Developing AppServer Applications
Authorization on a state-reset or state-aware AppServer
The following code shows a typical authentication and authorization example:
DEFINE INPUT PARAMETER pcPassword AS CHARACTER NO-UNDO.
DEFINE INPUT PARAMETER pcUserId   AS CHARACTER NO-UNDO.

/* Authenticate user - if the user/password does not exist an error condition will automatically be raised. */
FIND FIRST app_user WHERE app_user.user_id = pcUserId
  AND app_user.password = ENCODE(pcPassword) NO-LOCK.

/* Authorize access to particular procedures */
IF NOT SESSION:EXPORT(app_user.can_run) THEN DO:
  /* Log failure message to AppServer agent logfile and refuse connection */
  MESSAGE "Failed to create export list for" app_user.user_id.
  RETURN ERROR.
END.
First, the user ID and password supplied by the client application's CONNECT( ) method are authenticated against an external source (in this case, valid users are recorded in a database table named app_user; if no matching record exists, the FIND raises an error and the connection is refused). Second, the user is authorized to request execution of an established, user-specific list of procedures (entry points) by passing that list to the EXPORT( ) method; once the export list is set, the AppServer rejects remote requests for any procedure not on it.
To create a tight security model, establish an export list in conjunction with operating-system security to restrict access from the client application's host to the remote procedure sources. For more information on operating-system security, see Operating system.
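The client-side view of the same control, as an added example that is not part of the OpenEdge documentation: it assumes an AppServer whose connect procedure is the one shown above, a connection string for a hypothetical broker, and an app_user row for "jsmith" whose can_run list contains "orders/getorder.p" but not "admin/dropuser.p" (both procedure names are assumed for illustration).

```abl
/* Added example: exercising the connect procedure and export list from a client. */
DEFINE VARIABLE hServer AS HANDLE  NO-UNDO.
DEFINE VARIABLE lOk     AS LOGICAL NO-UNDO.
DEFINE VARIABLE iMsg    AS INTEGER NO-UNDO.

CREATE SERVER hServer.

/* The user ID and password given here arrive as pcUserId and pcPassword
   in the AppServer connect procedure. Broker name, host and port are assumed. */
lOk = hServer:CONNECT("-AppService asbroker1 -H apphost -S 5162",
                      "jsmith", "secret") NO-ERROR.
IF NOT lOk THEN DO:
  /* The connect procedure did RETURN ERROR: either the FIND on app_user
     failed (bad credentials) or SESSION:EXPORT( ) could not set the list. */
  DO iMsg = 1 TO ERROR-STATUS:NUM-MESSAGES:
    MESSAGE "Connect refused:" ERROR-STATUS:GET-MESSAGE(iMsg).
  END.
  DELETE OBJECT hServer.
  RETURN.
END.

/* Entry point present in app_user.can_run for this user: the request runs. */
RUN orders/getorder.p ON SERVER hServer (INPUT 1001) NO-ERROR.
IF ERROR-STATUS:ERROR THEN
  MESSAGE "Unexpected failure:" ERROR-STATUS:GET-MESSAGE(1).

/* Entry point absent from the export list: the AppServer refuses to run it
   regardless of whether the source exists, and the client sees an error. */
RUN admin/dropuser.p ON SERVER hServer (INPUT "jsmith") NO-ERROR.
IF ERROR-STATUS:ERROR THEN
  MESSAGE "Refused by export list:" ERROR-STATUS:GET-MESSAGE(1).

hServer:DISCONNECT().
DELETE OBJECT hServer.
```

Running this against a test broker is a direct way to confirm that an export list change has actually taken effect for a given user before the change reaches production.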