How to submit the login info through Desktop API?

  • How to submit the login info through Desktop API?

    Hi,

    I just set foot on the Desktop API. My question must be very simple to most of you guys.

    IHook only has a 'SetApplication' method for entitling a third-party application. I wonder how user authentication is done in Desktop API?

    Any hint?

    Thank you

    Jason Ruan

  • #2
    Self-Answer

    I think I know the answer now.

    The customer login is set in the DataManager manually. A 3rd party application is not required to turn in this information.

    Am I right?!



    • #3
      Re: How to submit the login info through Desktop API?

      Originally posted by jasonR
      IHook only has a 'SetApplication' method for entitling a third-party application. I wonder how user authentication is done in Desktop API?

      If I understand the question, user authentication is also done via SetApplication. Instead of passing the entitled app name, you just pass your normal eSignal username. If you have added the ActiveX control entitlement to your account via the Account Management page, then you are all set.

      Does that answer your question?

      Cheers... George



      • #4
        Re: Re: How to submit the login info through Desktop API?

        Originally posted by GenSpoo
        If I understand the question, user authentication is also done via SetApplication. Instead of passing the entitled app name, you just pass your normal eSignal username. If you have added the ActiveX control entitlement to your account via the Account Management page, then you are all set.

        Does that answer your question?

        Cheers... George

        Yes. Now I understand that there are actually two kinds of Authentications. One for Customers, which is set in the Data Manager manually; the other is for the applications, which is done through SetApplication. In other words, in order to use eSignal Data, both the user and the application that the user is using have to be entitled.

        However, it appears to me that there is a security problem. If one guy knows the entitlement of an authorized application, he can then simply develop a program, cheating the DataManager by saying 'Hey, I am ***'. Isn't it?

        Jason Ruan



        • #5
          Re: Re: Re: How to submit the login info through Desktop API?

          Originally posted by jasonR
          Yes. Now I understand that there are actually two kinds of Authentications. One for Customers, which is set in the Data Manager manually; the other is for the applications, which is done through SetApplication. In other words, in order to use eSignal Data, both the user and the application that the user is using have to be entitled.

          Yes, there are two types of strings that can be used to authenticate. Both require calls to SetApplication. If you are a developer with the entitlement, then you pass the username you have in your Data Manager to SetApplication.

          However, it appears to me that there is a security problem. If one guy knows the entitlement of an authorized application, he can then simply develop a program, cheating the DataManager by saying 'Hey, I am ***'. Isn't it?

          Good question. Maybe Robi can shed some light on this. I imagine there must be some sort of agreement signed where the app developer agrees not to share his entitlement string. But, unless he encrypts it in the binary, a little time with a hex editor could yield the string. Or maybe there is some sort of hash of the executable that is sent with the request behind the scenes (the downside being a new entitlement registration would need to be granted for each bug fix, feature addition, etc.).

          Cheers... George



          • #6
            SetApplication

            The SetApplication functionality is not very clear and I just figured it out. Here it is:

            There are 2 different entitlements: 1 to develop with the API (AXQ) and 1 to use applications that access the API (AXH).

            While developing with the API, use your USERNAME as the application string in SetApplication. When you are finished developing your app and want it available for distribution to end users, we certify it and send you an application string which should replace your USERNAME in SetApplication. An end user needs to go into Customer Support -> Account Maintenance or here and set the bit on. If you are developing for a known set of end-users, we can turn on that bit for entire groups at a time. Obviously any user with the AXQ turned on will be able to use any 3rd party application. The string allows us to track who is using what and how often - so we know which applications are popular.

            There is no security leak because you still need a valid username and password to use the 3rd-party application (which actually uses winsig.exe) and there can only be one username connected at any one time on any of our servers.

            I hope this clarifies things.

