Application Migration and Development Guide
 
Implementing multi-tier security models
A server session can act as a client of another server to manage security on behalf of an originating client in a multi-tier distributed application. In addition to accessing client context as described in the previous section (see Managing context from the server with OERequestInfo objects), this "server session as client" can also execute remote procedure calls using the following security models:
* Delegation — The server session establishes its application context in a remote login procedure by propagating the client context identifier from the originating client to the authentication server.
* Impersonation — The server session executes remote procedure calls in the context of the originating client by propagating that client's context identifier with each remote procedure call to another server, thus allowing the other server to establish the proper client context for the call.
* Single sign-on (SSO) — The server session sets the client context identifier of a server handle for a Server B based on the context established by executing the remote login procedure on the server handle for a Server A (the authentication server). When the initial server session connects to Server B, the server's Connect procedure then sets the session identity in an SSO operation using a sealed client-principal returned from a context store keyed on the client context identifier that was propagated in the prior call to the remote login procedure on Server A.
* WebSpeed® session — This replaces the server session along with a Web browser serving as the originating client and the WebSpeed application possibly calling out to a separate authentication server. In response to a browser login request, the Web server propagates the client context identifier from the authentication server to the browser using cookies or by embedding the context identifier in resource locators managed by the WebSpeed application. The browser then returns the same client context identifier with each subsequent request to the WebSpeed application in the same user login session.
For more information on client-principal objects and implementing basic security for multi-tier applications, see the sections on authentication in OpenEdge Development: Programming Interfaces.
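The SSO model described above, as an added example that is not Progress code and does not use OpenEdge APIs: a language-neutral Python model of a context store keyed on the client context identifier, with the checks Server B's Connect procedure should make before setting the session identity. The HMAC stands in for the client-principal seal, and `DOMAIN_KEY`, `CONTEXT_STORE`, `login` and `connect` are hypothetical names with constructed values.

```python
import hashlib
import hmac
import json
import secrets
import time

DOMAIN_KEY = b"constructed-domain-access-code"  # assumption: known to Server A and Server B only
CONTEXT_STORE = {}                               # assumption: store reachable from both servers


def seal(user, expires, key=DOMAIN_KEY):
    """Server A: serialize the principal and seal it (HMAC stands in for the real seal)."""
    claims = json.dumps({"user": user, "exp": expires}, sort_keys=True).encode()
    return claims, hmac.new(key, claims, hashlib.sha256).digest()


def login(user, password_ok, ttl=300, now=None):
    """Server A remote login procedure: returns the client context identifier (CCID)."""
    if not password_ok:
        return None
    now = time.time() if now is None else now
    ccid = secrets.token_urlsafe(32)  # unguessable; never derived from the user name
    CONTEXT_STORE[ccid] = seal(user, now + ttl)
    return ccid


def connect(ccid, key=DOMAIN_KEY, now=None):
    """Server B Connect procedure: derive the session identity from the propagated CCID."""
    now = time.time() if now is None else now
    entry = CONTEXT_STORE.get(ccid)
    if entry is None:
        raise PermissionError("unknown client context identifier")
    claims, tag = entry
    expected = hmac.new(key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time seal check
        raise PermissionError("seal validation failed")
    principal = json.loads(claims)
    if principal["exp"] <= now:
        CONTEXT_STORE.pop(ccid, None)            # expired context must not be reusable
        raise PermissionError("principal expired")
    return principal["user"]
```

The identity Server B adopts comes only from the sealed entry in the store, never from anything else the caller sends alongside the context identifier.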