© 2018 Capita Business Services Ltd. All rights reserved.

Capita Education Software Solutions is a trading name of Capita Business Services Ltd. Our Registered office is 30 Berners Street, London, W1T 3LR and our registered number is 02299747. Further information about Capita plc can be found in our legal statement.

Local API - SIMS Logins for Web Applications

How SIMS .Net Logs In

In normal use the SIMS .Net Login APIs are not ‘reentrant’. By ‘normal use’ we mean that the APIs are used in a similar way to the way that SIMS .Net itself uses them. In the case of Login, SIMS .Net never attempts to change the logged-in user from A to B after the initial successful login has occurred.

Windows (or NT) Users

SIMS .Net supports Windows users in addition to SQL users. In this case, the only Windows user that is supported is the currently logged-in user.

public static string GetWindowsUser()
{
    // The only Windows user SIMS .Net supports: the account running this process.
    return System.Environment.UserDomainName + "\\" + System.Environment.UserName;
}

There is no need to know or to prompt for the password because the NT user is already authenticated. SIMS does not store NT passwords, except for the initial passwords used by our Active Directory Provisioning Service product, and in that case the AD passwords are not known to SIMS once an account goes live.

Where NT users are used (any login name with a “\” character in it), simply pass in “” as the password and it will always work.

public static string GetWindowsUserPassword()
{
    // There is no password to obtain: the current Windows user is already
    // authenticated, so callers pass "" as the password for any DOMAIN\user login name.
    throw new Exception("SIMS has no way of getting an NT user's password; the currently logged in user is already authenticated.");
}


An attempt to log in to SIMS as “DOMAIN\USER”, where that is not the current Windows user but the currently logged-in Windows user is a valid SIMS user, may give a false positive result, and the converse may give a false negative result. There are no plans to modify SIMS .Net to support an alternative Windows user.

In theory, a similar result could be achieved simply by using the Windows ‘runas’ command, which would create a new process under the account of the alternative user. Obviously there would be no communication between processes running under different credentials.

Avoiding Reentrancy

There are a number of methods that may work. It is, however, key that we point out that the SIMS .Net APIs are not used by ESS SIMS in this way.

Method 1 – Service Account

Pro: Avoids reentrancy.

Con: SIMS .Net calls are not attributable directly to the calling user.

Typically, web-based systems want to allow different users to access the same web resources without having to create new processes.

For example, a method may need to get pictures on behalf of a number of users. We have created a queue concept below to illustrate the idea. The method is as follows, but relies upon the creation of a service account with appropriate high-level access and on the Partner System itself deciding what a user can or cannot do. In this case the user names are solely those of the partner system. This concept works fine; we would, however, recommend taking the login away from a method that can be called many times and exercising the ‘Login to SIMS’ call only once.

/// <summary>
/// Service account method
/// </summary>
public void GetPicturesMethodA()
{
    // Queue is the set of requests for pictures: the id of the image, the partner
    // user requesting it and their password are stored in the queue.
    // Queue and QueueMember are the sample application's own illustrative types.
    Queue q = new Queue();
    q.Add(1, "partnerSystem_blacka", "abcd");
    q.Add(2, "partnerSystem_blackb", "abcd");
    q.Add(3, "partnerSystem_blackc", "abcd");
    q.Add(4, "partnerSystem_blackd", "abcd");
    q.Add(5, "partnerSystem_blacke", "abcd");
    q.Add(6, "partnerSystem_blackf", "abcd");
    // SIMS only ever sees the service account; it is logged in exactly once.
    string serviceAccountUser = textBoxUser.Text;
    string serviceAccountPassword = textBoxPassword.Text;
    if (BLink.LoginHelper.SIMSlogin(textBoxServer.Text, textBoxDatabase.Text, serviceAccountUser, serviceAccountPassword))
    {
        while (true)
        {
            QueueMember m = q.Next();
            if (m == null)
            {
                break;
            }
            else
            {
                // Authorisation is decided by the partner system, not by SIMS.
                if (CheckPermissionsInThePartnerSystem(m.User, m.Password))
                    GetPicture(m.ImageId);
            }
        }
    }
}
public static bool CheckPermissionsInThePartnerSystem(string user, string password)
{
    // Over to the partner system to decide what this user can and can't do
    return true;  // to make it compile!
}

NB: The advice suggests that a service account model will work for applications that need, in effect, to service calls from multiple users. It also clearly identifies the need for partner systems to manage their own security in such designs. Please note the caveat at the end of the document with regard to SIMS .Net being single threaded.
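Method 1 written as a single-login gateway, added here as an example and not code from the page or from ESS: the ISimsBinaries interface, SimsServiceGateway and the partner ACL are assumed names, and the interface stands in for the SIMS calls so the example compiles without the SIMS assemblies.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical seam over the two SIMS calls used on this page, so the example
// compiles without the SIMS assemblies; a real implementation would call
// BLink.LoginHelper.SIMSlogin and GetPicture.
public interface ISimsBinaries
{
    bool Login(string server, string database, string user, string password);
    byte[] GetPicture(int imageId);
}

// One SIMS session per process: the service account logs in exactly once and
// every SIMS call is serialised, because SIMS .Net is single threaded and its
// login is not reentrant.
public sealed class SimsServiceGateway
{
    private readonly object _simsLock = new object();
    private readonly ISimsBinaries _sims;
    private readonly string _server, _database, _user, _password;
    private readonly IDictionary<string, ISet<int>> _partnerAcl; // partner user -> image ids
    private bool _loggedIn;

    public SimsServiceGateway(ISimsBinaries sims, string server, string database,
                              string serviceUser, string servicePassword,
                              IDictionary<string, ISet<int>> partnerAcl)
    {
        _sims = sims; _server = server; _database = database;
        _user = serviceUser; _password = servicePassword; _partnerAcl = partnerAcl;
    }

    public byte[] GetPictureFor(string partnerUser, int imageId)
    {
        // Authorisation is the partner system's responsibility: SIMS only ever
        // sees the service account, so the check must happen here, before the call.
        if (!_partnerAcl.TryGetValue(partnerUser, out ISet<int> allowed) || !allowed.Contains(imageId))
            throw new UnauthorizedAccessException(partnerUser + " may not read image " + imageId);
        lock (_simsLock)   // serialise all SIMS access; never interleave calls
        {
            if (!_loggedIn)
            {
                if (!_sims.Login(_server, _database, _user, _password))
                    throw new InvalidOperationException("SIMS service account login failed");
                _loggedIn = true;   // the one and only login for this process
            }
            return _sims.GetPicture(imageId);
        }
    }
}
```

A web request handler calls GetPictureFor with the partner user it has already authenticated; the SIMS login happens once, on the first call, and is never repeated for a different user.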

Method 2 – NT Authentication

Pro: Uses the actual SIMS users and does not require a SIMS service account.

Con: Has to spin up a process for each SIMS user under their NT credentials.
     Only works if the web server is in the same domain as the application tier.

Each process logs in to SIMS once. NT authentication would be required if it is simply to be passed through to the SIMS .Net binaries. It is single threaded [see link at the foot of the document]. Please note that this solution would need to be tested under load. SIMS .Net is a comprehensive application and was designed to be used as a Windows Forms application. Many customers run SIMS .Net on terminal servers, which is a similar concept in so far as multiple copies of SIMS .Net run on the terminal server under different user accounts.

Please note that the diagram shows the principles involved. Partners would of course have to ensure that they were able to demonstrate the security principles that underpin their solution, and Partners are asked to note that ESS would not wish to comment on the design of partners’ systems except for how they use the SIMS binaries.

Method 3 – SIMS Stateless APIs

These are no longer available or supported.

Other Methods

There is no suggestion that these are the only methods that can work.

Subject to a suitable support contract being in place, the SIMS Partner Development Support Team would be happy to comment on alternative solutions from a SIMS perspective; the web end of the engineering would be beyond our remit and likely skill set. There is, however, no substitute for testing any solution under load.

Reentrancy

WARNING – THIS DOES NOT WORK – Using SIMS to do multiple authentications in one process does not work.

public void GetPicturesMethodA()
{
    // Queue is the set of requests for pictures: the id of the image, the
    // user requesting it and their password are stored in the queue.
    // Queue and QueueMember are the sample application's own illustrative types.
    Queue q = new Queue();
    q.Add(1, "blacka", "abcd");
    q.Add(2, "Domain\\blackb", "abcd");
    q.Add(3, "blackc", "abcd");
    q.Add(4, "Domain\\blackd", "abcd");
    q.Add(5, "blacke", "abcd");
    q.Add(6, "blackf", "abcd");
    while (true)
    {
        QueueMember m = q.Next();
        if (m == null)
        {
            break;
        }
        else
        {
            // Logging in as each user in turn is the reentrant use that SIMS
            // .Net does not support: the second login reuses the first user's caches.
            if (BLink.LoginHelper.SIMSlogin(textBoxServer.Text,
                    textBoxDatabase.Text, m.User, m.Password))
            {
                GetPicture(m.ImageId);
            }
        }
    }
}

Looks a lot easier to code! But as pointed out above, the domain users in the list cannot both work. That is, however, not the only shortcoming of the method above. The code snippet below allows an application to check whether the user has a specific SIMS permission.

if (SIMS.Entities.Cache.ProcessAvailable("ThirdPartyUserManagement"))
{
    // High level: the current user holds the ThirdPartyUserManagement permission
}

In the sample application, ThirdPartyUserManagement is a high-level permission which ‘BlackA’ above has. ‘BlackC’ does not have the permission.

If you log in as ‘BlackA’ followed by ‘BlackC’ as above, then ‘BlackC’ will also appear to have that permission. Whilst this is an incorrect result from the perspective of my sample application, the situation would not arise in the normal use of SIMS.

The reason for the behaviour is that ‘Logout’ has no need to clear any of the caches that are built up whilst SIMS is in use. In the case of SIMS .Net, ‘Logout’ is always followed by a guaranteed ‘Application Exit’. Ergo this behaviour is not a bug and is unlikely to change.
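A constructed model of the cache behaviour just described, added here as an example and not code from the page or from ESS: CachedSimsModel, its permission table and SafeLogin are assumptions that stand in for the SIMS binaries, and the user names and the ThirdPartyUserManagement permission are the ones used on this page.

```csharp
using System;
using System.Collections.Generic;
// Constructed model of the behaviour described above (not the SIMS binaries):
// the permission cache is filled by the first login and Logout leaves it
// intact, because in SIMS .Net Logout is always followed by process exit.
public static class CachedSimsModel
{
    // Constructed sample data: which SIMS user holds which permission.
    private static readonly Dictionary<string, HashSet<string>> Permissions =
        new Dictionary<string, HashSet<string>>
        {
            ["blacka"] = new HashSet<string> { "ThirdPartyUserManagement" },
            ["blackc"] = new HashSet<string>(),
        };
    private static HashSet<string> _cache;   // process-lifetime cache, never cleared
    private static string _firstUser;        // who the process first logged in as

    public static bool Login(string user)
    {
        if (!Permissions.ContainsKey(user)) return false;
        if (_cache == null) _cache = Permissions[user];   // only the first login populates it
        if (_firstUser == null) _firstUser = user;
        return true;
    }
    public static void Logout() { }   // deliberately does not touch _cache
    public static bool ProcessAvailable(string process) => _cache != null && _cache.Contains(process);

    // Guard a partner system can apply: a second login as a different user in the
    // same process would be answered from the first user's cache, so refuse it.
    public static bool SafeLogin(string user)
    {
        if (_firstUser != null && !string.Equals(_firstUser, user, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Process already logged in as " + _firstUser
                                                + "; start a new process for " + user);
        return Login(user);
    }

    // The sequence from the text, blacka then blackc in one process.
    // Returns (true, true): the second value is the false positive.
    public static (bool forBlackA, bool forBlackC) Demonstrate()
    {
        Login("blacka");
        bool a = ProcessAvailable("ThirdPartyUserManagement");
        Logout();
        Login("blackc");
        bool c = ProcessAvailable("ThirdPartyUserManagement");
        return (a, c);
    }
}
```

Replacing the second Login call in Demonstrate with SafeLogin makes the process refuse the switch instead of returning blacka's cached answer for blackc.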

Best Practice for Partner Systems Logging in To SIMS.

In the same way as SIMS .Net, ESS recommends that partner systems implement a ‘3 tries and you are out’ login policy, and reserves the right to enforce this at a later date.

Conclusion, Guidance and Warning

In case of any ambiguity: ESS will not support partners using the techniques identified above as unsuitable for use.

SIMS does not support multi-threading, and there are separate documents that describe the considerations that need to be addressed when, for example, using SIMS .Net APIs in a web-type environment. Please ask the SIMS Partner Development Support Team for a copy of the document or, if you have access to Support Net, use the links below.

Using SIMS DLLs for Web Applications

Writing SIMS Links for Web Applications

Advice and Consultancy 

We would recommend that partners considering any significant new development obtain consultancy from ESS SIMS.