Runtime Security Authentication

 


Runtime Authentication

Authentication is the process of verifying that a user can access the system. The end result of the authentication process is an accepted userid. Optionally, additional information about the user, e.g. roles and credentials, can also be extracted at this point. This additional information can be accessed later when the user is running applications, e.g. to obtain an email address, to check a security authorization or to determine whether the user is eligible for workflow tasks.

 

Implementation options

Ebase Xi contains a number of options for implementing runtime authentication:

 

· Using the Logon Service. This is the recommended technique: it is the easiest to implement and offers the most flexibility. The Logon Service is a System Service (a special type of Integration Service) supplied with the system that can be customized to meet your requirements using standard Ebase scripts. The Logon Service is responsible for checking that a user is valid (e.g. by checking a userid/password) and for extracting any additional roles and credentials that are required. The Logon Service can be invoked automatically when a new session connects, or it can be invoked programmatically at any time, e.g. when a user attempts to access a restricted service. For details, see the topics below:

  o Implementing a Logon Service

  o Invoking the Logon Service when a user first connects (using the XILogonExit logon exit program)

  o Invoking the Logon Service programmatically from a script

· Other logon exits. A logon exit is a pluggable Java component which is invoked automatically when runtime security is enabled and a user first connects. If the supplied logon exits do not provide the required functionality, it is possible to write your own Java implementation.

  o EbaseLogonExit: deprecated since the introduction of XILogonExit

  o Writing a logon exit

 

Use of application server security

The application server, e.g. Tomcat, can be configured to use the Windows domain user from each client. When this is done, the Ebase system uses this userid automatically and no additional configuration is required. If there is also a requirement to extract role and credential information for each user as they connect, this can be done by invoking the Logon Service via the XILogonExit as described above. In this scenario, the Logon Service does not need to authenticate the user; it just performs a lookup against Active Directory using the userid. Sample code to do this is shown in the Logon Service documentation.