October 28, 2007
[Tip] Servoy Tip for Lost Passwords
by Michael Mooney
IT Consultant and Architect
Ok. I'm in my 50's and guess what? I forgot my password! My old Servoy solution was hopelessly mired in the despondency-slough-of-MD5-or-some-other-encryption-scheme. And I *needed* some of that old code I had written. After all, a re-write was going to foul up a trip out for an espresso. And I wasn't in the mood that day for advanced byte-level hacking and algorithm extraction. So ...
Here's a simple tip for getting into that old solution:
1. Go into the database repository for the solution you need to pry open. BACK IT UP !!! (no exceptions!) You will need your standard database tool to do this. Since we are on Postgres, this would be pgAdmin or another third-party tool. Sybase users can go in through Sybase Central or an equivalent tool. Make sure Servoy is shut down before doing any of this.
2. Open up the servoy_users table. You will see the registered users for the login process complete with their encrypted password.
3. Delete all user rows in servoy_users. Since you are (or should be) developing in a separate repository from testing-QA or production, this shouldn't be a major problem. Don't destroy the table or you will break things. Watch for orphaned records in servoy_user_groups and servoy_user_properties (I didn't have much going on here, so this orphaned record point is not heavily tested). Note point 1 on the importance of your repository database backup: break the repository without a working database backup and your fun will begin for sure. If you are unsure about messing about with the repository then, please, stay out !!! Or, if you are learning, take small steps with adequate safety nets in place (tested backups).
4. You now have an unsecured solution. Go back into Servoy and re-open the solution. Go back into Servoy security and re-set the Admin user and password. You can now get at that lost code. 5 minutes later and I was able to go get my espresso (phew! close call).
All of this tells us TWO IMPORTANT LESSONS:
1. PROTECT YOUR SERVOY REPOSITORY WITH APPROPRIATE DATABASE SECURITY. This is your first line of defence against intrusions. Open up the database and "the world is your oyster" (if you are a hacker). The method above assumes you have appropriate levels of database security to perform the above operation. Servoy can't be held responsible for sloppy database access controls. Storage of passwords in encrypted rows is a *routine* security method. This security method *assumes* the database itself is secured against exploits!
2. SECURITY IS OPEN UNTIL EXPLICITLY RESTRICTED. It is the existence of a servoy_users row in the repository database (coupled with the Administrator property) that really starts solution lockdown (yes, there are additional security things going on in the properties file at startup ...). Guard this database table (and its rows) as noted in my previous point.
3. EAT FISH - it is good brain food and helps memory cells. Saves on hacks. Oh yes, that was TWO Lessons wasn't it ... :-)
Enjoy,
M^2
Posted by David Workman on October 28, 2007 at 05:30 PM in Tips
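Lesson 1 above can be checked directly on a Postgres repository. The following is an added example, not part of the original post or of Servoy: it lists every role able to change the three security tables named in the tip, then restricts them to one account. It assumes the tables are on the `search_path` and uses `servoy_repo` as a hypothetical name for the role Servoy connects with.

```sql
-- Added example. Assumptions: PostgreSQL repository, tables on the search_path,
-- "servoy_repo" is a hypothetical role name for Servoy's own connection.

-- 1. Audit: which roles can currently change the security tables?
--    Superusers always appear, because they bypass privilege checks.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       t.tbl AS table_name,
       has_table_privilege(r.rolname, t.tbl, 'INSERT')   AS can_insert,
       has_table_privilege(r.rolname, t.tbl, 'UPDATE')   AS can_update,
       has_table_privilege(r.rolname, t.tbl, 'DELETE')   AS can_delete,
       has_table_privilege(r.rolname, t.tbl, 'TRUNCATE') AS can_truncate
FROM pg_roles AS r
CROSS JOIN (VALUES ('servoy_users'),
                   ('servoy_user_groups'),
                   ('servoy_user_properties')) AS t(tbl)
-- A comma-separated privilege list is true if ANY listed privilege is held.
WHERE has_table_privilege(r.rolname, t.tbl, 'INSERT, UPDATE, DELETE, TRUNCATE')
ORDER BY t.tbl, r.rolname;

-- 2. Lock down: remove the blanket PUBLIC grant and leave write access
--    only with the role Servoy uses. The privilege set granted here is an
--    assumption; adjust it to what your Servoy version actually needs.
BEGIN;

REVOKE ALL ON TABLE servoy_users,
                    servoy_user_groups,
                    servoy_user_properties
  FROM PUBLIC;

GRANT SELECT, INSERT, UPDATE, DELETE
  ON TABLE servoy_users,
           servoy_user_groups,
           servoy_user_properties
  TO servoy_repo;

COMMIT;

-- 3. Re-run the audit query. REVOKE ... FROM PUBLIC does not touch grants
--    made to individual roles, and the table owner keeps full rights, so
--    any remaining non-superuser rows need their own REVOKE.
```

Any login role that still shows up in the audit after step 2 can perform the row deletion described in the tip, so that list is the one to review.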
Comments
Thanks for this tip Michael, can get pretty handy if (or rather when) we get locked out of our solutions. This from a guy who eats fish every week... ;~)
Posted by: Ben Savignac | Oct 29, 2007 6:56:04 AM
NOTE that this will not work if your solution is protected with a developer password (at export).
Posted by: Jan Aleman | Nov 2, 2007 4:58:29 AM