Custom Authentication security problem

Apr 1, 2009 at 12:00 PM
I am really newbie in the world of authorization and databases systems so I have not understood how the custom authentication works...

Using Microsoft server managment studio I added my custom users in the table dbo.UsersDemo in my db NetSqlAzManStorage -> Tables -> dbo.UsersDemo.

I wrote something like this:

IAzManStorage storage = netSqlAzMan.getStorage(sqlConnectionString);
IAzManDBUser dbUser = storage.GetDBUser("foo");

to access the user and perform authorization operations.

the problem is that the only authentication check is done on the connection on the db.

After that is performed the db connection any users can call the procedure storage.GetDBUsers to know the names of all the users and finally use the preferred
dbusername (my be the higgest authorized user) to perform authorization check.

All this don't looks like a secure way to manage the authorization problem... how do you
use the custom auhtorization to avoid this problem !?

thks

  n.
 
Apr 1, 2009 at 11:10 PM

Hi N,

NetSqlAzMan is a product that deals of the authorization only phase and not authentication.

In the case of Database Users the authentication step of a DB user is delegated to your custom application.

Similarly for Windows users ... NetSqlAzMan never ask or never saves any password because it delegates Authentication to the Win32 Kerberos.

Regards,

Andrea.

Apr 2, 2009 at 9:52 AM
Hi Andrea,
I think that with the windows authentication is  enough simple
because before running the application it's necessary being
authenticated with the windows domain.

On the other hand, with the dbusers, it's a little bit difficult because the user
is enabled to execute the application and, how you said, it is the application that
have to handle the authentication phases...
but I have seen that, during the start up, the Microsoft SQL Management Studio Express
asks the users to choose between two kinds of authentication.
It's possible choose between Windows Authentication, that relies on WindowsIdentity
credentials and don't ask new password and username.
But it's also possible use the sql Server Authentication where it asks for
username and password.

I thought that in netsqlazman the dbuser authentication was delegated to the db, as does the
the Microsoft SQL Management. I would expected a call to some api of sql Server
that get back something like a SQLServerAuthenticationSID...
And then use this SID in the NetSqlAzman framework.

I think that in this way is not necessary write the table dbo.UsersDemo and the application
don't have to handle the Authentication;
on the other hand it's the sqlserver system that records user names and password and
perform the Authentications checks...Like do with Sql Server managemetn studio.

but repeat, I very newbie of db and may be I missing something...

thks

  n.
Apr 2, 2009 at 4:17 PM
Hi,
not necessarily be said that database SQL Server users are the same of the NetSqlAzMan db users, for this reason, the authentication of NetSqlAzMan database users must be custom.
Where instead should be ... you can use this T-SQL to manually authenticate your users.

if (exists(select * from master.dbo.syslogins
where
loginname = 'sa'
and pwdcompare('microsoft', [password]) = 1)
Regards,
Andrea.

Apr 3, 2009 at 8:20 AM
thanks for the clarification.

 n.