OpenEdge Authentication Gateway Guide

VALIDATE-SEAL( ) method (enhanced for STS)

What's new

VALIDATE-SEAL( ) now generates an audit event when the method finds the client principal to be expired for the first time. When this happens, the method generates an audit event for a logout operation.

Description

Validates the message authentication code (MAC) generated by the SEAL( ) method to seal a client-principal object.
You can use this method to validate the seal whenever necessary.
Return type: LOGICAL
Applies to: Client-principal object handle

Syntax

VALIDATE-SEAL ( [domain-access-code ] )
domain-access-code
An optional character expression containing the access code that is defined for the user's domain and that was originally used to seal the client-principal object. The AVM converts this value to UTF-8 before using it, which ensures a consistent value regardless of code page settings.
ABL raises ERROR if the client-principal object is not:
* Sealed
* In the LOGIN state
If you specify a domain access code, the AVM uses the specified value to validate the seal.
Caution: Given any client-principal that is sealed with it, this domain access code provides session and database access when validated using a single sign-on (SSO) operation against a trusted domain registry that contains a matching domain with the same access code. Therefore, Progress Software Corporation strongly recommends that you take steps to hide or otherwise protect any domain access code that you specify in your ABL code from access (hacking) by unauthorized users.
If you do not specify a domain access code, the AVM uses the access code defined for the domain in the trusted domain registry to validate the seal.
The AVM validates the seal by comparing it to the MAC generated from either the specified domain access code or the matching domain access code stored in the trusted domain registry. If the seal matches the generated MAC, the seal is valid and this method returns TRUE. Otherwise, the seal is invalid and this method returns FALSE.
The AVM also checks the LOGIN-EXPIRATION-TIMESTAMP attribute. If the client-principal object expires before you can validate its seal, the AVM sets the LOGIN-STATE attribute to "EXPIRED", and returns FALSE.
VALIDATE-SEAL( ) only generates an audit event when the method finds the client principal to be expired for the first time. When this happens, the method generates an audit event for a logout operation.
The following code fragment illustrates how to use the VALIDATE-SEAL( ) method:
DEFINE VARIABLE hCP    AS HANDLE    NO-UNDO.
DEFINE VARIABLE key    AS CHARACTER NO-UNDO.
DEFINE VARIABLE val-ok AS LOGICAL   NO-UNDO.

/* "<domain-access-code>" is a placeholder: load the real access code from
   protected configuration rather than hard-coding it in source (see Caution). */
key = "<domain-access-code>".

CREATE CLIENT-PRINCIPAL hCP.
/* Illustrative identity attributes covered by the seal */
hCP:USER-ID     = "user".
hCP:DOMAIN-NAME = "domain".
hCP:SESSION-ID  = GUID(GENERATE-UUID).
hCP:SEAL(key).                   /* MAC computed over the object with key */

val-ok = hCP:VALIDATE-SEAL(key). /* TRUE only if the seal matches and the login has not expired */
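The validation rules described above (MAC comparison against the supplied access code or the one in the trusted domain registry, the expiration check that sets LOGIN-STATE to "EXPIRED" and returns FALSE, and the single logout audit event), as an added model written in Python for this page; it is not the AVM's implementation and does not run in OpenEdge. The HMAC construction, the fields covered by the seal, the registry contents and the audit list are assumptions for illustration.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the trusted domain registry: domain -> access code
TRUSTED_DOMAIN_REGISTRY = {"acme": "registry-access-code"}


class ClientPrincipal:
    """Model of a client-principal object and its seal/validate behaviour."""

    def __init__(self, user_id, domain_name, session_id, login_expiration=None):
        self.user_id = user_id
        self.domain_name = domain_name
        self.session_id = session_id
        self.login_expiration = login_expiration  # epoch seconds, or None
        self.login_state = "LOGIN"
        self.seal_value = None
        self.audit_events = []  # stands in for the audit log

    def _mac(self, access_code):
        # Access code and fields are used as UTF-8, matching the page's note
        msg = "|".join([self.user_id, self.domain_name, self.session_id,
                        str(self.login_expiration)]).encode("utf-8")
        return hmac.new(access_code.encode("utf-8"), msg, hashlib.sha256).digest()

    def seal(self, access_code):
        self.seal_value = self._mac(access_code)

    def validate_seal(self, access_code=None, now=None):
        # ERROR (here: an exception) when not sealed or not in the LOGIN state
        if self.seal_value is None or self.login_state != "LOGIN":
            raise RuntimeError("client-principal not sealed or not in LOGIN state")
        now = time.time() if now is None else now
        # Expiration is checked first: an expired principal is never accepted
        if self.login_expiration is not None and now >= self.login_expiration:
            self.login_state = "EXPIRED"  # transition happens once, so one audit event
            self.audit_events.append(("logout", self.user_id, self.domain_name))
            return False
        if access_code is None:  # fall back to the trusted domain registry
            access_code = TRUSTED_DOMAIN_REGISTRY.get(self.domain_name)
            if access_code is None:
                return False
        # Constant-time comparison of the stored seal against the recomputed MAC
        return hmac.compare_digest(self.seal_value, self._mac(access_code))
```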

See also

LOGIN-STATE attribute, SEAL( ) method in OpenEdge Development: ABL Reference