Authorization Example

Purpose

This example demonstrates how to:

  1. Use the authenticateUser event to perform additional authentication or authorization of a client before permitting access to a model. Even though a client can gain access to the Verastream server, you can further restrict access to a small number of users. This event handler will be called even when server security (client authentication) is disabled: you can use any method you like to authenticate clients.
  2. Use the client credentials (user name and password) to choose different credentials to be used to login to the host system or application.
  3. Restrict access to particular parts of the model, based upon the client. This example uses the client identity to permit or deny access to table procedures.

Implementation

The example uses the modelLoaded event to create two databases in the shared model hash map. The first, called authorizations, looks up client user names and passwords. Access to the model is permitted only if a matching user name and password are found. The second, called hostcredentials, contains a host user name and password for each client.

The credentials initially provided for in the example are:

 
Name Password Procedures Allowed
admin adminpass all
moe moepass all
larry larrypass GetAccount, GetTransactions
curly curlypass AccountSearch
guest guestpass none

The example uses the authenticateUser event to permit or deny access to the model. If the user can be authenticated, the event handler then checks to see whether or a different host user name or password should be used. If so, the user name and password model variables are set to those values before the session logs in to the host.

A ProcedureEventHandler uses the executeProcedure event to decide whether or not a client has access to a particular procedure. This event handler is attached to all table procedures which require access checks. Before the procedure is executed, this event handler compares the name of the procedure against a set of procedures which this client can call. If the access is permitted, the event handler uses the doDefaultProcedure method to call the procedure and return its results.

Finally, the modelUnloaded event is used to remove the databases stored in the shared model hash map when the server unloads the model.

Model Design

This example uses a variant of the CCSDemo sample model. Event handlers are attached to the LifeCycle event source and to each of the procedures.

Execution using the Design Tool

The event handlers can be called in the Design Tool by first using the Connection Events Test dialog to set the client user name and password, and then using the Procedure Test dialog to invoke the procedures. If you make changes to the password or authorization database, recompile the examples and reload the event handlers to use the new credentials.

Use the Event Handler Preferences dialog's Environment tab to set the client user name and password which will be used when the Design Tool first loads the model. If the user name and password are not accepted by the authenticateUser event handler, you will be warned that authentication failed when you first connect to the Host Emulator.

The Connection Events Test dialog is used to enter the client credentials and to simulate clients connecting to and disconnecting from the server. Use the Client user name and Client password controls to enter different client credentials, and then click one of the New Client buttons to simulate logging in to the model as that client. Unrecognized user names or passwords will generate a message stating that the user could not be authorized.

After entering some client credentials, use the Procedure Test dialog to find out which table procedures that client can access. The procedure test dialog already has representative parameter values filled in.

Execution using the Web Builder

Deploy the Authorization model to the development server. Be sure that server security is turned off unless the user names and passwords used for testing are also recognized by your login authentication system.

Use the Web Builder to create a procedure-based web application. Be sure to select the "Require username and password" option in the web application properties.

Run the web application. Enter some client credentials in the login screen. If the credentials are not valid (according to the authenticateUser event handler) client login attempt will be refused. If the login is successful, access to the different procedures will be allowed only if permitted by the procedure event handler.