Posted: 25-Dec-2015
DB-19: OpenEdge® Authentication Without the _User Table
Stephen Ferguson, Progress Software
© 2007 Progress Software Corporation
Agenda
- Authentication in OpenEdge
- The authentication process
- Identity Management with the OpenEdge AppServer™
- Configuration and deployment setup
Why User Authentication? What are the user authentication challenges I can face?
- Compliance with security standards and government regulations
- Integration with different authentication systems
- OpenEdge Auditing
OpenEdge Authentication Advantages
1. Configurable user authentication systems
   - Configure which to use at the production site
   - Quickly extend support to new systems
   - Support multiple authentication systems
2. Use OpenEdge 10.1+ security services
   - OpenEdge auditing core service
   - OpenEdge database run-time security
What's the Value-Add? What value is provided by OpenEdge 10.1+ security features?
- OpenEdge run-time permission checking: database table and field permissions
- The ABL does not need to use the _User table
- OpenEdge auditing core service: secure ABL, SQL and database utility auditing; user login/logout and login-sessions; faster database record auditing than triggers
ABL Database Table and Field Permissions
- Order-dependent, comma-separated list of account names
- Table and field permissions are stored in the database
- "*" matches any account and a leading "!" excludes the account that follows; the first entry that matches decides, so "!Steve,*" denies Steve and allows everyone else, while "*,!Steve" would allow Steve because "*" matches him first

Permission examples

    Table permissions
        _Can-Create   *
        _Can-Read     Steve
        _Can-Write    !Steve,*
        _Can-Delete   Admin

    Field permissions
        _Can-Read     !Group1,!Group2,*
        _Can-Write    *
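The following is an added example, not code from the presentation, showing how ABL evaluates these order-dependent lists. It uses the built-in CAN-DO function, which applies the same left-to-right, first-match rule as the _Can-* checks; the account names are the ones from the slide, and the procedure is stand-alone.

```abl
/* can-do-demo.p
   Added example: evaluating order-dependent permission lists with CAN-DO.
   The names (Steve, Admin, Group1, Group2) are the ones on the slide;
   Mary, Joshua and Stella are made-up accounts used as counter-examples. */

/* Returns "allow" or "deny" for one permission list and one account name.
   CAN-DO scans the list left to right and the first matching entry wins. */
FUNCTION decide RETURNS CHARACTER (pcList AS CHARACTER, pcUser AS CHARACTER):
    RETURN (IF CAN-DO(pcList, pcUser) THEN "allow" ELSE "deny").
END FUNCTION.

/* _Can-Write = "!Steve,*": Steve is denied, everyone else is allowed. */
MESSAGE "!Steve,*  Steve ->" decide("!Steve,*", "Steve")    /* deny  */
        " Mary ->"           decide("!Steve,*", "Mary").    /* allow */

/* Reversing the order silently grants Steve: "*" matches him first and
   the later "!Steve" is never reached. This is the classic mistake. */
MESSAGE "*,!Steve  Steve ->" decide("*,!Steve", "Steve").   /* allow */

/* _Can-Read = "Steve": a list with no "*" denies every other account. */
MESSAGE "Steve  Admin ->" decide("Steve", "Admin").          /* deny  */

/* Field _Can-Read = "!Group1,!Group2,*" */
MESSAGE "!Group1,!Group2,*  Group2 ->"
        decide("!Group1,!Group2,*", "Group2")                 /* deny  */
        " Joshua ->" decide("!Group1,!Group2,*", "Joshua").  /* allow */

/* Wildcards apply inside an entry too: "!Ste*" denies Steve and Stella. */
MESSAGE "!Ste*,*  Stella ->" decide("!Ste*,*", "Stella").   /* deny  */
```

Two caveats a practitioner should keep in mind. CAN-DO matches case-insensitively and wildcards apply inside names, so a broad "!" entry can deny more accounts than intended. ABL permission lists compare account-name strings only, with no group lookup, so an entry such as !Group1 matches only a user-id literally named Group1. The _Can-* lists are enforced only when ABL run-time permission checking is enabled for the database and a user-id has been established for the connection.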
The OpenEdge User Identity Challenge (prior to OpenEdge 10.1A)
- The _User table was the only trusted user-id source
- Almost no ABL applications use the _User table
- No way for an ABL application to tell OpenEdge that it is a trusted authentication source
- No way for OpenEdge to validate that a user-id came from a trusted ABL application source
- Solution: allow ABL applications to become a trusted source of user authentication
Authentication and Authorization Process

(Figure, reconstructed from the slide labels.) The client presents login credentials to the AppServer agent. The agent's Authentication Manager authenticates them against one of the configured authentication systems, each with its own user accounts (account check, get account data), and produces a CLIENT-PRINCIPAL for the login. The Authorization Manager then uses the access-control data to decide which application resources that principal may use. Process control sits above both steps.
OpenEdge Authentication Strategies: what are my choices?

OpenEdge authentication with _User:
- Can still connect to an OpenEdge database using the -U (user-id) and -P (password) connection parameters
- Authenticate and set the user-id for a database connection with SETUSERID()

OpenEdge authentication without _User:
- Custom application design and implementation
OpenEdge Authentication
Use the OpenEdge CLIENT-PRINCIPAL identity extensions:
- Use existing ABL authentication modules
- User login/logout and session information
- Single sign-on between ABL products
Requires:
- Code additions
- Conditional configuration and deployment setup
Introduced in OpenEdge 10.1A
- User identity access token: the CLIENT-PRINCIPAL object
- Domain Registries: identify trusted user authentication systems, are used to validate a CLIENT-PRINCIPAL object, and are user defined or loaded from the database
- OpenEdge session user-id: synchronizes the user-ids of all OpenEdge DB connections
The CLIENT-PRINCIPAL Object

    CLIENT-PRINCIPAL
      Domain:        Application            <- authentication system data
      User-ID:       Joshua                 <- user account information
      Login-token:   BW3G1&2G1836D872       <- login-session ID
      Login-date:    6/12/07 08:15:33.12
      Login-expires: 6/12/07 19:30:00.00    <- user account restrictions
      State:         Login
      Roles:         Manager
      App-data:      Company=ABC Corp ...   <- application defined data
      Seal:          AC63Galx98wBwuuw2      <- data integrity seal
ABL CLIENT-PRINCIPAL Object
- Created and managed by the ABL application
- Represents a single user login session
- Sets the current user-id for the ABL application and all database connections, or for an individual OpenEdge database connection
- The CLIENT-PRINCIPAL's user-id can be used for run-time permission checking
Load Authentication Systems: modify application startup code (example)

    SECURITY-POLICY:REGISTER-DOMAIN( "Application", cDomToken ) NO-ERROR.
    SECURITY-POLICY:LOCK-REGISTRATION() NO-ERROR.

- Loads the OpenEdge session Domain Registry
- A domain cannot be used until the registry is locked
- Can only be loaded once per session
Load Authentication Systems: load from application tables (example)

    FOR EACH Trusted-Auth-Domain NO-LOCK:
        SECURITY-POLICY:REGISTER-DOMAIN
            (Trusted-Auth-Domain.cDomainName,
             Trusted-Auth-Domain.cDomainKey,
             Trusted-Auth-Domain.cDomainDescr,
             Trusted-Auth-Domain.cDomainType) NO-ERROR.
    END.
    SECURITY-POLICY:LOCK-REGISTRATION() NO-ERROR.
Load Authentication Systems: load from the database (modify application startup code)

    SECURITY-POLICY:LOAD-DOMAINS( "Dictdb" ) NO-ERROR.

- Configure Authentication Systems and Domains in Data Admin; they are stored in _sec-authentication-system and _sec-authentication-domain
- Loads the session Domain Registry and locks it in a single operation, which is more secure than registering domains one by one
- Can only be loaded once per session
Creating a CLIENT-PRINCIPAL: application user login code

    CREATE CLIENT-PRINCIPAL hCP.
    /* Required user account information */
    ASSIGN hCP:DOMAIN-TYPE        = cDefDomType
           hCP:DOMAIN-DESCRIPTION = cDefDomDesc
           hCP:DOMAIN-NAME        = cDefDomainName
           hCP:USER-ID            = cUserid
           hCP:SESSION-ID         = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
    /* Optional user account information */
    ...
Completing the Login: user login completion code

On successful login, start the user login-session; the CLIENT-PRINCIPAL's access token becomes read-only:

    hCP:SEAL( cDomainToken ).

On failed login, invalidate the user login object; the access token is invalid, and the failure is logged to the audit files when auditing is enabled:

    hCP:AUTHENTICATION-FAILED( "Invalid Password" ).
Setting the Session User-id: successful login code

Set the OpenEdge session's user-id for all connected databases:

    SECURITY-POLICY:SET-CLIENT( hCP ) NO-ERROR.

Set the user-id for a single database connection (equivalent to SETUSERID()):

    SECURITY-POLICY:SET-DB-CLIENT( hCP, "dbname" ) NO-ERROR.
Logging Out

Log out the CLIENT-PRINCIPAL (ends the login-session), clear the session user-id, then invalidate the object:

    hCP:LOGOUT().
    SECURITY-POLICY:SET-CLIENT( ? ) NO-ERROR.
    DELETE OBJECT hCP.
    hCP = ?.
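The steps above (load the registry, create the principal, seal or fail, set the session user-id, log out) as one stand-alone procedure. This is an added example, not code from the presentation: the domain name "Application", the access code "demo-access-code", the temp-table user store and the user "joshua" are assumptions made for the demo.

```abl
/* login-demo.p
   Added example, not code from the presentation: one ABL session logging a
   user in and out with CLIENT-PRINCIPAL. Assumptions for the demo: domain
   "Application" with access code "demo-access-code", and a constructed
   temp-table standing in for the application's own user store. */

DEFINE VARIABLE cDomainName AS CHARACTER NO-UNDO INITIAL "Application".
DEFINE VARIABLE cDomainKey  AS CHARACTER NO-UNDO INITIAL "demo-access-code".
DEFINE VARIABLE hCP         AS HANDLE    NO-UNDO.

/* Constructed user store. ENCODE is ABL's legacy one-way hash; it is used
   here only so the sample is self-contained, not as a recommendation. */
DEFINE TEMP-TABLE ttUser NO-UNDO
    FIELD UserName AS CHARACTER
    FIELD PwdHash  AS CHARACTER
    FIELD Roles    AS CHARACTER
    INDEX ixUser IS PRIMARY UNIQUE UserName.

CREATE ttUser.
ASSIGN ttUser.UserName = "joshua"
       ttUser.PwdHash  = ENCODE("s3cret")
       ttUser.Roles    = "Manager".

/* Startup: register the trusted domain once, then lock the registry.
   SEAL and SET-CLIENT refuse a domain that is not in a locked registry. */
PROCEDURE loadDomainRegistry:
    IF NOT SECURITY-POLICY:REGISTER-DOMAIN(cDomainName, cDomainKey,
                                           "Demo application users",
                                           "Application") THEN
        RETURN ERROR "REGISTER-DOMAIN failed".
    IF NOT SECURITY-POLICY:LOCK-REGISTRATION() THEN
        RETURN ERROR "LOCK-REGISTRATION failed".
END PROCEDURE.

/* Login: check the credentials, seal on success, mark the principal
   FAILED on failure (written to the audit trail when auditing is on). */
PROCEDURE loginUser:
    DEFINE INPUT  PARAMETER pcUser     AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pcPassword AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER phCP       AS HANDLE    NO-UNDO.
    DEFINE VARIABLE lOk AS LOGICAL NO-UNDO.

    CREATE CLIENT-PRINCIPAL phCP.
    ASSIGN phCP:DOMAIN-NAME = cDomainName
           phCP:DOMAIN-TYPE = "Application"
           phCP:USER-ID     = pcUser
           /* unpredictable login-session id: 128-bit UUID, base64, 22 chars */
           phCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22)
           phCP:LOGIN-EXPIRATION-TIMESTAMP = ADD-INTERVAL(NOW, 8, "hours").

    FIND ttUser WHERE ttUser.UserName = pcUser NO-ERROR.
    lOk = FALSE.
    IF AVAILABLE ttUser THEN lOk = (ttUser.PwdHash = ENCODE(pcPassword)).

    IF lOk THEN DO:
        phCP:ROLES = ttUser.Roles.
        lOk = phCP:SEAL(cDomainKey).   /* access token is read-only from here */
    END.
    ELSE DO:
        /* one failure path for unknown user and wrong password alike */
        phCP:AUTHENTICATION-FAILED("Invalid user-id or password").
    END.

    /* Make the sealed principal the identity for every connected database
       (SET-DB-CLIENT(phCP, "dbname") would cover one database only). */
    IF lOk THEN lOk = SECURITY-POLICY:SET-CLIENT(phCP).

    IF NOT lOk THEN DO:
        DELETE OBJECT phCP NO-ERROR.
        phCP = ?.
    END.
END PROCEDURE.

/* Logout: end the login-session (audited), clear the session user-id,
   then discard the object. */
PROCEDURE logoutUser:
    DEFINE INPUT-OUTPUT PARAMETER phCP AS HANDLE NO-UNDO.
    IF VALID-HANDLE(phCP) THEN DO:
        IF phCP:LOGIN-STATE = "LOGIN":U THEN phCP:LOGOUT() NO-ERROR.
        SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.
        DELETE OBJECT phCP NO-ERROR.
        phCP = ?.
    END.
END PROCEDURE.

/* Demo: a failed attempt, then a successful login and logout. */
RUN loadDomainRegistry.
RUN loginUser("joshua", "wrong-password", OUTPUT hCP).
MESSAGE "after bad password, logged in:" VALID-HANDLE(hCP).       /* no */
RUN loginUser("joshua", "s3cret", OUTPUT hCP).
MESSAGE "state:" hCP:LOGIN-STATE "user:" hCP:USER-ID "@" hCP:DOMAIN-NAME
        "seal valid:" hCP:VALIDATE-SEAL(cDomainKey).
RUN logoutUser(INPUT-OUTPUT hCP).
```

Two details worth noting. The failed-login path still creates and marks the principal so that the attempt is audited, and it uses the same message for an unknown user and a wrong password so the response does not reveal which one it was. The expiration timestamp is set before sealing; once sealed the token is read-only, and a principal whose expiration has passed no longer reports the LOGIN state.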
Context Management Basics
- Target environment is a client to a stateless or state-free AppServer: each interaction is independent
- Maintain context between related interactions
- Store context between client requests in a shared data store: all AppServer sessions can read and write it, and the context is held on the server
Asserting the Trusted User Identity (who): managing context and re-establishing identity

(Figure, reconstructed from the slide labels.) Login: the client sends login credentials; the application server creates and seals a CLIENT-PRINCIPAL, EXPORTs it into the context sub-system, and returns only the session-id. Later requests: the client sends the session-id; the server retrieves the stored CLIENT-PRINCIPAL from context, IMPORTs it and resets the user identity before processing. Logout request: the client sends the session-id; the server retrieves and IMPORTs the CLIENT-PRINCIPAL and calls hCP:LOGOUT. Application server shutdown: purge the context.
Pushing Identity into Context

Store in context keyed by hCP:SESSION-ID (assign values, SEAL the principal, EXPORT the principal):

    IF NOT lOk THEN /* invalid or new user */
    DO:
        ASSIGN hCP:USER-ID     = pcUser
               hCP:DOMAIN-NAME = cDomainName
               hCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
        lOk = hCP:SEAL(gcDomainKey).
        /* only a sealed principal is worth storing */
        IF lOk THEN ctx.rawCP = hCP:EXPORT-PRINCIPAL().
    END.
    /* Now reset to current user identity */
    IF lOk THEN lOk = SECURITY-POLICY:SET-CLIENT(hCP).
Re-asserting Identity from Context

Retrieve from context using hCP:SESSION-ID (IMPORT the principal, validate, set client):

    /* Re-assert identity - from context if possible */
    CREATE CLIENT-PRINCIPAL hCP NO-ERROR.
    lOk = hCP:IMPORT-PRINCIPAL(ctx.rawCP) NO-ERROR.
    /* anything but the LOGIN state (logged out, expired, failed) is rejected */
    IF lOk AND (hCP:LOGIN-STATE <> "LOGIN":U) THEN
    DO:
        /* an invalid client-principal was imported */
        lOk = FALSE.
    END.
    /* SET-CLIENT also checks the seal against the locked domain registry */
    IF lOk THEN lOk = SECURITY-POLICY:SET-CLIENT(hCP).
Clean-up: Logging out the User

Log out at the true end of the session, only when the user really changes; not with each Application Server round trip.

    IF VALID-HANDLE(hCP) THEN
    DO:
        /* Log out */
        IF hCP:LOGIN-STATE = "LOGIN":U THEN hCP:LOGOUT() NO-ERROR.
        /* also delete the context record keyed by hCP:SESSION-ID */
        /* Clear the session user-id */
        SECURITY-POLICY:SET-CLIENT( ? ) NO-ERROR.
        DELETE OBJECT hCP NO-ERROR.
        hCP = ?.
    END.
Primary User Authentication APIs

    LoginClient  ( INPUT cUserid AS CHAR, INPUT rAuthToken AS RAW, [...,]
                   OUTPUT cSessionId AS CHAR ).
    AnyProcedure ( [...,] INPUT cSessionId AS CHAR ).
    LogoutClient ( INPUT cSessionId AS CHAR ).
Managing CLIENT-PRINCIPAL Context
- Faster to import a CLIENT-PRINCIPAL from context than to re-create and re-seal it
- Be explicit about login (SEAL) and logout
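The AppServer pattern of this section (push identity into context, re-assert it on each request, log out once at the true end) as one stand-alone procedure following the LoginClient / AnyProcedure / LogoutClient API shape. This is an added example, not code from the presentation: the domain "Application" and its access code, the credential check, the user "joshua" and the temp-table context store are assumptions for the demo, and the password is passed as CHARACTER instead of the RAW token in the API sketch.

```abl
/* context-demo.p
   Added example, not code from the presentation. The context store is a
   temp-table so the sample runs on its own; in a stateless AppServer it
   must be a shared store (e.g. a database table) that every agent can read,
   because the next request may be served by a different agent. */

DEFINE VARIABLE cDomainName AS CHARACTER NO-UNDO INITIAL "Application".
DEFINE VARIABLE cDomainKey  AS CHARACTER NO-UNDO INITIAL "demo-access-code".
DEFINE VARIABLE cSid        AS CHARACTER NO-UNDO.
DEFINE VARIABLE cWho        AS CHARACTER NO-UNDO.

DEFINE TEMP-TABLE ttContext NO-UNDO
    FIELD SessionId AS CHARACTER
    FIELD rawCP     AS RAW          /* sealed, exported CLIENT-PRINCIPAL */
    INDEX ixSession IS PRIMARY UNIQUE SessionId.

/* Constructed stand-in for the real authentication system. */
FUNCTION credentialsOk RETURNS LOGICAL (pcUser AS CHARACTER, pcPassword AS CHARACTER):
    RETURN (pcUser = "joshua" AND pcPassword = "s3cret").
END FUNCTION.

/* Agent startup: load and lock the domain registry once per ABL session. */
PROCEDURE loadDomainRegistry:
    SECURITY-POLICY:REGISTER-DOMAIN(cDomainName, cDomainKey, "Demo users", "Application") NO-ERROR.
    SECURITY-POLICY:LOCK-REGISTRATION() NO-ERROR.
END PROCEDURE.

/* Request: LoginClient. Only the session-id goes back to the client;
   the sealed principal never leaves the server. */
PROCEDURE LoginClient:
    DEFINE INPUT  PARAMETER pcUser      AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pcPassword  AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER pcSessionId AS CHARACTER NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE  NO-UNDO.
    DEFINE VARIABLE lOk AS LOGICAL NO-UNDO.

    CREATE CLIENT-PRINCIPAL hCP.
    ASSIGN hCP:DOMAIN-NAME = cDomainName
           hCP:USER-ID     = pcUser
           hCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
    IF credentialsOk(pcUser, pcPassword) THEN lOk = hCP:SEAL(cDomainKey).
    IF lOk THEN DO:
        CREATE ttContext.
        ASSIGN ttContext.SessionId = hCP:SESSION-ID
               ttContext.rawCP     = hCP:EXPORT-PRINCIPAL()
               pcSessionId         = hCP:SESSION-ID.
    END.
    ELSE DO:
        hCP:AUTHENTICATION-FAILED("Invalid user-id or password").   /* audited */
        pcSessionId = ?.
    END.
    DELETE OBJECT hCP.   /* per-request object; the context holds the copy */
END PROCEDURE.

/* Start of every other request: rebuild the identity from context. Rejects
   unknown session-ids, seals that do not validate against the registry, and
   principals not in the LOGIN state (logged out, expired, failed). */
PROCEDURE assertIdentity:
    DEFINE INPUT  PARAMETER pcSessionId AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER phCP        AS HANDLE    NO-UNDO.
    DEFINE OUTPUT PARAMETER plOk        AS LOGICAL   NO-UNDO.

    SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.   /* never inherit the previous request's user */
    plOk = FALSE.
    FIND ttContext WHERE ttContext.SessionId = pcSessionId NO-ERROR.
    IF NOT AVAILABLE ttContext THEN RETURN.
    CREATE CLIENT-PRINCIPAL phCP.
    plOk = phCP:IMPORT-PRINCIPAL(ttContext.rawCP) NO-ERROR.
    IF plOk THEN plOk = phCP:VALIDATE-SEAL(cDomainKey).
    IF plOk THEN plOk = (phCP:LOGIN-STATE = "LOGIN":U).
    IF plOk THEN plOk = SECURITY-POLICY:SET-CLIENT(phCP).
    IF NOT plOk THEN DO:
        DELETE OBJECT phCP NO-ERROR.
        phCP = ?.
    END.
END PROCEDURE.

/* End of every request: drop the per-request object WITHOUT logging out, so
   the login-session stays in context and no identity leaks into the next
   request this agent serves. */
PROCEDURE endRequest:
    DEFINE INPUT-OUTPUT PARAMETER phCP AS HANDLE NO-UNDO.
    SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.
    IF VALID-HANDLE(phCP) THEN DELETE OBJECT phCP NO-ERROR.
    phCP = ?.
END PROCEDURE.

/* Request: any application procedure. */
PROCEDURE AnyProcedure:
    DEFINE INPUT  PARAMETER pcSessionId AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER pcWhoAmI    AS CHARACTER NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE  NO-UNDO.
    DEFINE VARIABLE lOk AS LOGICAL NO-UNDO.
    RUN assertIdentity(pcSessionId, OUTPUT hCP, OUTPUT lOk).
    IF NOT lOk THEN RETURN ERROR "Not authenticated".
    pcWhoAmI = hCP:USER-ID + "@" + hCP:DOMAIN-NAME.   /* run-time permission checks use this id */
    RUN endRequest(INPUT-OUTPUT hCP).
END PROCEDURE.

/* Request: LogoutClient, the true end of the login-session. */
PROCEDURE LogoutClient:
    DEFINE INPUT PARAMETER pcSessionId AS CHARACTER NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE  NO-UNDO.
    DEFINE VARIABLE lOk AS LOGICAL NO-UNDO.
    RUN assertIdentity(pcSessionId, OUTPUT hCP, OUTPUT lOk).
    IF lOk THEN hCP:LOGOUT() NO-ERROR.             /* audited logout */
    FIND ttContext WHERE ttContext.SessionId = pcSessionId NO-ERROR.
    IF AVAILABLE ttContext THEN DELETE ttContext.   /* purge context */
    RUN endRequest(INPUT-OUTPUT hCP).
END PROCEDURE.

/* Three independent requests, as a client would issue them. */
RUN loadDomainRegistry.
RUN LoginClient("joshua", "s3cret", OUTPUT cSid).
RUN AnyProcedure(cSid, OUTPUT cWho).
MESSAGE "request ran as" cWho.                          /* joshua@Application */
RUN LogoutClient(cSid).
RUN AnyProcedure(cSid, OUTPUT cWho) NO-ERROR.
MESSAGE "after logout, rejected:" ERROR-STATUS:ERROR.   /* yes */
```

The security-relevant choices are in assertIdentity and endRequest: the session user-id is cleared at the start and end of every request, so a request that fails authentication, or the next request on the same agent, can never run under a leftover identity; the imported principal is accepted only if its seal validates against the locked registry and its state is still LOGIN; and the client is given nothing but the session-id, so a stolen session-id can be invalidated server-side by purging its context record.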
Enabling an Existing Application: steps to enable 10.1+ authentication features
1. Enable OpenEdge database 10.1+ features (for migrated databases):

       proutil dbname -C updateschema

2. Set database options
3. Create authentication system domains and domain types
Setting Database Options
Data Admin → Admin → Database Options
- Synchronize registries
- ABL run-time permission checking
Authentication System Domains and Types
Data Admin → Admin → Security → Authentication System Maintenance
In Summary
- Define your own trusted authentication systems
- No longer tied to _User
- Extensible user authentication provides core functionality
- OpenEdge 10.1+ gives you the tools to migrate now
For More Information, go to…
PSDN:
- Implementing the OpenEdge Reference Architecture: 8: Context Management
- OpenEdge Principals
Progress eLearning Community:
- What's New In OpenEdge 10.1: Auditing
Documentation:
- Core Business Services
Relevant Exchange Sessions
DB-8: Jump Starting Your OpenEdge Auditing Solution
DB-14: OpenEdge run-time database security revealed
ARCH-4: A Stateful Application in a Stateless World
Questions?

Thank you for your time