...

When authentication is done against the password stored in the SmartUser table of the SmartDB, the User Maintenance form should also allow updating the password stored in this table (e.g. when creating new users). To allow the password field to be updated in the SmartUserViewer, the maintainPasswordInSmartUser setting in the IConfigurationProvider service needs to be set to "true". By default this is read from either the .applicationsettings JSON file (OpenEdge 11) or the .applicationsettings.xml XML file (OpenEdge 10).

...

Security Realms

Introduction


Security Realms describe a specific group of functions for which authorization is maintained using a centralized security assignment and enquiry system.

Security Realms are registered in the Security Realm Maintenance function of the SmartFramework.

...

This dialog allows any menu structure node to be assigned to any user group. Users of that user group will have access to this menu structure as a top-level menu structure.

Security Service

When not provided by specialized services (such as for Security Tokens), the ISecurityService implementations allow developers to query the authorization of the current user for a given security item. The security item is identified by the realm code and the unique identifier of the security item in question (as defined by the security realm service).

There are two security services available:

SecurityService

Server-side security service implementation that implements the actual authorization logic based on the assignments for the user, the assignments of the groups the user is a member of, or the security realm default.

SecurityServiceClient

Caching client side version of the Security Service.


The primary method of the ISecurityService is IsRestricted, which returns whether the current user is denied access to a given function. It can be used like this:

Code block (OpenEdge ABL):

DEFINE VARIABLE oSecurityService                   AS ISecurityService NO-UNDO .

oSecurityService = {Consultingwerk/get-service.i Consultingwerk.SmartFramework.Authorization.ISecurityService} .

/* ... */

IF VALID-OBJECT (oSecurityService) AND oSecurityService:IsRestricted ("SMF":U,
                                                                      eSmartMenu.FunctionGuid) THEN NEXT .
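To make the resolution order described above concrete, here is an added model (not SmartFramework code) of a SecurityService that resolves IsRestricted for a realm code and item id from a user assignment, then the user's group assignments, then the realm default, plus a caching SecurityServiceClient in front of it. The realm "SMF", the users, groups and item ids are constructed sample data; the rule that a user with several groups is restricted only if all of them restrict is an assumption, not documented behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:
    """Security realm with its default and the assignments made against it."""
    code: str
    default_restricted: bool
    user_assignments: dict = field(default_factory=dict)   # (user, item) -> restricted?
    group_assignments: dict = field(default_factory=dict)  # (group, item) -> restricted?

class SecurityService:
    """Server-side model: user assignment, then group assignments, then realm default."""
    def __init__(self, realms, group_members):
        self.realms = {r.code: r for r in realms}
        self.group_members = group_members  # group -> set of user ids

    def is_restricted(self, user, realm_code, item):
        realm = self.realms[realm_code]
        if (user, item) in realm.user_assignments:          # 1. explicit user assignment
            return realm.user_assignments[(user, item)]
        votes = [realm.group_assignments[(g, item)]          # 2. the user's groups
                 for g, members in self.group_members.items()
                 if user in members and (g, item) in realm.group_assignments]
        if votes:
            return all(votes)  # assumption: one granting group is enough
        return realm.default_restricted                      # 3. realm default

class SecurityServiceClient:
    """Client-side model: caches each (user, realm, item) answer from the server."""
    def __init__(self, server):
        self.server, self.cache, self.misses = server, {}, 0

    def is_restricted(self, user, realm_code, item):
        key = (user, realm_code, item)
        if key not in self.cache:
            self.misses += 1
            self.cache[key] = self.server.is_restricted(user, realm_code, item)
        return self.cache[key]

def demo():
    # Constructed sample data: realm default denies, admins are granted func-1,
    # users are granted func-2, and alice is explicitly restricted from func-1.
    smf = Realm("SMF", default_restricted=True,
                user_assignments={("alice", "func-1"): True},
                group_assignments={("admins", "func-1"): False, ("users", "func-2"): False})
    client = SecurityServiceClient(SecurityService([smf], {"admins": {"alice", "bob"}, "users": {"carol"}}))
    out = {}
    for user, item in [("alice", "func-1"), ("bob", "func-1"), ("carol", "func-1"), ("carol", "func-2")]:
        out[f"{user}/{item}"] = client.is_restricted(user, "SMF", item)
    client.is_restricted("alice", "SMF", "func-1")  # second call is served from the cache
    out["cache_misses"] = client.misses
    return out
```

Note that the explicit user restriction on alice wins over her group's grant, and that a client-side cache like this keeps answering from stale entries until it is cleared, so assignment changes made on the server only take effect after the cache is invalidated.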

Validate Class

The Validate class also provides a simple API to query authorization during the validation of updates in a Business Entity. The method IsNotRestricted validates that the user has authorization for a specific data item, identified by a security realm code and the value of the field passed to the Validate:IsNotRestricted method.


Code block: Sample business entity validation (OpenEdge ABL)

FOR EACH eSmartMessage ON ERROR UNDO, THROW:
    Consultingwerk.OERA.Validate:IsNotRestricted (BUFFER eSmartMessage:HANDLE,
                                                  "LanguageGuid":U,
                                                  "SMT":U,
                                                  MessageFormatter:GetMessage ("SFR":U, 200)) .
END.


Additional Security Hooks

Toolbar Authorization Provider

Field Authorization Provider

Request Authorization Provider

Server Session Activator


...

Request Authorization Provider

The request authorization provider is an optional service. The service must implement the IRequestAuthorizationProvider interface and is used by the ServiceInterface when a service is registered against that interface.

The request authorization provider allows requests to the backend of the framework to be verified. Because every call has to pass through the service interface, this is a reliable place to inject any kind of security check, such as authorization for specific business entities or tasks.

See the interface description for further details.

Server Session Activator

The server session activator is not truly a security feature, but it is security related. It is responsible for restoring the session context on the backend. The server session activator reacts to the Activate and Deactivate events of the ServiceInterface class.

We do not provide an interface for the server session activator. We do, however, provide a reference implementation in the form of the ServerSessionActivator, which can also be loaded from a services.xml file. This class, for instance, restores the SessionManager properties and imports the client principal of the Context Dataset into the current security context.