Identity Management Basics Part 1 of Identity Management with OpenEdge Peter Judge OpenEdge Development


© 2012 Progress Software Corporation. All rights reserved.

Slide 2: What is Identity Management?
It's about protecting your business data by
 Controlling and verifying who accesses your data
 Controlling what they can do with your data
 Reviewing what they did with your data
 Maintaining information about your users
You make security decisions on behalf of your customers … understand the maximum loss they might suffer.

Slide 3: This is Nothing New
The forces aligned against you are more prevalent, and they have more, and more sophisticated, weapons. And you've given people a door and an invitation via the internet. So the things you used to do are no longer adequate.

Slide 4: What is Identity Management?
It's about protecting your business data by
 Controlling and verifying who accesses your data: Authentication
 Controlling what they can do with your data: Authorisation
 Reviewing what they did with your data: Auditing
 Maintaining information about your users: Administration

Slide 5: Authentication
 Identifies a user, using factors:
   Something the user knows (e.g. password)
   Something the user has (e.g. security token)
   Something of the user (e.g. biometric)
 Verifies that users are who they say they are. We need to be able to trust this fact, as do others.

Slide 6: Authorisation & Auditing
 Authorisation
   What services can the user access?
   What data can the user see and/or modify?
     – Multi-tenancy
     – Record-level, field-level
 Auditing
   Verifiable trace of a user's actions

Slide 7: Getting a Passport (diagram; labels: application forms, passport, my permanent record)

Slide 8: Using a Passport (diagram; labels: passport, visa & entry stamp, conference; steps 1, 2, 3)

Slide 9: Application Architecture (diagram mapping the passport analogy onto the application; labels: User interface; application forms / Claims / Assertions; Security Token Service; passport / Security token; my permanent record / Authentication system / Domains)

Slide 10: What is a Security Token?
 A transportable block of data that can be used as proof of user identity by any systems or applications that have a trust relationship with the originator of the security token.
   Exists for the same reason passports do: so that a gatekeeper doesn't have to ask you for everything every time you want to pass.
 Enables Single Sign-On (SSO): authenticate once and allow access many times across (ABL) processes.
 Secure, time-sensitive and data-integrity protected.

Slide 11: The ABL CLIENT-PRINCIPAL (10.1A+)
 CLIENT-PRINCIPAL = ABL security token
 Sets the current identity in any connected db or AVM session
 The AVM creates one if it is not created explicitly
 Manages a user's login session:

    CREATE CLIENT-PRINCIPAL hCP.
    hCP:INITIALIZE( ).
    SECURITY-POLICY:SET-CLIENT(hCP).
    SET-DB-CLIENT(, hCP).
    SETUSERID(,, ).
    cmd> $PROEXE -U -P
    hCP = SECURITY-POLICY:GET-CLIENT().
    rCP = hCP:EXPORT-PRINCIPAL().
    hCP:LOGOUT().

Slide 12: What Are Domains?
 A group of users with a common set of:
   Roles and responsibilities
   Level of security
   Data access privileges
 Configured in the db meta-schema table _sec-authentication-domain, with fields:
   _Domain-name
   _Domain-type
   _Domain-description
   _Domain-access-code
   _Domain-runtime-options
   _Tenant-name
   _Domain-enabled

Slide 13: Authentication Systems (aka Plug-ins) (11.1+)
 Validates the requesting entity's claims:
   Full user login (i.e. user authentication), or
   Single Sign-On (SSO)
 Specifies the actual means of performing authentication
   ABL callbacks are available for user-defined systems
 A single authentication system can support multiple domains; one domain has one authentication system
 Configured in the meta-schema table _sec-authentication-system, with fields:
   _Domain-type
   _Domain-type-description
   _PAM-plug-in
   _PAM-callback-procedure

Slide 14: User Credentials Example Schema

    ADD TABLE "ApplicationUser"
      AREA "Data"
      DESCRIPTION "The application's user table. Contains login names, passwords and mappings to login domains."
      DUMP-NAME "applicationuser"

    ADD FIELD "LoginName" OF "ApplicationUser" AS character
    /* Domain necessary for re-use */
    ADD FIELD "LoginDomain" OF "ApplicationUser" AS character
    ADD FIELD "Password" OF "ApplicationUser" AS character
    ADD FIELD "LastLoginDate" OF "ApplicationUser" AS datetime-tz
    /* Last login IP address / host */
    ADD FIELD "LastLoginLocation" OF "ApplicationUser" AS character

    ADD INDEX "Login" ON "ApplicationUser"
      AREA "Indexes"
      UNIQUE
      INDEX-FIELD "LoginName" ASCENDING
      INDEX-FIELD "LoginDomain" ASCENDING

Slide 15: Demo

Slide 16: Demo: Desktop Main Form
 Basic screen; we want to show a list of customers.

Slide 17: Demo: Login
 Login as user anita_andrews; the password is letmein (prepopulated).

Slide 18: Demo: Customer List
 See the basic customer list from Sports2000.

Slide 19: Demo: Help > About: Login info
 See user name, expiration date, etc.

Slide 20: Demo: Logout > Refresh Customer List
 Now logout and see the cleared screen.
 Try "Refresh Customer List" and see an error; expected, because we're not logged in.

Slides 21-25: Application Architecture: Login
Diagram labels: User interface; application forms / Claims / Assertions; Security Token Service; passport / Security token; my permanent record / Authentication system / Domains. The builds add the login flow in three steps:

  1. The user interface calls the STS with the user's claims:
       RUN login.p ON SERVER hAppServer (cUser, cDomain, cPassword, OUTPUT lcToken)

  2. login.p on the STS hands the claims to the Security Token Service, which returns a token:
       login.p
       INPUT PARAM pcUser
       INPUT PARAM pcDomain
       INPUT PARAM pcPword
       OUTPUT PARAM pcToken
       pcToken = STS:Login(pcUser, pcDomain, pcPword).

  3. The user interface keeps the token for later calls:
       /* save token in local session */

Slide 26: Managing Security Context

Client context (rawToken = hCP:EXPORT-PRINCIPAL):
 Entire security context for the session is in the sealed C-P
 Sealed C-P moves between server and client
 Server validates the C-P & uses it to establish the security context
 Used in stateful apps that run in stateless server environments
 More data transmitted per call = more overhead
 Less secure, unless the C-P is encrypted or in an SSL session

Server context (charToken = hCP:SESSION-ID):
 Entire security context for the session is stored on the server, using the C-P's SESSION-ID as key ("CCID")
 CCID moves between server and client
 CCID used to find the context in the cache & rehydrate the C-P
 Server validates the C-P & uses it to establish the security context
 Used in stateful applications
 Less data transmitted = lower overhead
 More secure, since the C-P is not at risk of exposure
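The "client context" column above relies on the sealed CLIENT-PRINCIPAL being tamper-evident and time-limited, since the whole security context travels with every call and the server trusts nothing in it until the seal verifies. The following is an added Python model of that property, not OpenEdge code and not from the presentation: the seal is modelled as an HMAC-SHA256 over the serialised claims keyed by a constructed per-domain access code (the real seal is produced by the AVM from the domain's access code), and the claim names, `TokenError` and the helper functions are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed: the access code of each domain. On the slides this is the
# _Domain-access-code shared by the STS and business-logic servers; here it is a
# hypothetical value so the example runs offline.
DOMAIN_ACCESS_CODES = {"employee": b"constructed-employee-access-code"}


class TokenError(Exception):
    """Raised when a token cannot be trusted (malformed, unsealed, expired)."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user_id: str, domain: str, lifetime_hours: int = 8,
                issued_at: Optional[datetime] = None) -> str:
    """Model of CREATE CLIENT-PRINCIPAL, INITIALIZE and EXPORT-PRINCIPAL: the
    claims get a unique session id and an expiry, then are sealed with the
    domain's access code so that any later change is detectable."""
    issued_at = issued_at or datetime.now(timezone.utc)
    claims = {
        "user_id": user_id,
        "domain": domain,
        "session_id": secrets.token_hex(16),
        "expires": (issued_at + timedelta(hours=lifetime_hours)).isoformat(),
    }
    body = json.dumps(claims, sort_keys=True).encode()
    seal = hmac.new(DOMAIN_ACCESS_CODES[domain], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(seal)


def validate_token(token: str, now: Optional[datetime] = None) -> dict:
    """Model of IMPORT-PRINCIPAL plus the validation SET-CLIENT performs: the
    claims are trusted only once the seal verifies under the access code of the
    domain named inside them and the expiry has not passed."""
    now = now or datetime.now(timezone.utc)
    try:
        body_b64, seal_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        seal = base64.urlsafe_b64decode(seal_b64)
        claims = json.loads(body)
        expires = datetime.fromisoformat(claims["expires"])
        key = DOMAIN_ACCESS_CODES.get(claims["domain"])
    except (ValueError, TypeError, KeyError) as exc:
        raise TokenError("malformed token") from exc
    if key is None:
        raise TokenError("unknown domain")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(seal, expected):  # constant-time comparison
        raise TokenError("seal does not verify")
    if expires <= now:
        raise TokenError("token expired")
    return claims


def token_is_valid(token: str) -> bool:
    try:
        validate_token(token)
        return True
    except TokenError:
        return False


def alter_claims_keeping_seal(token: str, **changes) -> str:
    """Integrity self-check helper: re-encode the claims with a change but keep
    the original seal. A correct validator must reject the result."""
    body_b64, seal_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body_b64))
    claims.update(changes)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + seal_b64


if __name__ == "__main__":
    tok = issue_token("anita_andrews", "employee")
    print(validate_token(tok)["user_id"])
    print(token_is_valid(alter_claims_keeping_seal(tok, user_id="someone_else")))
```

The design choice worth noting is the order of checks: the token names its own domain, but that name is used only to select the verification key; nothing else in the token is acted on until the seal verifies, and the expiry is checked after the seal so that an unsealed "expires" value cannot extend a session.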

Slide 28: Desktop.MainForm.cls

    /* hAppServer (the connected AppServer handle) and cUserContextId are
       class-scoped members not shown on the slide */
    method public logical LoginUser(input pcUserName as char,
                                    input pcDomain   as char,
                                    input pcPassword as char):
        run Security/Login.p on hAppServer
            (pcUserName, pcDomain, pcPassword, output cUserContextId).
        if cUserContextId eq '' then
            return false.
        /* set the CCID on the business logic server so that it's
           transported with every request. */
        hAppServer:request-info:ClientContextId = cUserContextId.
        return true.
    end method.

Slide 30: Security/Login.p

    define input  parameter pcUser     as character no-undo.
    define input  parameter pcDomain   as character no-undo.
    define input  parameter pcPassword as character no-undo.
    define output parameter pcToken    as character no-undo.

    pcToken = Security.SecurityTokenService:Instance
                  :LoginUser(pcUser, pcDomain, pcPassword).

Slide 31: Security.SecurityTokenService.cls

    method public char LoginUser(input pcUserName   as char,
                                 input pcUserDomain as char,
                                 input pcPassword   as char):
        define variable hClientPrincipal as handle no-undo.

        create client-principal hClientPrincipal.
        /* the user id is qualified with its domain as user@domain */
        hClientPrincipal:initialize(pcUserName + '@' + pcUserDomain,
                                    ?,                             /* unique session id */
                                    add-interval(now, 8, 'hours'), /* login expiration  */
                                    pcPassword).
        /* passes authentication work off to the authentication system */
        security-policy:set-client(hClientPrincipal).
        /* writes security context into DB */
        WriteClientPrincipalToStore(hClientPrincipal).
        /* return character value */
        return hClientPrincipal:session-id.
    end method.

Slide 33: _sec-authentication-system

    create _sec-authentication-system.
    _Domain-type             = 'TABLE-ApplicationUser'.
    _Domain-type-description = 'The ApplicationUser table serves as the authentication domain'.
    _PAM-plug-in             = true.
    _PAM-callback-procedure  = 'Security/AppUserAuthenticate.p'.

Slide 34: Security/AppUserAuthenticate.p

    procedure AuthenticateUser:
        def input  param phClientPrincipal as handle no-undo.
        def input  param pcSystemOptions   as character extent no-undo.
        def output param piPAMStatus       as integer init ? no-undo.
        def output param pcErrorMsg        as character no-undo.

        find ApplicationUser
             where ApplicationUser.LoginName   eq phClientPrincipal:user-id
               and ApplicationUser.LoginDomain eq phClientPrincipal:domain-name
             no-lock no-error.
        if not available ApplicationUser then
            piPAMStatus = Progress.Lang.PAMStatus:UnknownUser.
        else if ApplicationUser.Password ne encode(phClientPrincipal:primary-passphrase) then
            piPAMStatus = Progress.Lang.PAMStatus:AuthenticationFailed.
        else
            /* we're good to go */
            piPAMStatus = Progress.Lang.PAMStatus:Success.
        return.
    end procedure.
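The callback above is the point where the authentication system decides between UnknownUser, AuthenticationFailed and Success for the user id, domain and passphrase carried in the CLIENT-PRINCIPAL. The following is an added Python model of it, not the presentation's ABL: the ApplicationUser table is an in-memory dict keyed on the unique (LoginName, LoginDomain) index from slide 14, the only row is the demo login from slide 17 (a constructed fixture), and the slide's ENCODE() equality comparison is replaced by a salted PBKDF2 hash with a constant-time compare, which is this example's choice rather than the slide's.

```python
import hashlib
import hmac
import os
from enum import Enum
from typing import Dict, Optional, Tuple


class PAMStatus(Enum):
    """The three outcomes the slide's callback reports via piPAMStatus."""
    Success = "Success"
    UnknownUser = "UnknownUser"
    AuthenticationFailed = "AuthenticationFailed"


PBKDF2_ROUNDS = 100_000  # assumption of this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256, stored as hex(salt)$hex(digest). Stands in for the
    slide's ENCODE(), which is compared by equality and so carries no per-user
    salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def password_matches(stored: str, candidate: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed ApplicationUser rows, keyed the way the unique "Login" index is:
# (LoginName, LoginDomain). The same login name may exist in another domain,
# which is why the domain is part of the key ("Domain necessary for re-use").
APPLICATION_USER: Dict[Tuple[str, str], dict] = {
    ("anita_andrews", "employee"): {"Password": hash_password("letmein")},
}


def authenticate_user(user_id: str, domain_name: str,
                      primary_passphrase: str) -> Tuple[PAMStatus, str]:
    """Model of procedure AuthenticateUser: the CLIENT-PRINCIPAL's USER-ID,
    DOMAIN-NAME and PRIMARY-PASSPHRASE are checked against the user table.
    Returns (piPAMStatus, pcErrorMsg)."""
    row = APPLICATION_USER.get((user_id, domain_name))
    if row is None:
        return PAMStatus.UnknownUser, "no such user in domain " + domain_name
    if not password_matches(row["Password"], primary_passphrase):
        return PAMStatus.AuthenticationFailed, "password does not match"
    return PAMStatus.Success, ""


if __name__ == "__main__":
    print(authenticate_user("anita_andrews", "employee", "letmein")[0])
    print(authenticate_user("anita_andrews", "employee", "wrong")[0])
    print(authenticate_user("anita_andrews", "customer", "letmein")[0])
```

Because the lookup uses both halves of the unique index, a correct password for anita_andrews in the employee domain does not log that user into any other domain: the row is simply not found and the callback reports UnknownUser, which is the behaviour the slide's find-by-LoginName-and-LoginDomain gives.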

Slide 36: Security.SecurityTokenService.cls

    method protected void WriteClientPrincipalToStore(input phClientPrincipal as handle):
        define buffer lbSecurityContext for SecurityContext.

        /* scope this transaction as small as possible */
        do for lbSecurityContext transaction:
            find lbSecurityContext
                 where lbSecurityContext.SessionId eq phClientPrincipal:session-id
                 exclusive-lock no-wait no-error.
            /* a locked row is also "not available"; don't create a duplicate */
            if locked lbSecurityContext then
                undo, throw new Progress.Lang.AppError('Context is locked', 0).
            if not available lbSecurityContext then
            do:
                create lbSecurityContext.
                lbSecurityContext.SessionId = phClientPrincipal:session-id.
            end.
            lbSecurityContext.ClientPrincipal = phClientPrincipal:export-principal().
            lbSecurityContext.LastAccess      = now.
        end.
    end method.

Slides 40-46: Application Architecture: Business Logic
Diagram labels: User interface; Security token; Application business logic (the "conference" of the passport analogy); Authentication; Domains; Authorisation; Auditing. The builds add the per-request flow in five steps:

  1. The user interface calls business logic on the AppServer:
       RUN getcustomerlist.p ON SERVER hAppServer (OUTPUT DATASET dsCustomer)

  2. The AppServer's activate procedure validates the caller's token and sets the session identity:
       activate.p
       STS:ValidateToken(INPUT cToken).
       security-policy:set-client( ).

  3. The activate procedure authorises the requested service:
       AuthoriseService("getcustomer.p").

  4. The business logic runs as the authenticated user:
       getcustomerlist.p
       OUTPUT PARAM DATASET dsCustomer

  5. The deactivate procedure resets the session identity:
       deactivate.p
       security-policy:set-client( ).

Slide 47: Desktop.MainForm.cls

    /* hAppServer is the class-scoped handle on which LoginUser set the
       ClientContextId, so the CCID travels with this request */
    method protected void RefreshCustomerList():
        run BusinessLogic/GetCustomerList.p on hAppServer
            (output dataset dsCustomerOrder).

        open query qryCustomer preselect each ttCustomer by ttCustomer.CustNum.
        bsCustomer:Handle = query qryCustomer:handle.
        query qryCustomer:reposition-to-row(1).
    end method.

Slide 49: Security/Activate.p

    define variable hClientPrincipal as handle no-undo.

    hClientPrincipal = Security.SecurityTokenService:Instance
                           :GetClientPrincipal(session:current-request-info:ClientContextId).
    /* authenticate client-principal */
    security-policy:set-client(hClientPrincipal).

Slide 50: Security.SecurityTokenService.cls

    method public handle GetClientPrincipal(input pcContextId as char):
        define variable hClientPrincipal as handle no-undo.
        define variable rClientPrincipal as raw    no-undo.
        define buffer lbSecurityContext for SecurityContext.

        /* scope this transaction as small as possible */
        do for lbSecurityContext transaction:
            find lbSecurityContext
                 where lbSecurityContext.SessionId eq pcContextId
                 exclusive-lock no-wait no-error.
            if not available lbSecurityContext then
                undo, throw new Progress.Lang.AppError('Context does not exist', 0).
            assign rClientPrincipal             = lbSecurityContext.ClientPrincipal
                   lbSecurityContext.LastAccess = now.
        end.

        create client-principal hClientPrincipal.
        hClientPrincipal:import-principal(rClientPrincipal).
        return hClientPrincipal.
    end method.
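Slides 36 and 50 together are the server-side half of the CCID model from slide 26: the sealed principal is written to a SecurityContext row keyed on its SESSION-ID, only that id goes back to the client, and each request rehydrates the principal from the id and refreshes LastAccess. The following is an added Python model of that store, not the presentation's ABL: the table is an in-memory dict, the principal is a dataclass holding only the fields the store uses, `FakeClock` exists so the timing can be exercised, and the 30-minute idle timeout and the check against the login expiration are assumptions added here (the slide's GetClientPrincipal only rejects unknown ids; the login expiration is otherwise enforced when the rehydrated principal is passed to SET-CLIENT).

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


@dataclass
class ClientPrincipal:
    """The fields of the sealed CLIENT-PRINCIPAL the store needs."""
    user_id: str
    domain_name: str
    session_id: str
    login_expiration: datetime


@dataclass
class SecurityContextRow:
    """Models the SecurityContext table: SessionId, ClientPrincipal, LastAccess."""
    session_id: str
    client_principal: ClientPrincipal
    last_access: datetime


class ContextError(Exception):
    pass


class FakeClock:
    """Controllable clock so expiry behaviour can be shown without sleeping."""
    def __init__(self):
        self.now = datetime(2012, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed

    def advance(self, **delta):
        self.now += timedelta(**delta)

    def __call__(self) -> datetime:
        return self.now


class SecurityTokenService:
    """Server-side ("CCID") security context, after the slides' STS class."""
    IDLE_TIMEOUT = timedelta(minutes=30)  # assumption; the slides only record LastAccess

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._store: Dict[str, SecurityContextRow] = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def login_user(self, user_id: str, domain_name: str,
                   lifetime: timedelta = timedelta(hours=8)) -> str:
        """Model of LoginUser after authentication has succeeded: the principal
        is written to the store and only its SESSION-ID is returned."""
        now = self._clock()
        cp = ClientPrincipal(user_id, domain_name, secrets.token_hex(16), now + lifetime)
        self._write_client_principal_to_store(cp)
        return cp.session_id

    def _write_client_principal_to_store(self, cp: ClientPrincipal) -> None:
        """Model of WriteClientPrincipalToStore: create-or-update by SessionId."""
        row = self._store.get(cp.session_id)
        if row is None:
            row = SecurityContextRow(cp.session_id, cp, self._clock())
            self._store[cp.session_id] = row
        row.client_principal = cp
        row.last_access = self._clock()

    def get_client_principal(self, context_id: str) -> ClientPrincipal:
        """Model of GetClientPrincipal: unknown ids are an error, as on the
        slide; this version also drops contexts that are idle or past their
        login expiration instead of rehydrating them."""
        row = self._store.get(context_id)
        if row is None:
            raise ContextError("Context does not exist")
        now = self._clock()
        if (now - row.last_access > self.IDLE_TIMEOUT
                or now >= row.client_principal.login_expiration):
            del self._store[context_id]
            raise ContextError("Context expired")
        row.last_access = now  # LastAccess refreshed on every successful lookup
        return row.client_principal

    def logout_user(self, context_id: str) -> bool:
        """Model of LogoutUser: forget the context so the CCID stops working."""
        return self._store.pop(context_id, None) is not None

    def context_count(self) -> int:
        return len(self._store)
```

The point a practitioner should take from the model is that the CCID is a bearer key into this table: whoever presents it gets the stored principal, so the store, not the client, is where lifetime and logout are enforced, and an idle sweep keeps abandoned sessions from staying live for the full login expiration.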

Slide 53: Security/AppUserAuthenticate.p

    procedure AfterSetIdentity:
        def input param phClientPrincipal as handle no-undo.
        def input param pcSystemOptions   as character extent no-undo.

        /* At this point the CLIENT-PRINCIPAL is sealed and the user authenticated */
        /* Load user/application (as opposed to security) context here */
        return.
    end procedure.

Slide 55: BusinessLogic/GetCustomerList.p

    {BusinessLogic/dsCustomerOrder.i}
    define output parameter dataset for dsCustomerOrder.
    define variable oBusinessEntity as CustomerOrderBE no-undo.

    oBusinessEntity = new CustomerOrderBE().
    oBusinessEntity:GetCustomers(output dataset dsCustomerOrder).
    /* eof */

Slide 57: Security/Deactivate.p

    define variable hClientPrincipal as handle no-undo.

    /* hStartupProc is the handle of the persistent Security/Startup.p (not shown) */
    hClientPrincipal = dynamic-function('GetAgentClientPrincipal' in hStartupProc).
    security-policy:set-client(hClientPrincipal).
    /* eof */

Slide 59: Application Architecture: Business Logic
Same diagram and steps 1-5 as slides 40-46, with a step 0 added: when the agent starts, startup.p loads the domains and logs the agent in under a low-privilege identity:

  0. startup.p
       security-policy:load-domains()
       STS:Login('agent', 'system').
       security-policy:set-client( ).

Slide 60: Security/Startup.p

    define input parameter pcStartupData as character no-undo.

    define variable cAgentSessionId  as character no-undo.
    define variable hClientPrincipal as handle    no-undo.

    /* load domains */
    security-policy:load-domains('sports2000').

    /* immediately set session user to a low-privilege agent user */
    cAgentSessionId = Security.SecurityTokenService:Instance
                          :LoginUser('agent', 'system', 'oech1::3c373b2a372c3d').
    hClientPrincipal = Security.SecurityTokenService:Instance
                          :GetClientPrincipal(cAgentSessionId).
    security-policy:set-client(hClientPrincipal).

    function GetAgentSessionId returns character ():
        return cAgentSessionId.
    end function.

    function GetAgentClientPrincipal returns handle ():
        return hClientPrincipal.
    end function.
    /* eof */

61 Security/Shutdown.p

  Security.SecurityTokenService:Instance
      :LogoutUser(dynamic-function('GetAgentSessionId' in hStartupProc)).
  /* eof */

62 Separate AppServers for STS & Business Logic (diagram: UI Client, Security Token Service AppServer, Business Logic AppServer)

63 Separate AppServers for STS & Business Logic (diagram: UI Client, Security Token Service AppServer, Business Logic AppServer)

  Security/Startup.p:
  session:export('Security/Login.p'
               + ',Security/LoginSSO.p'
               + ',Security/Logout.p'
               + ',Security/GetClientPrincipal.p'
               + ',Security/ValidateToken.p'
               + ',Security/ValidateClientPrincipal.p'
               + ',Security/RegisterServer.p'
               + ',Security/DeregisterServer.p').

64 Separate AppServers for STS & Business Logic (diagram: UI Client calls LoginUser(), which runs login.p on the Security Token Service AppServer)

65 Separate AppServers for STS & Business Logic (diagram: getcustomer.p on the Business Logic AppServer calls ValidateToken() and GetClientPrincipal() on the Security Token Service AppServer)

66 Separate AppServers for STS & Business Logic (diagram: getcustomer.p on the Business Logic AppServer calls security-policy:set-client( ); the Business Logic AppServer is labelled "Domain name, Access code")

67 _sec-authentication-system & -domain

  Security Token Service:
    create _sec-authentication-system.
    _Domain-type            = 'TABLE-ApplicationUser'.
    _PAM-plug-in            = true.
    _PAM-callback-procedure = 'Security/AppUserAuthenticate.p'.

  Business Logic Service:
    create _sec-authentication-system.
    _Domain-type            = 'TABLE-ApplicationUser'.
    _PAM-plug-in            = true.
    _PAM-callback-procedure = 'Security/NoLoginAuthenticate.p'.

  Common:
    create _sec-authentication-domain.
    _Domain-name        = 'employee'.
    _Domain-type        = 'TABLE-ApplicationUser'.
    _Domain-access-code = audit-policy:encrypt-audit-mac-key('s00perSecr1tK3y4EMPLOYEE').
    _Domain-enabled     = true.

68 _PAM-callback-procedure

  Security Token Service (Security/AppUserAuthenticate.p):
    procedure AuthenticateUser:
        /* snipped parameters */
        find ApplicationUser
             where ApplicationUser.LoginName   eq phCP:user-id
               and ApplicationUser.LoginDomain eq phCP:domain-name
             no-lock no-error.
        if not available ApplicationUser then
            piPAMStatus = Progress.Lang.PAMStatus:UnknownUser.
        else if ApplicationUser.Password ne encode(phCP:primary-passphrase) then
            piPAMStatus = Progress.Lang.PAMStatus:AuthenticationFailed.
        else
            /* we're good to go */
            piPAMStatus = Progress.Lang.PAMStatus:Success.
        return.
    end procedure.

  Business Logic Service (Security/NoLoginAuthenticate.p):
    procedure AuthenticateUser:
        /* snipped parameters */
        /* we're not allowed to do any logins here */
        piPAMStatus = Progress.Lang.PAMStatus:InvalidConfiguration.
        return.
    end procedure.
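To make the token hand-off between the two AppServers concrete (the activate/deactivate flow of slides 59 through 61 and the STS/business-logic split of slides 62 through 68), here is an added ABL example that is not from the deck or its supporting code: the STS side issues a sealed CLIENT-PRINCIPAL for a domain, and the business-logic side accepts it with security-policy:set-client or falls back to the agent identity created by Security/Startup.p. Assumptions: pcAccessCode is the plaintext key that slide 67 encrypts into _Domain-access-code, the token travels between AppServers as the RAW from EXPORT-PRINCIPAL(), and the role name and 8-hour expiry are constructed for the example.

```abl
/* Added example, not deck code. Assumes the business-logic AppServer has
   already run security-policy:load-domains() for the domain used here. */

/* STS side: build and seal a CLIENT-PRINCIPAL for pcUserId in pcDomain.
   The seal binds the token to the domain access code, so a business-logic
   AppServer that has loaded the same domain can verify it without a login. */
function IssueToken returns handle
        (input pcUserId     as character,
         input pcDomain     as character,
         input pcAccessCode as character):
    define variable hCP as handle no-undo.

    create client-principal hCP.
    /* 'user@domain' sets USER-ID and DOMAIN-NAME; fresh GUID as session id;
       8-hour expiry is a constructed policy for this example */
    hCP:initialize(pcUserId + '@' + pcDomain,
                   guid(generate-uuid),
                   add-interval(now, 8, 'hours')).
    hCP:roles = 'customer-reader'.            /* constructed role name */
    if not hCP:seal(pcAccessCode) then
    do:
        delete object hCP.
        return ?.
    end.
    return hCP.
end function.

/* Business-logic side (activate.p): accept the request's token or fall back
   to the agent identity from Security/Startup.p. On this AppServer the
   domain's PAM callback (slide 68) refuses logins, so only a token sealed by
   the STS passes SET-CLIENT; expired, logged-out or tampered tokens fail. */
function SetRequestIdentity returns logical
        (input prToken   as raw,
         input phAgentCP as handle):
    define variable hCP    as handle  no-undo.
    define variable lValid as logical initial false no-undo.

    create client-principal hCP.
    /* ABL does not short-circuit AND, so each check is its own IF */
    if hCP:import-principal(prToken) then
        if hCP:login-state eq 'LOGIN' then
            lValid = security-policy:set-client(hCP).
    /* SET-CLIENT keeps its own copy, so the local object can be deleted */
    delete object hCP.

    if not lValid then
        /* fail closed: never leave the previous request's identity active */
        security-policy:set-client(phAgentCP).
    return lValid.
end function.
```

Calling SetRequestIdentity from activate.p and resetting to the agent token in deactivate.p (as slide 57 does) keeps every request from inheriting the identity of the one before it.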

69 Separate AppServers for STS & Business Logic (diagram: getcustomer.p on the Business Logic AppServer calls security-policy:set-client( ), then CustomerBE:GetData( ))

70 Separate AppServers for STS & Business Logic (diagram: UI Client calls LogoutUser(), which runs logout.p on the Security Token Service AppServer)

71 Separate AppServers for STS & Business Logic (diagram: UI Client, Security Token Service AppServer, Business Logic AppServer; labels ValidateToken() and getcustomer.p)

72 Separate AppServers for STS & Business Logic (diagram: UI Client, Security Token Service AppServer, Business Logic AppServer; labels "?" and getcustomer.p)

73 Separate AppServers for STS & Business Logic (diagram: UI Client, Security Token Service AppServer, Business Logic AppServer; label getsecrets.p)

74 OpenEdge Provides …
  - A security token
    - CLIENT-PRINCIPAL available in multiple clients
    - Automatic creation in some cases
  - Token available in activate procedure
  - PAM modules
    - Configurable, plug-in architecture
    - Guaranteed, consistent, trusted code-paths

75 OpenEdge Does Not …
  - Have a prescriptive model
  - Manage security context for an entire application
  - Automatically import external systems' tokens
    - For example, SAML for federated authentication

76 Coming Soon … {std/disclaimer.i}
  - More authentication systems / PAM modules
    - Better SSO support (Windows workstation)
    - LDAP
    - ActiveDirectory
  - Upgraded security for _User
  - OpenEdge realm for BPM & REST
    - Progress.Security.Realm.IHybridRealm

77 Summary
  - Identity management is a process that helps protect your business data
  - Applications must have security designed in
    - Delegation of responsibility
    - Multiple layers
  - OpenEdge provides components of identity management
    - CLIENT-PRINCIPAL
    - Authentication Systems
    - Transportation of security token

78 Extra materials
  - This session
    - Slides to be posted on PUG Challenge site
    - Supporting code at
  - Other PUG Challenge sessions
    - Coding with Identity Management & Security (Part 2): Peter Judge, PSC
    - Advanced OpenEdge REST/Mobile Security: Mike Jacobs, PSC
    - Programming with the Client-Principal Object: Chris Longo, BravePoint

  Image credits: Passport designed by Catia G, Time designed by wayne25uk, Database designed by Anton Outkine, Code designed by Nikhil Dev, Imposter designed by Luis Prado, User designed by T. Weber, Fingerprint designed by Andrew Forrester, Document designed by Samuel Green, Certificate designed by VuWorks, Network designed by Ben Rex Furneaux, Beer designed by Leigh Scholten; all from The Noun Project.

October 6–9, 2013, Boston, #PRGS13. Special low rate of $495 for PUG Challenge attendees with the code PUGAM. And visit the Progress booth to learn more about the Progress App Dev Challenge!