User Level Security and Data Access Pages

Guest

Hi Guys

I'm having a problem getting User Level Authentication to work for a Data Access Page.

I have managed to get the page to work without any security in a Three Tier configuration and I am now working on securing it. I am attempting to use the User Level Authentication features of Access to secure the database. I have the Jet OLEDB setting for System database set to the file path of the workgroup information file and in Access design mode, it works (before I set "UseRemoteProvider" to True).

I'm not getting a prompt for user name and password when the DAP tries to connect to the database. It acts as if it is trying to use an account to log onto the database but the username and/or password is not in the database.

I currently have IIS set up for Anonymous Access to the page. Changing it does not prompt me for the Database security.

Also, if I looked at the code of the Data Access Page, I can find the user id for the account I used for the test connection in MS Access design mode. I have changed this and done some editing of the ODC file and most of the time I get a "Data Provider Failed While Executing a provider command" followed by a "you do not have the necessary permissions" for the mdb file.

If I set a password for the database, I do get a password prompt but it will not accept the correct password.

Any ideas as to where the problem is?
 
Eric Butts [MSFT]

Hi,

It's possible that you are running into a known issue within Microsoft Access 2002. Thereby, try the following as a workaround:

Place the workgroup information file in the Extended Properties property in the connection string:

Extended Properties=Jet OLEDB:System database=c:\inetpub\wwwroot\databases\test.mdw

Since the user will not be automatically prompted, create a second htm file called authenticate.htm. This page has two text boxes (one is a password type text box). One text box is for user id and one is for the password. The command button on the page writes two cookies and opens the data access page. Then, on the data access page, read the cookies into the connection string (code is similar to that found in 253976).

The following script was added to the data access page in the HEAD section of the page:

<SCRIPT language="VBScript">
' Return the value of the named cookie from Document.Cookie.
Function readCookie(strVariableName)
    Dim intLocation
    Dim intNameLength
    Dim intValueLength
    Dim intNextSemicolon
    Dim strTemp
    ' Calculate length and location of variable name.
    intNameLength = Len(strVariableName)
    intLocation = Instr(Document.Cookie, strVariableName)
    strTemp = Right(Document.Cookie, Len(Document.Cookie) - intLocation + 1)
    ' Find the position of the next semicolon.
    intNextSemicolon = Instr(strTemp, ";")
    ' If not found, assume you are at the end.
    If intNextSemicolon = 0 Then
        intNextSemicolon = Len(strTemp) + 1
    End If
    intValueLength = intNextSemicolon - intNameLength - 2
    If intValueLength = -1 Then
        readCookie = ""
    Else
        readCookie = Mid(strTemp, intNameLength + 2, intValueLength)
    End If
End Function

' Build the connection string from the cookies written by authenticate.htm.
Document.MSODSC.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0" & _
    ";Data Source=C:\Inetpub\wwwroot\Databases\db1.mdb" & _
    ";User ID=" & readCookie("pUserID") & _
    ";Password=" & readCookie("pPWD") & _
    ";Extended Properties=Jet OLEDB:System database=C:\inetpub\wwwroot\databases\test.mdw" & _
    ";Mode=Share Deny None" & _
    ";Persist Security Info=False"
Document.MSODSC.UseRemoteProvider = True
</SCRIPT>


Authenticate.htm contains the following HTML and script:

<HTML>
<HEAD>
<TITLE>Authenticate User</TITLE>
<SCRIPT language="VBScript">
' Store one name=value pair as a cookie.
Sub writeCookie(strVariableName, varVariableValue)
    Document.Cookie = strVariableName & "=" & varVariableValue
End Sub

' Save the entered credentials as cookies, then open the data access page.
Sub openDAP()
    Dim varUserID
    Dim varPWD
    varUserID = document.all.txtUserID.value
    varPWD = document.all.txtPWD.value
    writeCookie "pUserID", varUserID
    writeCookie "pPWD", varPWD
    ' Change "server" to the name of your server.
    window.navigate("http://server/databases/Employees.htm")
End Sub
</SCRIPT>
</HEAD>
<BODY>
<FORM id="form1">
<TABLE>
<TR>
<TD>User Name:</TD>
<TD><input type="text" name="txtUserID" size="20"></TD>
</TR>
<TR>
<TD>Password:</TD>
<TD><input type="password" name="txtPWD" size="20"></TD>
</TR>
</TABLE>
<P><input type="button" value="Open DAP"
name="B2" onClick="openDAP()"></P>
</FORM>
</BODY>
</HTML>


I hope this helps! If you have additional questions on this topic, please
respond back to this posting.


Regards,

Eric Butts
Microsoft Access Support
(e-mail address removed)
"Microsoft Security Announcement: Have you installed the patch for
Microsoft Security Bulletin MS03-026? If not Microsoft strongly advises
you to review the information at the following link regarding Microsoft
Security Bulletin MS03-026
<http://www.microsoft.com/security/security_bulletins/ms03-026.asp> and/or
to visit Windows Update at <http://windowsupdate.microsoft.com/> to install
the patch. Running the SCAN program from the Windows Update site will help
to insure you are current with all security patches, not just MS03-026."

This posting is provided "AS IS" with no warranties, and confers no rights


--------------------
| Newsgroups: microsoft.public.access.security
| From: "=?Utf-8?B?U2hhbm5vbg==?=" <[email protected]>
| Subject: User Level Security and Data Access Pages
| Date: Tue, 11 May 2004 10:01:07 -0700
|
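
Added example (not part of the original posts and not Microsoft's code): a JavaScript port of the readCookie lookup from the reply above, run against constructed cookie strings, next to an exact-name lookup and a value check applied before the cookie values are concatenated into the connection string. readCookieExact, isSafeConnValue, buildConnectionString and the sample cookies are hypothetical names and data; the character rules in isSafeConnValue are a conservative assumption, not a documented Jet requirement.

```javascript
// Port of the thread's readCookie: locates the name with a substring search.
function readCookieNaive(cookie, name) {
  const loc = cookie.indexOf(name) + 1;            // InStr: 1-based, 0 = not found
  const tmp = cookie.slice(Math.max(0, loc - 1));  // Right(cookie, Len - loc + 1)
  let semi = tmp.indexOf(";") + 1;
  if (semi === 0) semi = tmp.length + 1;           // no ';' means end of string
  const len = semi - name.length - 2;
  if (len === -1) return "";
  const start = name.length + 1;                   // Mid(tmp, nameLen + 2, len)
  return tmp.slice(start, start + Math.max(0, len));
}

// Exact-name lookup: split on ';', compare the whole name, null when absent.
function readCookieExact(cookie, name) {
  for (const part of cookie.split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return null;
}

// Conservative check (assumption): refuse values that could end the current
// keyword or open a quoted section inside the connection string.
function isSafeConnValue(value) {
  return typeof value === "string" && value.length > 0 && value.length <= 64 &&
    !/[;"'\x00-\x1f]/.test(value) && value === value.trim();
}

// Build the thread's connection string only from validated cookie values.
function buildConnectionString(cookie) {
  const user = readCookieExact(cookie, "pUserID");
  const pwd = readCookieExact(cookie, "pPWD");
  if (!isSafeConnValue(user) || !isSafeConnValue(pwd)) return null;
  return "Provider=Microsoft.Jet.OLEDB.4.0" +
    ";Data Source=C:\\Inetpub\\wwwroot\\Databases\\db1.mdb" +
    ";User ID=" + user + ";Password=" + pwd +
    ";Extended Properties=Jet OLEDB:System database=C:\\inetpub\\wwwroot\\databases\\test.mdw" +
    ";Mode=Share Deny None;Persist Security Info=False";
}

// Constructed sample cookie strings (not from the thread).
const SAMPLE_OK = "xpUserID=other; pUserID=alice; pPWD=s3cret";
const SAMPLE_BAD = "pUserID=al'ice; pPWD=s3cret";
```

With SAMPLE_OK the substring search returns the value of the unrelated xpUserID cookie, and with a missing cookie it returns a fragment of whichever cookie comes first; the exact-name lookup returns the intended value or null.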
 
Guest

Ok, I'm confused about the workaround. I've gotten the cookie gen page working (after I figured out that I needed to remove the semicolon in the window.navigate method) but I'm still having a problem with the DAP page. I've added the VBScript to the top of the <HEAD> section and in the VBScript there is a "Document.MSODSC.ConnectionString".

Do I need to do anything to the <a:ConnectionString> in the XML object, MSODSC, that Access 2002 created when I made the DAP? (I think it's an XML object. It begins with <OBJECT id=MSODSC tabIndex=-1 classid=CLSID:0002E553-0000-0000-C000-000000000046 VIEWASTEXT><PARAM NAME="XMLData" ...)

I'm not getting any error messages but I'm not getting any data as well.


 
