Choosing the web server authentication model
Web servers support a number of authentication models to manage client access to resources provided by a web application. The JSDO supports the following authentication models, which correspond to the ways that a web application can be protected:
* Anonymous authentication — No authentication is required to access any of the web application's Data Object Services. This is the default authentication model.
Although no authentication is required, the client app must still call the login( ) method on the session instance without user credentials in order to establish a JSDO login session for the specified web application. If you do pass credentials for this authentication model, the method ignores them.
* HTTP Basic authentication — The web application requires a valid username and password (credentials) to access its Data Object Services.
To have a JSDOSession or Session instance manage access to the web application's resources for you, you need to pass these credentials in a call to the instance's login( ) method. Typically, you would require the user to enter their credentials into a login dialog provided by your client app, either using a form of your own design or using a template provided by Progress Software (see Using default web pages to support client app login). Once authenticated, all further access to web application resources is provided according to the user's authorization settings, and the client app is ready to load a Data Service Catalog.
Note: The option to manage page refresh that is provided for client web apps using the JSDOSession class is not supported for HTTP Basic. For more information, see Supporting page refresh for web apps (available in Progress Data Objects Version 4.3 or later).
Note: It is possible to configure a client app so that, prior to logging in, it opens a protected web page provided by the web application. However, this is an atypical client app configuration. For more information, see Using protected web resources.
* HTTP Form-based authentication — The web application requires a valid username and password (credentials) to access its Data Object Services.
Like HTTP Basic, Form-based authentication requires user credentials for access to protected resources; the difference is that the web application itself sends a form to the client to get the credentials. However, when you have a JSDOSession or Session instance manage access to the web application's resources, you handle Form-based authentication in the same way that you handle Basic—get the user's credentials yourself and pass them to the login( ) method. Internally, the JSDO session intercepts the form sent to the client by the web application and handles the authentication without the form being displayed. Once authenticated, all further access to web application resources is provided according to the user's authorization settings, and the client app is ready to load a Data Service Catalog.
Note: As with HTTP Basic, it is possible under Form-based authentication to configure a client app so that, prior to logging in, it opens a protected web page provided by the web application. However, this is an atypical client app configuration. For more information, see Using protected web resources.
Caution: Progress recommends that you always use SSL (HTTPS) when logging into a web application, but especially for a web application configured for HTTP Basic authentication. If you do not, the login( ) method sends its user credentials to the web server as clear text.
You must know the web server authentication model, the client app type and platform, and how web application resources are protected on the web server. You can then set the authenticationModel property in a JSDOSession object constructor or on an instantiated Session object accordingly. For more information on security considerations for Data Object Services, see the sections on REST application security in OpenEdge Development: Web Services and in the administration documentation for your particular OpenEdge application server.
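The following is an added example, not code from the JSDO library or from this documentation. It models the credential-handling rules described above for the three authentication models: anonymous ignores credentials, Basic and Form-based require them, and a plain-HTTP service URI earns the clear-text warning from the Caution. The names AUTH_MODEL and prepareLogin and the service URI are assumptions chosen for this example; a real JSDOSession applies these rules inside its constructor and login( ) method.

```javascript
// Added example (not part of the JSDO library): models the credential-handling
// rules for the three web server authentication models described above.
// AUTH_MODEL and prepareLogin are hypothetical names chosen for this example.

const AUTH_MODEL = Object.freeze({
  ANONYMOUS: "anonymous",
  BASIC: "basic",
  FORM: "form",
});

// Returns a description of what a session would send for a login attempt
// against serviceURI under the chosen authentication model. Throws when the
// model requires credentials that were not supplied.
function prepareLogin(serviceURI, authenticationModel, username, password) {
  const url = new URL(serviceURI);
  const usesTLS = url.protocol === "https:";
  const request = {
    url: url.href,
    headers: {},           // headers added to the login request
    formCredentials: null, // credentials posted back in place of the login form
    warnings: [],
  };
  const haveCredentials = Boolean(username) && Boolean(password);

  switch (authenticationModel) {
    case AUTH_MODEL.ANONYMOUS:
      // login() must still be called to establish the session, but any
      // credentials passed to it are ignored.
      if (username || password) {
        request.warnings.push("credentials ignored under anonymous authentication");
      }
      break;

    case AUTH_MODEL.BASIC:
      if (!haveCredentials) {
        throw new Error("HTTP Basic authentication requires a username and password");
      }
      // Base64 is an encoding, not encryption: without TLS the credentials
      // travel as clear text.
      if (!usesTLS) {
        request.warnings.push("HTTP Basic over plain HTTP sends credentials as clear text");
      }
      request.headers.Authorization =
        "Basic " + Buffer.from(`${username}:${password}`, "utf8").toString("base64");
      break;

    case AUTH_MODEL.FORM:
      if (!haveCredentials) {
        throw new Error("Form-based authentication requires a username and password");
      }
      if (!usesTLS) {
        request.warnings.push("Form login over plain HTTP sends credentials as clear text");
      }
      // The web application sends a login form; the session intercepts it and
      // posts the credentials back instead of displaying the form.
      request.formCredentials = { username, password };
      break;

    default:
      throw new Error(`unknown authentication model: ${authenticationModel}`);
  }
  return request;
}

// Constructed sample: the same (placeholder) web application under each model.
const SERVICE_URI = "https://example.com/SportsApp";
console.log(prepareLogin(SERVICE_URI, AUTH_MODEL.ANONYMOUS));
console.log(prepareLogin(SERVICE_URI, AUTH_MODEL.BASIC, "alice", "s3cret"));
console.log(prepareLogin("http://example.com/SportsApp", AUTH_MODEL.FORM, "alice", "s3cret").warnings);
```

The returned object separates what differs between the models: only Basic produces an Authorization header, only Form-based carries credentials to post back, and anonymous produces neither, which is why a client that switches from anonymous to Basic must start collecting credentials before calling login( ).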
As noted later in this section, OpenEdge provides default web resources with every deployed web application that you can use to help implement a login sequence, or you can define similar web resources of your own. For more information, see Using default web pages to support client app login.