Exports the unsealed or sealed client-principal object as a portable security token with the currently defined property and attribute settings by converting it to a RAW value. You can assign this value to a RAW variable and send it to another ABL session (such as an AppServer™ agent) or assign it to a field in a secure database. The receiving ABL session can then import the RAW value into another client-principal object using the IMPORT-PRINCIPAL( ) method. Depending on its sealed or unsealed state, you can use the imported object to assert or set the user identity it represents using the SEAL( ) method, SECURITY-POLICY:SET-CLIENT( ) method, or SET-DB-CLIENT function, as appropriate.
Return type: RAW
Applies to: Client-principal object handle
Syntax
The client-principal object can be either sealed or unsealed.

Calling this method does not generate an audit event or an audit record.
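The export, send, import, seal and set-identity sequence described above, as an added example that is not part of the original documentation. A single ABL procedure plays both the client role and the remote authentication-service role so that the unsealed and the sealed EXPORT-PRINCIPAL( ) calls can be read together; in a real deployment the RAW values would cross a secure connection between two sessions. The user id "jsmith@sports", the session id "session-0001", the password, the domain access code and the authenticateUser helper are constructed placeholders, not real APIs or values.

```abl
/* Added example, not from the original documentation: one ABL procedure that
   plays both the client and the authentication-service role of a login
   handshake. Constructed placeholders: user id, session id, password, the
   domain access code, and the hypothetical authenticateUser helper. */

DEFINE VARIABLE cAccessCode AS CHARACTER NO-UNDO INITIAL "placeholder-access-code".
DEFINE VARIABLE rUnsealed   AS RAW       NO-UNDO.
DEFINE VARIABLE rSealed     AS RAW       NO-UNDO.
DEFINE VARIABLE hClientCP   AS HANDLE    NO-UNDO.

/* Hypothetical credential check standing in for the service's user store. */
FUNCTION authenticateUser RETURNS LOGICAL
    (INPUT pcQualifiedUser AS CHARACTER, INPUT pcPassword AS CHARACTER):
    RETURN (pcQualifiedUser = "jsmith@sports" AND pcPassword = "s3cret").
END FUNCTION.

/* Client side: assert an identity in an unsealed client-principal and export
   it as a RAW token to send to the authentication service. */
FUNCTION buildLoginRequest RETURNS RAW
    (INPUT pcUserId AS CHARACTER, INPUT pcSessionId AS CHARACTER):
    DEFINE VARIABLE hCP  AS HANDLE NO-UNDO.
    DEFINE VARIABLE rTok AS RAW    NO-UNDO.
    CREATE CLIENT-PRINCIPAL hCP.
    hCP:INITIALIZE(pcUserId, pcSessionId).
    rTok = hCP:EXPORT-PRINCIPAL().   /* unsealed: identity is only asserted */
    DELETE OBJECT hCP.
    RETURN rTok.
END FUNCTION.

/* Service side: import the unsealed token, authenticate the user, seal the
   object to begin the login session, and export the sealed token.
   Returns ? (unknown) if any step fails. */
FUNCTION serviceLogin RETURNS RAW
    (INPUT prToken AS RAW, INPUT pcPassword AS CHARACTER):
    DEFINE VARIABLE hCP  AS HANDLE NO-UNDO.
    DEFINE VARIABLE rTok AS RAW    NO-UNDO.   /* RAW defaults to ? */
    CREATE CLIENT-PRINCIPAL hCP.
    IF hCP:IMPORT-PRINCIPAL(prToken) THEN DO:
        IF authenticateUser(hCP:QUALIFIED-USER-ID, pcPassword) THEN DO:
            IF hCP:SEAL(cAccessCode) THEN DO:
                IF hCP:LOGIN-STATE = "LOGIN" THEN
                    rTok = hCP:EXPORT-PRINCIPAL().   /* sealed: authenticated */
            END.
        END.
    END.
    DELETE OBJECT hCP.
    RETURN rTok.
END FUNCTION.

/* Drive the handshake; the two RAW values are what would cross the wire. */
rUnsealed = buildLoginRequest("jsmith@sports", "session-0001").
rSealed   = serviceLogin(rUnsealed, "s3cret").

IF rSealed = ? THEN
    MESSAGE "Login rejected.".
ELSE DO:
    /* Client side again: import the sealed token, verify its seal, and set
       it as this session's identity. */
    CREATE CLIENT-PRINCIPAL hClientCP.
    IF hClientCP:IMPORT-PRINCIPAL(rSealed) THEN DO:
        IF hClientCP:VALIDATE-SEAL(cAccessCode) THEN DO:
            IF SECURITY-POLICY:SET-CLIENT(hClientCP) THEN
                MESSAGE "Session identity set to" hClientCP:QUALIFIED-USER-ID.
            ELSE
                MESSAGE "SET-CLIENT failed; the domain must be registered in this session.".
        END.
        ELSE
            MESSAGE "Sealed token did not validate.".
    END.
    DELETE OBJECT hClientCP.
END.
```

Two points the single-session demo hides: the sealed token carries no proof of its own beyond the seal, so the receiving side must verify it (here VALIDATE-SEAL( ) with the access code) before trusting it, and SECURITY-POLICY:SET-CLIENT( ) only succeeds when the token's domain is known to the session, through SECURITY-POLICY:REGISTER-DOMAIN( ) or a connected database's domain configuration. Sharing cAccessCode between the client and service functions is an artifact of running both roles in one procedure; in a real deployment only the authenticating side holds it.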
Notes
- A typical use case for exporting an unsealed security token is having a client log in by exporting an unsealed client-principal initialized with its asserted user identity to a remote authentication service over a secure connection. The authentication service then imports the client-principal and, after a successful user authentication, seals the client-principal, beginning a user login session. The service might then export and return the sealed client-principal to the requesting client, which imports the object to set its authenticated identity. The service might also cache the exported client-principal in secure storage for a future identity management request.
- A typical use case for exporting a sealed security token is in a remote authentication service that responds to identity management requests from ABL sessions of an n-tier application. For each request, the authentication service retrieves and imports the sealed client-principal from secure storage that is associated with a given login session key and performs the requested action (such as invoking the LOGOUT( ) method to terminate the user login session). The service then exports the sealed (and changed) client-principal, replacing the previous copy in secure storage and possibly returning it to the requesting ABL session.
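The second use case above, as an added example that is not from the original documentation: an identity-management handler in a remote authentication service that retrieves a sealed token by session key, imports it, terminates the login session with LOGOUT( ), and re-exports the changed sealed token over the stored copy. The temp-table stands in for the secure storage the note refers to; the user id, session id and domain access code are constructed placeholders, and seedStorage and logoutSession are hypothetical helpers.

```abl
/* Added example, not from the original documentation: LOGOUT handling on a
   stored sealed client-principal. ttSession is a constructed stand-in for
   secure storage; the access code, user id and session id are placeholders. */

DEFINE TEMP-TABLE ttSession NO-UNDO
    FIELD SessionKey AS CHARACTER
    FIELD Token      AS RAW          /* sealed, exported client-principal */
    INDEX pk IS PRIMARY UNIQUE SessionKey.

DEFINE VARIABLE cAccessCode AS CHARACTER NO-UNDO INITIAL "placeholder-access-code".

/* Seed storage with one sealed login session, as the login flow would have. */
PROCEDURE seedStorage:
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.
    CREATE CLIENT-PRINCIPAL hCP.
    hCP:INITIALIZE("jsmith@sports", "session-0001").
    hCP:SEAL(cAccessCode).
    CREATE ttSession.
    ASSIGN ttSession.SessionKey = hCP:SESSION-ID
           ttSession.Token      = hCP:EXPORT-PRINCIPAL().
    DELETE OBJECT hCP.
END PROCEDURE.

/* Handle a LOGOUT request for a session key: import the stored sealed token,
   reject it unless the seal still validates and the session is live, end the
   login session, then export the changed token over the stored copy. */
FUNCTION logoutSession RETURNS LOGICAL (INPUT pcSessionKey AS CHARACTER):
    DEFINE VARIABLE hCP AS HANDLE  NO-UNDO.
    DEFINE VARIABLE lOk AS LOGICAL NO-UNDO INITIAL FALSE.

    FIND ttSession WHERE ttSession.SessionKey = pcSessionKey NO-ERROR.
    IF NOT AVAILABLE ttSession THEN RETURN FALSE.

    CREATE CLIENT-PRINCIPAL hCP.
    IF hCP:IMPORT-PRINCIPAL(ttSession.Token) THEN DO:
        /* A token that fails VALIDATE-SEAL( ) was altered in storage. */
        IF hCP:VALIDATE-SEAL(cAccessCode) THEN DO:
            IF hCP:LOGIN-STATE = "LOGIN" THEN DO:
                IF hCP:LOGOUT() THEN DO:
                    /* Still sealed, now in the LOGOUT state. */
                    ttSession.Token = hCP:EXPORT-PRINCIPAL().
                    lOk = TRUE.
                END.
            END.
        END.
    END.
    DELETE OBJECT hCP.
    RETURN lOk.
END FUNCTION.

RUN seedStorage.
IF logoutSession("session-0001") THEN
    MESSAGE "session-0001 logged out; stored token replaced.".
ELSE
    MESSAGE "session-0001 not found or token rejected.".
```

Replacing the stored copy with the re-exported token is what prevents a later request from importing the pre-logout version and treating the session as still live; the handler also checks LOGIN-STATE before acting so that a repeated or stale LOGOUT request is reported rather than silently re-applied.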