Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

Security for application provider

6 posts in General Discussion Last posting was on 2005-04-29 13:00:07.0Z
Jan Posted on 2005-04-26 14:00:23.0Z
From: "Jan" <jan@cyberprop.com>
Newsgroups: ianywhere.public.mbusinessanywhere.general
Subject: Security for application provider
Lines: 18
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
NNTP-Posting-Host: rrba-146-118-219.telkomadsl.co.za
X-Original-NNTP-Posting-Host: rrba-146-118-219.telkomadsl.co.za
Message-ID: <426e4977@forums-1-dub>
Date: 26 Apr 2005 07:00:23 -0700
X-Trace: forums-1-dub 1114524023 165.146.118.219 (26 Apr 2005 07:00:23 -0700)
X-Original-Trace: 26 Apr 2005 07:00:23 -0700, rrba-146-118-219.telkomadsl.co.za
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub ianywhere.public.mbusinessanywhere.general:393
Article PK: 8841

Hi,

We're using M-Business clients on the devices and they run an Ultralite
database and on the server we've got ASA with Mobilink.

Is there some mechanism in M-Business that can prevent multiple devices
using the same M-Business username and password (and Mobilink username and
password) from sync'ing with the server.

In other words - I want only once device to be able to use one
username/password that I have issued. If a second device tries to use that
same username/password to sync - the server must prevent the device from
sync'ing.

Thanks
Jan


Enrico Pallazzo Posted on 2005-04-26 16:16:55.0Z
From: "Enrico Pallazzo" <enricopallazzo@myway.com>
Newsgroups: ianywhere.public.mbusinessanywhere.general
References: <426e4977@forums-1-dub>
Subject: Re: Security for application provider
Lines: 29
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Response
X-Original-NNTP-Posting-Host: vpn-dub-134.sybase.com
Message-ID: <426e6974@forums-2-dub>
X-Original-Trace: 26 Apr 2005 09:16:52 -0800, vpn-dub-134.sybase.com
X-Original-NNTP-Posting-Host: forums-2-dub.sybase.com
X-Original-Trace: 26 Apr 2005 09:16:52 -0700, forums-2-dub.sybase.com
NNTP-Posting-Host: forums-master.sybase.com
X-Original-NNTP-Posting-Host: forums-master.sybase.com
Date: 26 Apr 2005 09:16:55 -0700
X-Trace: forums-1-dub 1114532215 10.22.108.75 (26 Apr 2005 09:16:55 -0700)
X-Original-Trace: 26 Apr 2005 09:16:55 -0700, forums-master.sybase.com
X-Authenticated-User: ngsysop
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub ianywhere.public.mbusinessanywhere.general:394
Article PK: 8842

There is no way built into MBA, however the server does send a headers with
the device's serial number and the userid. You can use those in your web
application to prevent multiple devices with the same account getting data.

X-AvantGo-DeviceId
"X-AvantGo-UserId

That you could use in your web application to prevent two devices

"Jan" <jan@cyberprop.com> wrote in message news:426e4977@forums-1-dub...
> Hi,
>
> We're using M-Business clients on the devices and they run an Ultralite
> database and on the server we've got ASA with Mobilink.
>
> Is there some mechanism in M-Business that can prevent multiple devices
> using the same M-Business username and password (and Mobilink username and
> password) from sync'ing with the server.
>
> In other words - I want only once device to be able to use one
> username/password that I have issued. If a second device tries to use that
> same username/password to sync - the server must prevent the device from
> sync'ing.
>
> Thanks
> Jan
>


Greg Fenton Posted on 2005-04-26 18:56:56.0Z
From: Greg Fenton <greg.fenton_NOSPAM_@ianywhere.com>
Organization: iAnywhere Solutions Inc.
User-Agent: Mozilla Thunderbird 1.6.3.2f (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Newsgroups: ianywhere.public.mbusinessanywhere.general
Subject: Re: Security for application provider
References: <426e4977@forums-1-dub>
In-Reply-To: <426e4977@forums-1-dub>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Original-NNTP-Posting-Host: gfenton-t30.sybase.com
Message-ID: <426e8ef3$1@forums-2-dub>
X-Original-Trace: 26 Apr 2005 11:56:51 -0800, gfenton-t30.sybase.com
Lines: 30
X-Original-NNTP-Posting-Host: forums-2-dub.sybase.com
X-Original-Trace: 26 Apr 2005 11:56:53 -0700, forums-2-dub.sybase.com
NNTP-Posting-Host: forums-master.sybase.com
X-Original-NNTP-Posting-Host: forums-master.sybase.com
Date: 26 Apr 2005 11:56:56 -0700
X-Trace: forums-1-dub 1114541816 10.22.108.75 (26 Apr 2005 11:56:56 -0700)
X-Original-Trace: 26 Apr 2005 11:56:56 -0700, forums-master.sybase.com
X-Authenticated-User: ngsysop
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub ianywhere.public.mbusinessanywhere.general:395
Article PK: 8843


Jan wrote:
>
> Is there some mechanism in M-Business that can prevent multiple devices
> using the same M-Business username and password (and Mobilink username and
> password) from sync'ing with the server.
>

The ever-present Enrico answered your question about the mBusiness
client. As for UltraLite/MobiLink, when a user attempts to use the same
username on two separate devices, ML will recognize that the
synchronization progress of the second device is not the same as that of
the first device and will fail the synchronization. Only a device with
the same synchronization progress as the previous successful
synchronization with that username will be allowed (which for all
intents and purposes will only be that first device).

You could add some logic to the ML synchronization scripts (overriding
the default authetication mechanisms) and pass up some uniquely
generated value from the remote, but this is likely not necessary (as
per above).

