Often it is necessary to return from the RPC method only those data to which the user calling the RPC method has authorization. Sending a userName of the current user as a parameter of the RPC method is not a sufficient security measure because the SmartWeb architecture cannot prevent the logged in user to call the allowed RPC method with any parameters. This means that the user could identify through the userName parameter as someone else. That is why it is necessary to identify the calling user in particular ways described below.
The Smart Web supports authentication through D2000 users or through applicatively defined users in which case the SmartWeb server realizes the authentication through calling defined authentication RPC method.
Identification of D2000 User in RPC Method
In the case that the Smart Web application realizes the authentication through D2000 users, it is possible to call the GetUserObjName function in any RPC method that will return the userName of currently logged in user.
Identification of Applicatively Defined User in RPC Method
In the case of applicatively defined users, the process is more complicated and requires creating of a data container through the CNT_CREATE method where the key to container values will be the HOBJ of the logged in session and the value to the key userName. The container will be filled with calling CNT_INSERT in the so-called logon method which will be called by SmartWeb in every successful login. Acquiring a user name is then realized through calling CNT_GETITEM in the RPC method. A sample implementation of this functionality is presented below. RPC methods that need to identify a logged in user only have to call the method getCurrentUserName
.
INT _CNT_sessions ; container of all active sessions of all users ; method is registered in Smart Web application as "logOn" method, ; which is called after every successful authentication RPC PROCEDURE logOn(IN TEXT _UserName, BOOL _Ok) INT _hobj_session BOOL _bFound _Ok := @TRUE _hobj_session := %GetRPCCallerProcess() ; control of session existence, cannot exist, opposite state is error CNT_FIND _CNT_sessions, _hobj_session, _UserName, _bFound IF _bFound THEN LOGEX "ERR: same SESSION of user already exists: " + %IToStr(_hobj_session) PRIORITY _LOG_PRTY_ERROR _Ok := @FALSE RETURN ENDIF ; registration of calling method onSessionClosed in "session change", ; meaning either standard logout or any other session ending _Ok := %OpenRefToObject(_hobj_session, @TRUE) IF !_Ok THEN LOGEX "ERR: unknown SESSION for opening: " + %IToStr(_hobj_session) PRIORITY _LOG_PRTY_ERROR RETURN ENDIF ON CHANGE (_hobj_session) GOTO onSessionClosed ; inserting of mapping "session HOBJ -> user name" inot container CNT_INSERT _CNT_sessions, _hobj_session, _UserName END logOn ; ended user session (by logout or by other ending of user session) PROCEDURE onSessionClosed(IN INT _procValue, IN ALIAS _hobj, IN INT _row, _col) BOOL _bFound INT _hobj_session TEXT _userName _hobj_session := _hobj\HBJ CNT_FIND _CNT_sessions, _hobj_session, _userName, _bFound IF ! _bFound THEN LOGEX "ERR: unknown SESSION was ended " + %IToStr(_hobj_session) PRIORITY _LOG_PRTY_ERROR RETURN ENDIF CNT_DELETE _CNT_sessions, _hobj_session %CloseRefToObject(_hobj_session) ON CHANGE (_hobj_session) GOTO onSessionClosed NONE END onSessionClosed ; RPC method returns name of currently logged in user RPC PROCEDURE getCurrentUserName(TEXT _userName) INT _hobj_session BOOL _bFound _hobj_session := %GetRPCCallerProcess() CNT_FIND _CNT_sessions, _hobj_session, _userName, _bFound IF ! _bFound THEN LOGEX "ERR: unknown SESSION was ended " + %IToStr(_hobj_session) PRIORITY _LOG_PRTY_ERROR RETURN ENDIF END getCurrentUserName BEGIN CNT_CREATE _CNT_sessions END
0 komentárov