Enabling user authentication and authorization [message #1855595]
Sat, 22 October 2022 10:42
J D Messages: 102 Registered: February 2021
Senior Member
Hi there everyone,
I want to enable user authentication and authorization in my Scout application, and I've been reading a lot of forum posts on this subject. However, I am still unclear about certain things.
My principal resource has been the old Minicrm permissions tutorial:
https://wiki.eclipse.org/Scout/Tutorial/5.0/Minicrm/Permissions
I've successfully created roles and permissions in my database behind a remote REST server. The tables are ready and populated. I now want to display a login screen to authenticate users against their existing profiles (name, password, role etc) but I cannot do that at all.
For example, I cannot find the config.ini file referred to in the post, so I cannot disable anonymous access. Does it still exist in Scout 22?
My understanding of the posts I read is this:
a) login screen is displayed if anonymous access is disabled
b) user authentication is done using the execLoadSession method of the ServerSession class, which for me should send the user credentials to the database for validation
c) user permissions are obtained using the execLoadPermissions method of the ServerAccessControlService class which for me will load the permissions from the remote REST server's database corresponding to the userId obtained in step (b) above
d) if (b) and (c) are OK, the application desktop is displayed, and the user can start using the application
In addition, I would rather not keep user passwords in a config.ini file even if those passwords are encrypted. There are several reasons for that but one of the main reasons is my user passwords have special characteristics (length, types of characters, expiry dates etc) and the backend database manages all that. The encrypted password is sent to the remote server and is never saved by the client.
Can anyone please help me out with these issues?
Cheers,
JD
Re: Enabling user authentication and authorization [message #1856392 is a reply to message #1855595]
Thu, 08 December 2022 11:38
User authentication is handled by a servlet filter in your *.ui.html module. It is automatically generated by the Scout archetype. You can enable various authenticators and set their order, or add your own authenticators. Every request to the UI server needs to pass this servlet filter. Either the request is already authenticated (and is then forwarded to the application), or one of several authentication methods is run (e.g. form-based login with username/password, single sign-on, or external authentication services).
If a request is successfully authenticated, it is passed to the application. If a Scout session already exists, the appropriate model code is called. Otherwise, a new session is created, which in turn loads information about the user and fills the list of permissions that are then checked at various points in the model code (using ACCESS.check() utilities) to hide elements or protect certain services. The list of permissions is collected by an AccessControlService in your *.shared module (also generated by the Scout archetype).
In short:
- User authentication = Who are you? = UiServletFilter + Authenticators
- User authorization = What are you allowed to do? = AccessControlService + Permissions
How you implement these things depends entirely on your project environment. The framework should be flexible enough to adjust to various setups, from small, single-user applications (username/password in the config.properties file) to large-scale enterprise applications (authentication handled by Active Directory).
Regards,
Beat
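An added example (not Beat's or the Scout project's code) of the "add your own authenticators" part of the answer above, addressing JD's wish not to keep passwords in config.properties: a credential verifier for the form-based login that checks username/password against the remote REST server instead. It assumes Scout's ICredentialVerifier contract (verify(String, char[]) returning the AUTH_* constants) and a hypothetical POST /auth/verify endpoint whose status codes carry the result; the endpoint, its JSON body and the package name are assumptions to adjust to your setup.

```java
// Added example: verify form-login credentials against a remote REST service
// instead of config.properties. ICredentialVerifier is Scout's interface; the
// package name is from recent Scout releases and may differ in your version.
// The /auth/verify endpoint and its JSON body are hypothetical.
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

import org.eclipse.scout.rt.platform.security.ICredentialVerifier;

public class RestCredentialVerifier implements ICredentialVerifier {

  // Hypothetical endpoint; HTTPS only, so the password is protected in transit
  // and is never stored on the UI server side.
  private static final URI VERIFY_URI = URI.create("https://auth.example.internal/auth/verify");

  private final HttpClient m_client = HttpClient.newBuilder()
      .connectTimeout(Duration.ofSeconds(5))
      .build();

  @Override
  public int verify(String username, char[] password) throws IOException {
    if (username == null || username.isBlank() || password == null || password.length == 0) {
      return AUTH_CREDENTIALS_REQUIRED; // let the login form ask again
    }
    // Minimal JSON escaping so a crafted username cannot break out of the string;
    // prefer a real JSON library in production code.
    String body = "{\"username\":\"" + escape(username)
        + "\",\"password\":\"" + escape(new String(password)) + "\"}";
    HttpRequest req = HttpRequest.newBuilder(VERIFY_URI)
        .timeout(Duration.ofSeconds(10))
        .header("Content-Type", "application/json")
        .POST(HttpRequest.BodyPublishers.ofString(body, StandardCharsets.UTF_8))
        .build();
    try {
      HttpResponse<Void> resp = m_client.send(req, HttpResponse.BodyHandlers.discarding());
      switch (resp.statusCode()) {
        case 200: return AUTH_OK;        // backend accepted the credentials
        case 403: return AUTH_FORBIDDEN; // account locked or password expired
        default:  return AUTH_FAILED;    // wrong password, unknown user, or server error
      }
    }
    catch (InterruptedException e) {
      Thread.currentThread().interrupt();
      return AUTH_FAILED; // fail closed if the check was interrupted
    }
  }

  private static String escape(String s) {
    return s.replace("\\", "\\\\").replace("\"", "\\\"");
  }
}
```

In the generated UiServletFilter this replaces ConfigFileCredentialVerifier via `new FormBasedAuthConfig().withCredentialVerifier(BEANS.get(RestCredentialVerifier.class))`; treat every non-200 answer as a failed login so an unreachable backend never grants access.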