Creation password at runtime
Bruce Easton
bruce at stn.com
Mon Feb 5 10:16:48 PST 2007
(comments posted inline, primarily in response to Jay Ashworth's post)
> Joe Chasan wrote on Monday, February 05, 2007 8:38 AM:
>
> On Sat, Feb 03, 2007 at 02:53:01PM -0500, Jay R. Ashworth wrote:
> > On Fri, Jan 19, 2007 at 10:02:14AM -0500, Cesar Davila Jr wrote:
> > > I've been working on this with Bruce and we understand what
> you are saying
> > > and agree with it. So we did as suggested and placed the
> lookups in the
> > > processing tables without the variable names so that we can
> be prompted for
> > > the creation passwords when we tokenize.
> > >
> > > What we are encountering is that the user is being prompted
> for the creation
> > > password when they start using the application. The users are
> not "creating"
> > > anything other than data. In fact, the application Bruce is
> working on is
> > > simply trying to browse a series detail files.
> >
> > I believe those two paragraphs are contradictory, alas.
Jay - yes they are. However, if you read my posts subsequent
to the one you've referenced on this topic, I think you will
discover that I do NOT agree with the current design and behavior.
You've replied to something that had a fair amount of discussion
and consideration since Cesar's post.
> >
> > A creation password is prompted for when a lookup to the file it
> > protects is "bound" by filepro. With fixed-named lookups, that binding
> > happens at compile time.
> >
> > With variable-named lookups, that binding does not happen until
> > runtime.
> >
Yes, I think most of us can now see that is the current method
and behavior. I contend that any checking/handling/"binding"/
what-ever-you-want-to-call-it of creation authority, thereby
prompting for Creation Passwords at RUNTIME is WRONG. It makes,
as I've pointed out, filePro's original definition of the purpose
and usage of the Creation Password misleading. As a developer,
you cannot produce code with variable-named lookups, tokenize it
and sell just the tokenized software to a client without the
client's end-users getting prompted at runtime for creation
passwords.
Passwords that you may not want the client to know
at all, and/or that the client probably does not want to be
bothered with. And, asking for these passwords at runtime,
introduces authority decisions for the client regarding format
protection and their personnel. The client now has to keep track
of who (people that come and go) knows creation passwords that
were created by (and probably only for) the developer. To me,
going near any of the runtime programs with this check is bad.
And if someone really wants to use Creation Passwords in this way
at runtime, then, please, at least call it something else.
> > I understand your problem, but I also understand their implementation,
> > and I see why the other requirements of their implementation lead to
> > this requirement.
Yes, I think maybe I can understand how filepro arrived at
this behavior. Let's jump back for a moment to filepro prior
to 4.8, where you had quickstart and creation passwording,
but no variable name-lookuping. The creation password checking
that was only manifesting itself in creation programs was working
as advertised, but really had the additional feature (to me,
more than what was defined in the manual) of protecting views
of data via lookups. Had nothing to do with protecting formats
as advertised, but by having this added feature, together with
passwording screens, menus, etc. could sort of protect views of
the data via lookups between even different developers in the
same shop. And it could do so without even having to store
anything extra besides the creation password in the maps - I think
that part was neat for what it offered. But the original
advertised definition and purpose, in my mind was already askew
when it came to lookups, again, since part of filepro's definition
of the Creation password is "This password does not, however,
affect who can or cannot see and change your records - runtime
operations are protected separately with individual passwords."
(3.0 manual) Therefore, even under *cabe, how does asking for a
Creation Password (CP) when looking up from another file jeopardize
the formats or file structure of the file (map/out/prc/screen, etc.)
that has the CP? It doesn't. One has to argue that the lookup
in the file that is looking into the file with the CP is itself
a format of the file that has the CP. I can live with that. But
it's purpose is now protecting viewing of data, not being able to
alter any formats nor file structure that reside in the filepro
directory of the file that has the CP. I'm fine with that too,
because, as a developer, you can live with it and keep it away
from runtime clients. It is when we try to bring this prompting
of the CP over to the runtime programs that I have a problem.
So until this newer behavior with the advent of variable-named
lookups, the lookup behavior of CPs in *cabe has served well for
certain applications. (Say developing software for in-house use,
but even then, as John E. pointed out, if people "in-house" can get
to vi key files and such, then it's easy to get around that type of
application of creation passwording. And if you only allow certain
users controlled menu access to your system, and no development
functions, then you don't even need to bother with CPs. So I guess
the really bad idea of introducing prompting of creation passwords
at runtime was to not create a data security loophole with the
advent of variable-named lookups; moving foward along on a track to
me that was already off-course for the sake of consistency and
backward compatibility - fine. And I am certainly happy that the
implementation of variable-named lookups did not take longer than
it did.
> >
> > And, honestly, I don't see any way they can satisfy those requirements
> > and not cause this problem.
Well, what Joe wrote below, which was suggested previously - very
neat, very simple, is one of a few suggestions that you may have
missed. One, which I had suggested, calls for the *cabe program to
allow the operator to ask to be prompted for files that do not have
hard-coded lookups in the table - and for each of those files, to
then prompt if necessary for a creation password. I think I called
it "pre-authorization." (If interested, see earlier posts regarding
how this could be done and how it could be backward compatible.) But
what is below, I would think, is all that is needed, especially since
I view this as a patching something that has already headed in the
wrong direction. If protection of viewing/updating data is the
concern, then as others have indicated, there is a lot more to
consider than just the prompting of some password at runtime.
>
> if the lookup exists elsewhere in the prc table in hardwired form, then
> lookup to same filepro file or filepro file/qualifier combo using a
> variable can be excluded from such checks. this satisfies both
> requirements but apparently would have to be a wishlist item for
> a future change/release as it is not coded that way right now.
>
Joe, thanks for reminding us of this simple idea that John had
thought was already in place. Hopefully, if it is implemented,
it will be done so that the hard-wired lookup just needs to be
scanned by *cabe and doesn't have to executed by the program.
Bruce Easton
STN, Inc.
More information about the Filepro-list
mailing list