Hope this helps,
greg.fenton
--
Greg Fenton
Consultant, Solution Services, iAnywhere Solutions
--------
Visit the iAnywhere Solutions Developer Community
Whitepapers, TechDocs, Downloads
http://www.ianywhere.com/developer/


Shuchit Posted on 2005-04-26 22:07:47.0Z
Newsgroups: ianywhere.public.mbusinessanywhere.general
Subject: Re: Security for application provider
From: Shuchit <me@privacy.net>
References: <426e4977@forums-1-dub> <426e8ef3$1@forums-2-dub>
Message-ID: <Xns9644B202D1123svelkarprivacynet@127.0.0.1>
User-Agent: Xnews/??.01.30 Hamster/2.0.6.0
X-Original-NNTP-Posting-Host: vpn-dub-031.sybase.com
X-Original-Trace: 26 Apr 2005 15:07:42 -0800, vpn-dub-031.sybase.com
Lines: 16
X-Original-NNTP-Posting-Host: forums-2-dub.sybase.com
X-Original-Trace: 26 Apr 2005 15:07:43 -0700, forums-2-dub.sybase.com
NNTP-Posting-Host: forums-master.sybase.com
X-Original-NNTP-Posting-Host: forums-master.sybase.com
Date: 26 Apr 2005 15:07:47 -0700
X-Trace: forums-1-dub 1114553267 10.22.108.75 (26 Apr 2005 15:07:47 -0700)
X-Original-Trace: 26 Apr 2005 15:07:47 -0700, forums-master.sybase.com
X-Authenticated-User: ngsysop
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub ianywhere.public.mbusinessanywhere.general:396
Article PK: 17678

Greg Fenton <greg.fenton_NOSPAM_@ianywhere.com> wrote in news:426e8ef3$1
@forums-2-dub:

> As for UltraLite/MobiLink, when a user attempts to use the same
> username on two separate devices, ML will recognize that the
> synchronization progress of the second device is not the same as that of
> the first device and will fail the synchronization.

Except in the case that the second device is doing a first-time sync with the
MobiLink server. In this case, I believe MobiLink server will allow the sync
to proceed.

To the OP, can you provide more details on why you want to impose this
restriction ?

Shuchit


Jan Posted on 2005-04-29 11:44:17.0Z
From: "Jan" <jan@cyberprop.com>
Newsgroups: ianywhere.public.mbusinessanywhere.general
References: <426e4977@forums-1-dub> <426e8ef3$1@forums-2-dub> <Xns9644B202D1123svelkarprivacynet@127.0.0.1>
Subject: Re: Security for application provider
Lines: 19
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
NNTP-Posting-Host: rrba-146-66-174.telkomadsl.co.za
X-Original-NNTP-Posting-Host: rrba-146-66-174.telkomadsl.co.za
Message-ID: <42721e11@forums-1-dub>
Date: 29 Apr 2005 04:44:17 -0700
X-Trace: forums-1-dub 1114775057 165.146.66.174 (29 Apr 2005 04:44:17 -0700)
X-Original-Trace: 29 Apr 2005 04:44:17 -0700, rrba-146-66-174.telkomadsl.co.za
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub ianywhere.public.mbusinessanywhere.general:400
Article PK: 8847


> To the OP, can you provide more details on why you want to impose this
> restriction ?

I think it's pretty obvious - therefore that I placed my question here
first - before starting just to develop some weird way of accomplishing
this...

From the service providers point of view, I want to be sure that I'm getting
what is due to me. If I sell access to my service to one guy - I don't want
to allow four other guys to simply use the same username/password and also
benefit from the service. If they want the service - they can pay their
way...

:))

It's all about $$$
Jan


Shuchit Posted on 2005-04-29 13:00:07.0Z
Newsgroups: ianywhere.public.mbusinessanywhere.general
Subject: Re: Security for application provider
From: Shuchit <me@privacy.net>
References: <426e4977@forums-1-dub> <426e8ef3$1@forums-2-dub> <Xns9644B202D1123svelkarprivacynet@127.0.0.1> <42721e11@forums-1-dub>
Message-ID: <Xns96475B1633F86svelkarprivacynet@127.0.0.1>
User-Agent: Xnews/??.01.30 Hamster/2.0.6.0
NNTP-Posting-Host: 72-254-143-22.client.stsn.net
X-Original-NNTP-Posting-Host: 72-254-143-22.client.stsn.net
Date: 29 Apr 2005 06:00:07 -0700
X-Trace: forums-1-dub 1114779607 72.254.143.22 (29 Apr 2005 06:00:07 -0700)
X-Original-Trace: 29 Apr 2005 06:00:07 -0700, 72-254-143-22.client.stsn.net
Lines: 27
X-Authenticated-User: techsupp
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub ianywhere.public.mbusinessanywhere.general:401
Article PK: 8848


> From the service providers point of view, I want to be sure that I'm
> getting what is due to me. If I sell access to my service to one guy - I
> don't want to allow four other guys to simply use the same
> username/password and also benefit from the service. If they want the
> service - they can pay their way...
>

I would use create a UUID for each device to identify it separately from the
user id.
Use Connection.getNewUUID() to create it on the device. Store this in a
table in UltraLite. So that you can check on each sync whether an UUID has
already been generated for the device. Send this UUID up to the MobiLink
server using SyncParms.setAuthenticationParms
On the MobiLink server, you will have access to this in the
authenticate_parameters connection event. In this event call a stored
procedure which will check whether the synchronizing user already has a UUID
associated with the user and if so does it match the value sent up from the
device.

Note, that if the device is ever hard-reset or if the UltraLite database is
deleted for some reason then your customers would need to contact you to
remove the UUID to userid mapping.

You could also use the device id instead of generating a UUID, however I am
not sure how you would get to it from javascript.

Shuchit