps are pretty much client/server unless you rewrote parts of it as web apis. the code is running on the user's machine. powerserver pretty much works as a middle man between the application and the database server. the communication between PS and the browser is encrypted.



so your next question will probably be: "can someone figure out how to change this code that is running in memory to allow someone become a manager"

if given enough time and if they are really smart developers, then possibly? IMO, i think it is less likely to occur in a PS app than a regular powerbuilder app.



It is a lot more likely that a user would steal a managers password or talk an admin into providing them one



  1. mike S
  2. Tuesday, 23 July 2019 13:10 PM UTC
There are no comments made yet.
mike S Accepted Answer Pending Moderation
  1. Friday, 19 July 2019 15:52 PM UTC
  2. PowerServer Obsolete (2020 or older)
  3. # 4
0
Votes
Undo

"an internal user that is permitted to use parts of the system"

what system are you talking about?  If you are talking about the powerserver AEM - then the security is not very fine grained.  however, only IT/developer admins would have access to that, the same way you don't provide end users the sa login to the database server.

 

If you are talking about your application, then they have whatever access you provided them within the application itself.  As chris stated, all database connections go through the powerserver application - the user does NOT have a database id/login (well, they could if you needed it for a special reason but the default is that they don't).  In that way, the system is more secure than citrix.  If your citrix deployment uses database logins per user then a user could use their applicaiton login and connect directly to the database with excel or similar. 

The database can be behind firewalls to prevent access except by powerserver.  Only powerserver requires access to the database.   The user gets access to your powerserver based application via https or http.

Comment
There are no comments made yet.
Chris Pollach @Appeon Accepted Answer Pending Moderation
  1. Friday, 19 July 2019 14:01 PM UTC
  2. PowerServer Obsolete (2020 or older)
  3. # 5
0
Votes
Undo

Hi Peter;

  PS's architecture is such that all DBMS access id from the "PS" (Application Server) middle tier and not any longer from the PB Application layer. PS is actually not a separate server. Instead, its installed underneath an Application Server (J2EE or .Net) and works as a "helper" to the App Server parent for things like DBMS connection, pooling, DML execution, result handling, etc).

  FYI:  https://www.appeon.com/support/documents/appeon_online_help/ps2019/installation_guide/ch01s02.html

  As far as App security features, PS has its own feature for that. You can read more about this here:

https://www.appeon.com/support/documents/appeon_online_help/ps2019/server_configuration_guide_for_net/Server_Security.html

  You could implement User "Role" security within your App by tying in PS Security feature into you App. The other alternative would be to use "Active Directory" (I did a presentation on AD &  the roles aspect at the Elevate 2018 Conference last year based on an actual client implemenation) .

Regards ... Chris

 

Comment
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.