W
wood
Guest
There are basically two approaches, depending on where you are enforcing security and the need to have a Single-Sign -On solution. The 'easiest' way to simply assert tenancy when you need it. The application must be working as a SUPER-TENANT, but if that is the case you can use the SET-EFFECTIVE-TENANT("tenantname") when necessary. (or use the TENANT-WHERE clause). For WebSpeed this might be sufficient. The WebSpeed agents would be super-tenants, and you would at the start of every http request figure out the relevant tenant and set the effective tenancy. If you want to have a full Single-Sign-On between an ABL client and an AppServer, you need to basically have the SET-DB-CLIENT(handleToCP) when you start processing a request. In a Stateless AppServer, you would need to have a mechanism to persist the client-principal once you have created it. One typcial way to do this is to have a sessionID that lets you recover a previously created and sericalized Client-Principal (C-P) object. - At some point (e.g. Connection.p) create and seal the C-P object, and export it to a safe store (file or db) under the session:context-Id. - on each appserver call (activate.p), use the session:context-id to find and import the C-P. - use SET-DB-CLIENT(hCP) to assert tenancy. There are some options. I found a PUG Challenge presentation by BravePoint that I may help explain this: pugchallenge.org/.../CPObjectPUG1.pdf
Continue reading...
Continue reading...