Kbase P159086: How to authenticate connected user on AppServer
Author: Progress Software Corporation - Progress
Access: Public
Published: 13/07/2010
Status: Verified
GOAL:
How to authenticate connected user on AppServer
GOAL:
Strategy for user authentication on AppServer using userid
FACT(s) (Environment):
All Supported Operating Systems
Progress 9.x
OpenEdge 10.x
FIX:
When connecting to an AppServer from a client session there is no direct mechanism for transferring user credentials from the client to the AppServer for database or session authentication. This article assumes that the application database uses the _user table to authenticate against the database. Any other type of authentication would be inserted in place of using the SETUSERID function.
The important aspects of this strategy include passing the userid to the AppServer and using SETUSERID for each interaction with the AppServer agent. After each interaction the user's credentials should be cleared so that the next user accessing the agent isn't mistakenly identified as the user who performed the previous request.
The stateless AppServer operating mode allows multiple users to maintain connections to the same AppServer agent without having to disconnect between requests (RUN statements on the server). The stateless AppServer provides a session-level attribute called SERVER-CONNECTION-CONTEXT, which is a freeform string that can be used to store information such as the userid and password. This string is passed back and forth to/from the AppServer with each request in binary form.
The following steps can be modified as needed depending upon the type of authentication used or the requirements of the application designer:
1) From the client, use the second and third parameters of the CONNECT method to pass the userid and password to the AppServer, or run a login.p procedure on the AppServer to pass this information.
2) If using the second and third parameters to pass credentials to the AppServer, the AppServer should use a connect procedure (as_connect.p) specified in the srvrConnectProc property in ubroker.properties or in the Advanced agent properties in Progress Explorer.
3) In the server-side login.p or as_connect.p, assign the passed userid and password to the SESSION:SERVER-CONNECTION-CONTEXT attribute.
4) If using _user to authenticate against the database, you should have a user in the database with either a blank userid or some neutral userid that can be identified as someone with no credentials to effect changes in the database.
5) Add an Activate procedure (as_activate.p) to the AppServer using the srvrActivateProc property in ubroker.properties or through the Advanced agent properties in Progress Explorer. This is a procedure which fires for every interaction with the AppServer from the client (i.e. RUN procedure ON SERVER).
6) In as_activate.p, take the userid and password from the SESSION:SERVER-CONNECTION-CONTEXT attribute and use them in the SETUSERID function to authenticate the user against the database.
7) Add a Deactivate procedure (as_deactivate.p) to the AppServer using the srvrDeactivateProc property in ubroker.properties or through the Advanced agent properties in Progress Explorer. This is a procedure which fires after the interaction with the AppServer is complete, when the request exits the AppServer.
8) In as_deactivate.p, use the SETUSERID function to authenticate the blank or neutral userid against the database. This ensures that subsequent users of the AppServer agent don't perform transactions using the previous user's id.
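The eight steps above worked through in ABL, as an added example that is not part of the original article or Progress's own code. The AppService name, host and port, the database name "sports", the neutral _User "guest" with a blank password and the CHR(1) delimiter inside the connection context are all assumptions.

```abl
/* Added example, not from the KB article. Each section below is a separate .p file. */

/* ---- client.p: connect, passing credentials as CONNECT's 2nd and 3rd parameters ---- */
DEFINE VARIABLE hServer AS HANDLE  NO-UNDO.
DEFINE VARIABLE lOk     AS LOGICAL NO-UNDO.
CREATE SERVER hServer.
/* Assumed AppService/host/port; the userid/password are handed to as_connect.p. */
lOk = hServer:CONNECT("-AppService asAuth -H apphost -S 5162", "mary", "s3cret", "").
IF lOk THEN DO:
    RUN updorder.p ON SERVER hServer (INPUT 42) NO-ERROR.  /* runs as "mary" on the agent */
    hServer:DISCONNECT().
END.
DELETE OBJECT hServer.

/* ---- as_connect.p (srvrConnectProc): runs once per client connection ---- */
DEFINE INPUT PARAMETER pcUserId   AS CHARACTER NO-UNDO.
DEFINE INPUT PARAMETER pcPassword AS CHARACTER NO-UNDO.
DEFINE INPUT PARAMETER pcInfo     AS CHARACTER NO-UNDO.
/* Store the credentials with the connection, not with the agent; CHR(1) is an assumed delimiter. */
SESSION:SERVER-CONNECTION-CONTEXT = pcUserId + CHR(1) + pcPassword.

/* ---- as_activate.p (srvrActivateProc): runs before every request on this agent ---- */
DEFINE VARIABLE cCtx AS CHARACTER NO-UNDO.
cCtx = SESSION:SERVER-CONNECTION-CONTEXT.
/* A connection that never went through as_connect.p carries no credentials: refuse the request. */
IF NUM-ENTRIES(cCtx, CHR(1)) <> 2 THEN
    RETURN ERROR "No credentials in connection context".
/* SETUSERID checks the password against the _User record and returns FALSE on mismatch. */
IF NOT SETUSERID(ENTRY(1, cCtx, CHR(1)), ENTRY(2, cCtx, CHR(1)), "sports") THEN
    RETURN ERROR "Authentication failed for user " + ENTRY(1, cCtx, CHR(1)).

/* ---- as_deactivate.p (srvrDeactivateProc): runs after every request on this agent ---- */
/* Drop back to the neutral user (assumed "guest", blank password) so the next client's
   request on this agent can never run under the previous user's id. */
IF NOT SETUSERID("guest", "", "sports") THEN
    MESSAGE "as_deactivate.p: could not reset agent to neutral user".  /* goes to the server log */
```

A RETURN ERROR from as_activate.p stops the requested procedure from running and is reported back to the client, so a bad or missing credential never reaches application code.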