Developing AppServer Applications

Implementing multi-tier security models

An AppServer agent can act as a client of another AppServer to manage security on behalf of an originating client in a multi-tier distributed application. In addition to accessing client context as described in the previous section (see Managing context from the AppServer with OERequestInfo objects), this "agent as client" can also execute remote procedure calls using the following security models:
*Delegation — The agent establishes its application context in a remote login procedure by propagating the client context identifier from the originating client to the AppServer (authentication server).
*Impersonation — The agent executes remote procedure calls in the context of the originating client by propagating that client's context identifier with each remote procedure call to another AppServer, thus allowing the AppServer to establish the proper client context for the call.
*Single sign-on (SSO) — The agent sets the client context identifier of a server handle for an AppServer B based on the context established by executing the remote login procedure on the server handle for an AppServer A (the authentication server). When the agent connects to AppServer B, the AppServer's Connect procedure then sets the session identity in an SSO operation using a sealed client-principal returned from a context store keyed on the client context identifier that was propagated in the prior call to the remote login procedure on AppServer A.
*WebSpeed agent — In this variation a WebSpeed agent takes the place of the AppServer agent, a Web browser is the originating client, and the WebSpeed application may call out to a separate authentication server (AppServer). In response to a browser login request, the Web server propagates the client context identifier obtained from the authentication server to the browser, either as a cookie or embedded in resource locators managed by the WebSpeed application. The browser then returns the same client context identifier with each subsequent request to the WebSpeed application in the same user login session. Because that identifier is the browser's only proof of the login session, treat it like any other session token (protect it in transit and invalidate it on logout or expiration).
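The following ABL sketch is an added example and is not code from this manual or from Progress; it shows how the delegation, impersonation and SSO models above fit together in one agent. It assumes the OERequestInfo/OEResponseInfo ClientContextId property on server handles and on SESSION, CLIENT-PRINCIPAL import and SECURITY-POLICY:SET-CLIENT as described in the ABL reference for your release; the procedure names (agent_sso.p, login.p, getorders.p, ctxstore.p, connect_sso.p) and the -AppService/-H/-S connection parameters are placeholders, and ctxstore.p stands in for whatever context store (database table, state-aware session, or external cache) your application uses.

```abl
/* agent_sso.p (hypothetical): runs on the middle-tier AppServer agent, which
   acts as a client of AppServer A (authentication server) and AppServer B. */
DEFINE INPUT  PARAMETER pcUserId   AS CHARACTER NO-UNDO.
DEFINE INPUT  PARAMETER pcPassword AS CHARACTER NO-UNDO.
DEFINE OUTPUT PARAMETER pcResult   AS CHARACTER NO-UNDO.

DEFINE VARIABLE hServerA   AS HANDLE    NO-UNDO.
DEFINE VARIABLE hServerB   AS HANDLE    NO-UNDO.
DEFINE VARIABLE cContextId AS CHARACTER NO-UNDO.
DEFINE VARIABLE lOk        AS LOGICAL   NO-UNDO.

/* Delegation: start from the context id the originating client sent with
   this request (empty or unknown on a first, unauthenticated request). */
cContextId = SESSION:CURRENT-REQUEST-INFO:ClientContextId.

CREATE SERVER hServerA.
/* Connection parameters are placeholders for this example. */
lOk = hServerA:CONNECT("-AppService authsvc -H authhost -S 5162").
IF NOT lOk THEN RETURN ERROR "Cannot reach authentication server".

/* Propagate the originating client's id with the remote login. login.p
   (hypothetical) on A authenticates the user, seals a client-principal,
   stores it under the context id and returns that id in its response. */
hServerA:REQUEST-INFO:ClientContextId = cContextId.
RUN login.p ON hServerA (INPUT pcUserId, INPUT pcPassword, OUTPUT lOk).
IF NOT lOk THEN DO:
    hServerA:DISCONNECT().
    DELETE OBJECT hServerA.
    RETURN ERROR "Authentication failed".
END.
cContextId = hServerA:RESPONSE-INFO:ClientContextId.
hServerA:DISCONNECT().
DELETE OBJECT hServerA.

/* SSO: seed B's server handle with the id established on A before CONNECT,
   so B's Connect procedure can look up the sealed client-principal. */
CREATE SERVER hServerB.
hServerB:REQUEST-INFO:ClientContextId = cContextId.
lOk = hServerB:CONNECT("-AppService ordersvc -H orderhost -S 5163").
IF NOT lOk THEN DO:
    DELETE OBJECT hServerB.
    RETURN ERROR "SSO to AppServer B refused".
END.

/* Impersonation: every call on hServerB carries the same context id, so B
   can re-establish the originating client's identity per request. */
RUN getorders.p ON hServerB (INPUT pcUserId, OUTPUT pcResult).
hServerB:DISCONNECT().
DELETE OBJECT hServerB.

/* Hand the id back to the originating client for its next request. */
SESSION:CURRENT-RESPONSE-INFO:ClientContextId = cContextId.


/* connect_sso.p (hypothetical): the Connect procedure configured on AppServer B.
   The user-id/password parameters are ignored; identity comes only from the
   sealed client-principal found under the propagated context id. */
DEFINE INPUT PARAMETER pcUserId        AS CHARACTER NO-UNDO.
DEFINE INPUT PARAMETER pcPassword      AS CHARACTER NO-UNDO.
DEFINE INPUT PARAMETER pcAppServerInfo AS CHARACTER NO-UNDO.

DEFINE VARIABLE cCtxId    AS CHARACTER NO-UNDO.
DEFINE VARIABLE rSealedCP AS RAW       NO-UNDO.
DEFINE VARIABLE hCP       AS HANDLE    NO-UNDO.

cCtxId = SESSION:CURRENT-REQUEST-INFO:ClientContextId.
IF cCtxId = ? OR cCtxId = "" THEN RETURN ERROR "No client context id".

/* ctxstore.p (hypothetical) returns the sealed client-principal that the
   authentication server stored under this id, or the unknown value. */
RUN ctxstore.p (INPUT "GET", INPUT cCtxId, OUTPUT rSealedCP).
IF rSealedCP = ? THEN RETURN ERROR "Unknown client context id".

CREATE CLIENT-PRINCIPAL hCP.
hCP:IMPORT-PRINCIPAL(rSealedCP).

/* SET-CLIENT checks the seal against the registered domain and rejects a
   principal that is not in the LOGIN state or has expired; only on success
   is the session identity asserted. Never fall back to pcUserId here. */
IF NOT SECURITY-POLICY:SET-CLIENT(hCP) THEN DO:
    DELETE OBJECT hCP.
    RETURN ERROR "Client-principal rejected".
END.
DELETE OBJECT hCP.
```

The two procedures run on different tiers: agent_sso.p on the middle-tier agent, connect_sso.p as the Connect procedure of AppServer B. The one check that matters for security is that B derives the session identity solely from a sealed client-principal it retrieves itself by context id; the identifier the client presents is a lookup key, never an identity claim, and a missing or unknown id fails the connection.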
For more information on client-principal objects and implementing basic security for multi-tier applications, see the sections on authentication in OpenEdge Development: Programming Interfaces.