Implementing Service Interface Authorization for Business Entity Methods

Introduction

The SmartFramework Service Interface supports backend authorization for individual methods of Business Entities (SaveChanges, FetchData, Invokable Methods) and Business Tasks through the SmartRequestAuthorizationProvider

Setup

The SmartRequestAuthorizationProvider has to be loaded as a service for the IRequestAuthorizationProvider interface through a services.xml file, e.g.:

services.xml
<ttServiceLoaderRow>
  <Order>5</Order>
  <ServiceTypeName>Consultingwerk.Framework.Authorization.IRequestAuthorizationProvider</ServiceTypeName>
  <ServiceClassName>Consultingwerk.SmartFramework.Authorization.SmartRequestAuthorizationProvider</ServiceClassName>
</ttServiceLoaderRow>

The Service Interface will query the SmartRequestAuthorizationProvider during every request for the curren users authorization.

Token Security for Security Objects

The SmartRequestAuthorizationProvider is implemented through token security for individual objects (security objects). This allows an administrator to define security tokens for individual objects and assign authorization or revoke rights to/from users and groups. Then the requested token is not defined for the specific security objects - or no authorization is assigned on that security objects for the current user or his groups - the normal token security check will be performed (automatic fall back to the system wide token security).

Definition of Security Objects

The SmartFramework Maintenance supports through the Security Object Maintenance Objekte function the definition of security objects. For the SmartRequestAuthorizationProvider and the Service Interface the security object name must match the Business Entity or Business Task name.

For the security object, administrators may maintain the name (the key value) and a  description:

The second tab folder Token allows to assign existing security tokens to the security object. This creates the security items which can be assigned (granted/revoked) to users or user groups in the Security Assignment screen:

Security Tokens used by the SmartRequestAuthorizationProvider

The following security tokens are used by the SmartRequestAuthorizationProvider to authorize Service Interface requests:

Object Type
Method
Token
Description
Business EntityFetchData (read)ServiceInterface.FetchDataReading of data from a Business Entity. Reading of framework meta data (Business Entities in Consultingwerk.SmartFramework.*) is never restricted.
Business EntityInvokeMethod (execute specific methods of a Business Entity)ServiceInterface.Invoke.<MethodName>A specific security token must be maintained in the Security Token Maintenance.
Business TaskInvokeTask (execute methods of a Business Tasks)ServiceInterface.Invoke.<MethodName>A specific security token must be maintained in the Security Token Maintenance.
Business EntitySaveChanges (saving of modifications)ServiceInterface.SaveChangesUpdate access through a Business Entity

The security tokens ServiceInterface.FetchData and ServiceInterface.SaveChanges are maintained and distributed by Consultingwerk. Customers should not create those tokens manually to avoid unique key conflicts (GUID).

Error message received when invoking a restricted method

When a web frontend tries to access a restricted method through the Resource Web Handler etc., an http 403 error (forbidden, https://en.wikipedia.org/wiki/HTTP_403) will be returned.

Response content:

 Content:
{"title":"An application error has occurred (Consultingwerk.Framework.Authorization.Exceptions.ServiceInterfaceMethodNotAuthorizedException)",
  "error":"Consultingwerk.Framework.Authorization.Exceptions.ServiceInterfaceMethodNotAuthorizedException",
  "message":"You are not authorized to invoke SaveChanges on Consultingwerk.SmartComponentsDemo.OERA.Sports2000.CustomerBusinessEntity.",
  "messageNum":0,
  "callStack":"SaveChanges Consultingwerk.OERA.ServiceInterface at line 4194  (
      C:\\work\\SmartComponents4NET\\116_64\\ABL\\Consultingwerk\\OERA\\ServiceInterface.r)
      SaveChanges Consultingwerk.OERA.ServiceInterface at line 4080  (C:\\work\\SmartComponents4NET\\116_64\\ABL\\Consultingwerk\\OERA\\ServiceInterface.r)
      ProcessUpdate Consultingwerk.OERA.JsdoGenericService.Service at line 2107  (C:\\work\\SmartComponents4NET\\116_64\\ABL\\Consultingwerk\\OERA\\JsdoGenericService\\Service.r)
      HandlePut Consultingwerk.OERA.JsdoGenericService.WebHandler.ResourceWebHandler at line 1073  (C:\\work\\SmartComponents4NET\\116_64\\ABL\\Consultingwerk\\OERA\\JsdoGenericService\\WebHandler\\ResourceWebHandler.r)
      HandleRequest OpenEdge.Web.WebHandler at line 51  (OpenEdge\/Web\/WebHandler.r)
      HandleRequest OpenEdge.Web.InternalWebRouter at line 90  (OpenEdge\/Web\/InternalWebRouter.r)",
  "properties":{"ServiceMethodName":"SaveChanges","ServiceObjectName":"Consultingwerk.SmartComponentsDemo.OERA.Sports2000.CustomerBusinessEntity",
  
(shortened) 
 
  }
}