Accessing database with a blank userid and I can access all t

Posted by robertov on 31-Jan-2011 03:52

Hi people,

Sorry if the question has already been answered (I didn't find anything using search):

We have an application on Progress 9.1B (yes, I know that is an older release, but at this time we don't have the necessary resources to migrate it to a new one) and we tried to disable the blank userid access to the database. We tried activating the "disallow blank userid access" option in Data Administration and yes, if you try to log on to the data dictionary with a blank userid it tells you that you don't have all the access to the data, but if you create a query in the procedure editor it returns all the data without problems.

I know that in 10.A there is a new option to block the blank userid access directly but I don't find a way to do it in 9.1B. Any suggestion?

Thank you in advance.

All Replies

Posted by Thomas Mercer-Hursh on 31-Jan-2011 11:23

We need a bit more information.

Security in general is provided by the application.  I.e., allowing blank userid or not, creating records in _user or not is merely controlling whether or not _userid will be set during the session.  That controls absolutely nothing in terms of access to data unless one of two things is true.  One is that you have used the CAN-* fields in the data dictionary to define permissions.  With an old release that was only checked at compile time, so wasn't very useful.  The other is that your application uses this information to control access to data.  The implication is that one has to be accessing the database through the application and writing a FOR EACH or whatever in the procedure editor is going to pay no attention to the application.

BTW, the "resources" required to move to a modern version are generally trivial.

Posted by robertov on 01-Feb-2011 02:40

Ok, I understand, but apart from the application, if someone gets access to the physical db, will using a blank userid give you access to all the data (through data dictionary/procedure editor)?

Thank you very much for your answers!

Posted by Thomas Mercer-Hursh on 01-Feb-2011 11:28

Point being, that apart from the application, there is basically no security except the can-* fields and in older versions of Progress that was just compile time.  Yes, if you use one of these fields to block access with a blank userid, then dropping into the editor to write a for each won't work because one has to compile the program to run it, but it isn't much protection.  The real need is to provide the protection you want with the application and then not allow anyone except those who are trusted to ever get to an editor.
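
What providing the protection in the application can look like, as an added example that is not part of the thread or any poster's code: a startup procedure that refuses to continue with a blank userid. The names login.p and mainmenu.p are hypothetical, and it assumes a single connected database with _User records already defined.

```progress
/* login.p (hypothetical name): added example, not code from this thread.
   Assumes: one connected database, _User records already created in
   Data Administration, and a hypothetical main program mainmenu.p.
   Deploy as compiled r-code and start the client with -p login.p so
   users land here rather than in the Procedure Editor. */
DEFINE VARIABLE cUser AS CHARACTER NO-UNDO FORMAT "x(12)" LABEL "User ID".
DEFINE VARIABLE cPass AS CHARACTER NO-UNDO FORMAT "x(16)" LABEL "Password".
DEFINE VARIABLE iTry  AS INTEGER   NO-UNDO.
DEFINE VARIABLE lOk   AS LOGICAL   NO-UNDO.

/* Up to three attempts; a blank user ID is never passed to SETUSERID. */
DO iTry = 1 TO 3 WHILE NOT lOk:
    ASSIGN cUser = "" cPass = "".
    UPDATE cUser cPass BLANK
        WITH FRAME fLogin SIDE-LABELS CENTERED TITLE "Login".
    IF cUser <> "" THEN
        lOk = SETUSERID(cUser, cPass, LDBNAME(1)).
END.
HIDE FRAME fLogin NO-PAUSE.

/* Fail closed: verify that the session really carries a non-blank
   user ID before any application code touches data. */
IF NOT lOk OR USERID(LDBNAME(1)) = "" THEN DO:
    MESSAGE "Login failed." VIEW-AS ALERT-BOX ERROR.
    QUIT.
END.

RUN mainmenu.p.
QUIT.
```

This gates only the application path; as the replies in this thread point out, a session that reaches an editor does not run this procedure at all.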

Posted by robertov on 02-Feb-2011 02:38

Thank you very much for your help!

I've been reading about the migration to 10.3B and I think that it can be "easier" than I initially thought, as you said.

I'm working on it,


Posted by Thomas Mercer-Hursh on 02-Feb-2011 11:44

10.3B will be a little tricky, but 10.2B is probably compile and go.     If there is anything that needs fixing, it is usually just a new keyword which you have used as a variable or field name.   You can always use the keyword forget list to get past that, but of course, you won't be able to use the functionality associated with that keyword while it remains on the forget list.  If you are using ADM or another framework, your first step should be to bring the old framework with you instead of using the one in the new release.  Then, at your leisure, you can explore moving to the new framework.

Do this during the year and you will be ready for 11.0 where the multi-tenant facilities will add new security options.  Come to PUG Challenge Americas to hear about multi-tenancy and the Client-Principal object which can be used for security issues in many ways.

Or ... drop me a line and I can help with the migration and goal setting for the future.

Posted by robertov on 04-Feb-2011 03:44

I was wrong, the version of the OpenEdge evaluation kit is 10.2B, not 10.3B. I don't have major problems right now; I followed these steps:

* I've converted the 9.1B database using the -conv910 option. All OK.

* For the code, as the application is using ADM, I've added the 9.1B's adm library to the project.

* I've compiled the code without errors (I have warnings related to visual problems, fonts not defined, etc)

* I've launched the app with the -noint64 option (I don't know if this is correct). I had visual problems, all the windows are scaled down and I have problems with fonts not defined. Nothing that can't be solved with more or less work re-designing the windows. (We want to restyle the app, so this is not a problem.)

* I didn't notice any database errors; queries seem to run well.

I only have one question: I didn't find Report Builder in AppBuilder; is it not available anymore?

Thank you again!!

Posted by kevin_saunders on 04-Feb-2011 04:13

robertov wrote:

I only have one question: I didn't find Report Builder in AppBuilder; is it not available anymore?

Thank you again!!

No, as of OE10, Report Builder is no longer available (only the runtime is, as far as I remember).
