
The SmartFramework contains a series of security related functions (like authentication or authorization) typically required in business applications.

Those functions are designed to be extendable and customizable and allow integration with existing security functions.

Authentication

The standard login dialog LoginForm of the SmartFramework (the login dialog can also be used outside of the SmartFramework) uses the SessionManager static class, which calls into the current IAuthenticationService service instance to actually perform the authentication.

We provide two standard authentication mechanisms, but the list of authentication systems can be extended to match customer requirements.

Database Authentication Service

The DatabaseAuthenticationService class implements the IAuthenticationService interface and provides authentication against a database's _user table. Database-based authentication has come back into fashion with the introduction of multi-tenancy in the OpenEdge database.

The DatabaseAuthenticationService is a client-side API (the client authenticates against the AppServer) and calls into the UserBusinessEntity method PerformDatabaseAuthentication.

The UserBusinessEntity performs authentication against a single database. The logical name of the authentication database is retrieved from the IConfigurationProvider service. By default the database name is read from either the .applicationsettings JSON file (OpenEdge 11) or .applicationsettings.xml XML file (OpenEdge 10) using the authenticationDb entry.

When the company that the user is trying to log in against has a LoginCompanyTenantDomain value assigned, the user is authenticated as <username>@<LoginCompanyTenantDomain>. If not, the user is authenticated as <username> only.

The method PerformDatabaseAuthentication returns the database client principal to the client which maintains it for future AppServer calls in the Context Dataset.

Sample .applicationsettings file
{
    "appServerKeepAlivePeriod":"120",
    "authenticationDb":"sports2000",
    "homePageUrl":"http://www.consultingwerk.de",
    "defaultPartition":"Default",
    "maintainPasswordInSmartUser":"false",
    "systemDescription":"Development",
    "rollbaseRestApiUrl":"https://www.rollbase.com/rest/api/"
}

SmartUser Authentication Service

The AuthenticationService class implements the IAuthenticationService interface and provides authentication against a password stored in the SmartUser table of the SmartDB.

The AuthenticationService performs authentication by trying to retrieve the SmartUser record with the given Login Company, UserName and password from the UserBusinessEntity.

When the record is found, the UserName is stored in the Context Dataset so that it is known on the client and on the AppServer in future calls.

When the authentication is done against the password stored in the SmartUser table of the SmartDB, the User Maintenance form should also allow updating the password stored in this table (e.g. when creating new users). To allow the update of the password field in the SmartUserViewer, the maintainPasswordInSmartUser setting in the IConfigurationProvider service needs to be set to "true". By default this is read from either the .applicationsettings JSON file (OpenEdge 11) or the .applicationsettings.xml XML file (OpenEdge 10).

Sample .applicationsettings file
{
    "appServerKeepAlivePeriod":"120",
    "homePageUrl":"http://www.consultingwerk.de",
    "defaultPartition":"Default",
    "maintainPasswordInSmartUser":"true",
    "systemDescription":"Development",
    "rollbaseRestApiUrl":"https://www.rollbase.com/rest/api/"
}

Authorization

Security Realms

Introduction


Security Realms describe a specific group of functions for which authorization is maintained using a centralized security assignment and enquiry system.


Security Realms are registered in the Security Realm Maintenance function of the SmartFramework.


Security Realms have the following attributes:

Field Name | Description
Realm Code | A unique identifier of the security realm, used when querying authorization using the ISecurityService or the Validate class
Realm Description | A description of the security realm
Security Service | The service that defines the security realm specific data, used for the maintenance of the security assignment
Default Restricted | Defines whether users are not allowed to use functions of this security realm unless they are granted, or whether they are allowed to use functions of this realm unless they are forbidden (grant/revoke)
Assignment Company Dependent | Whether the assignment of authorizations in this realm is stored per login company or for the whole system. Relevant for users or groups that exist in more than a single login company
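The Default Restricted and Assignment Company Dependent attributes decide what happens when no explicit grant or revoke exists and whether a grant made in one login company carries over to another. The following Python model, added here as an illustration and not SmartFramework code, shows that decision logic for two realms; the realm codes SST and SMF are from the table below, while the function codes, user names, company names and the class/method names are made up for this example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class SecurityRealm:
    """Constructed model of the realm attributes listed above (not SmartFramework code)."""
    realm_code: str
    default_restricted: bool   # True: forbidden unless granted; False: allowed unless revoked
    company_dependent: bool    # True: assignments are stored per login company

@dataclass(frozen=True)
class Assignment:
    """One grant/revoke entry for a user and a function in a realm (constructed sample data)."""
    realm_code: str
    function_code: str
    user: str
    granted: bool                        # True = grant, False = revoke
    login_company: Optional[str] = None  # only consulted for company-dependent realms

class SecurityAssignments:
    def __init__(self, realms: Iterable[SecurityRealm], assignments: Iterable[Assignment]):
        self.realms = {r.realm_code: r for r in realms}
        self.assignments = list(assignments)

    def is_restricted(self, realm_code: str, function_code: str, user: str, login_company: str) -> bool:
        """Return True when the user may NOT use the function in this realm."""
        realm = self.realms[realm_code]
        for a in self.assignments:
            if (a.realm_code, a.function_code, a.user) != (realm_code, function_code, user):
                continue
            if realm.company_dependent and a.login_company != login_company:
                continue  # assignment belongs to another login company, ignore it
            return not a.granted  # first explicit assignment wins over the realm default
        return realm.default_restricted  # no assignment: fall back to Default Restricted

# Constructed sample realms and assignments for the demonstration.
REALMS = [SecurityRealm("SST", default_restricted=True, company_dependent=True),
          SecurityRealm("SMF", default_restricted=False, company_dependent=False)]
ASSIGNMENTS = [Assignment("SST", "EXPORT_DATA", "alice", granted=True, login_company="COMP1"),
               Assignment("SMF", "MENU_ADMIN", "bob", granted=False)]
SECURITY = SecurityAssignments(REALMS, ASSIGNMENTS)

if __name__ == "__main__":
    print(SECURITY.is_restricted("SST", "EXPORT_DATA", "alice", "COMP1"))  # False: granted in COMP1
    print(SECURITY.is_restricted("SST", "EXPORT_DATA", "alice", "COMP2"))  # True: grant is per company
    print(SECURITY.is_restricted("SMF", "MENU_ADMIN", "bob", "COMP1"))     # True: explicitly revoked
    print(SECURITY.is_restricted("SMF", "MENU_ADMIN", "alice", "COMP1"))   # False: default not restricted
```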

Security Realm Services

Security Realm Services provide the meta-data used during the maintenance of security assignments. Security Realm Services need to implement the ISecurityRealmService interface.

Overview of Security Realms

The SmartFramework provides a number of default security realms, which are described in the following table.

Realm Code | Realm Description | Used by
SFS | Smart Field Enabled | Used by the SmartFieldAuthorizationProvider. The SmartFieldAuthorizationProvider implements the IFieldAuthorizationProvider interface and controls whether data-bound fields in SmartViewerControl derived user controls may be enabled for the current user, in other words whether the user is allowed to update the field value.
SFV | Smart Field Visibility | Used by the SmartFieldAuthorizationProvider. The SmartFieldAuthorizationProvider implements the IFieldAuthorizationProvider interface and controls whether data-bound fields in SmartViewerControl derived user controls shall be hidden.
SMF | Smart Menu Function | Used by the MenuBusinessEntity to determine whether the current user has access to a menu function or not. Used while reading menu structures from the SmartMenu table.
SMT | Smart Message Translation | Used by the MessageBusinessEntity to validate whether the current user is allowed to maintain message translations in the given language.
SST | Smart Security Token | General purpose function. Tokens can be used to protect specific application functionality. There is no default behavior for security tokens. Tokens may be queried using the IsTokenRestricted method of the ITokenSecurityService implementation.
STI | Smart Toolbar Security Item | Allows disabling specific toolbar buttons on toolbars or ribbons. Used by the ToolbarAuthorizationProvider, which implements the IToolbarAuthorizationProvider service interface and is used by the SmartToolbarController.


Smart Field Enabled and Smart Field Visibility (SFS and SFV)

Before assigning authorization for field security, the relevant fields need to be entered in the Field Security Item Maintenance form.

Field Security Items are maintained using the following settings:

Field Name | Description
Field Name | Either the fully qualified field name as known to the client (temp-table) or *.fieldname when the table name should be irrelevant
Security Key | A security key of viewer controls. Allows defining field security for specific viewers only. Must match the "SecurityKey" attribute of the relevant viewer(s). Optional.
Object Name | The name of the container (Form). Allows defining field security for specific forms only. Optional.
Description | A description for the field security item.

The same field security items are used to control if a user is allowed to update a field value and if a field may be shown.
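To make the scoping of the Field Name, Security Key and Object Name settings concrete, here is an added Python illustration (not SmartFramework code) that selects the field security items applying to a given field on a given viewer and form. It assumes that table and field names compare case-insensitively and that an empty Security Key or Object Name means "applies to every viewer/form"; the item records, table, viewer and form names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class FieldSecurityItem:
    """Constructed model of a Field Security Item record (not SmartFramework code)."""
    field_name: str                      # "table.field", or "*.field" when the table is irrelevant
    description: str
    security_key: Optional[str] = None   # must match the viewer's SecurityKey when set
    object_name: Optional[str] = None    # must match the container (Form) name when set

def item_applies(item: FieldSecurityItem, table: str, field: str,
                 viewer_security_key: Optional[str], form_name: str) -> bool:
    """True when the item's scope covers this field, viewer and form."""
    table_part, _, field_part = item.field_name.partition(".")
    if field_part.lower() != field.lower():
        return False
    if table_part != "*" and table_part.lower() != table.lower():
        return False  # assumption: names compare case-insensitively, as in ABL
    if item.security_key and item.security_key != viewer_security_key:
        return False  # item is limited to viewers carrying this SecurityKey
    if item.object_name and item.object_name != form_name:
        return False  # item is limited to one container (Form)
    return True

def applicable_items(items: List[FieldSecurityItem], table: str, field: str,
                     viewer_security_key: Optional[str], form_name: str) -> List[FieldSecurityItem]:
    return [i for i in items if item_applies(i, table, field, viewer_security_key, form_name)]

# Constructed sample items: one global, one limited to viewers with SecurityKey "HR",
# one limited to the form "OrderForm".
ITEMS = [
    FieldSecurityItem("eCustomer.CreditLimit", "Customer credit limit"),
    FieldSecurityItem("*.Salary", "Salary in any table", security_key="HR"),
    FieldSecurityItem("eOrder.Discount", "Order discount", object_name="OrderForm"),
]

if __name__ == "__main__":
    print(applicable_items(ITEMS, "eEmployee", "Salary", "HR", "EmployeeForm"))       # [*.Salary item]
    print(applicable_items(ITEMS, "eEmployee", "Salary", "Payroll", "EmployeeForm"))  # []
    print(applicable_items(ITEMS, "eOrder", "Discount", None, "QuoteForm"))           # []
```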

Smart Menu Function (SMF)

Menu Functions are maintained using the Menu Function Maintenance.

Smart Message Translation (SMT)

Message Translation can be individually turned on and off for any language defined in the system.

Smart Security Token (SST)

Security Tokens can be created using the Security Token Maintenance form.

Tokens are represented by a Token Code, which is used to query the token authorization at runtime, and a description.

Smart Toolbar Security Item (STI)

Toolbar Security Items are maintained using the Toolbar Security Item Maintenance form.

Toolbar Security Items are represented by the tool's key (as known to the actual .NET controls) and may be specific to a form or global for any form.

When adding records in the Toolbar Security Item Maintenance form, users can select currently executing Forms using the lookup button on the Container / Object lookup. This also populates the Toolbar Item drop-down list with the toolbar items of the selected form. Users can select Forms, or viewers and browsers, in which case the authorization may be maintained for individual Viewers or Browsers within the Form.


Assigning Authorization for Security Realms

Menu Security Assignment

Menu Visibility for User Groups

Security Service

Validate Class

Additional Security Hooks

Toolbar Authorization Provider

Field Authorization Provider

Request Authorization Provider

Server Session Activator
