egarcia
Guest
The Progress Application Server and the classic AppServer both support user roles, where a role controls the amount of access a given group of users has. All authorization in an Application Server is role-based; access privileges cannot be granted on a user-by-user basis, so user accounts are granted permissions according to their assigned roles. Starting in version 2.1, the Kendo UI Builder tool also supports user roles. To take advantage of this functionality, the web application developer must obtain the user role information for the logged-in user from the server and then set the allowed user roles for that user in the KUIB app. Use the approach in this article to add user role support to your web application.

Developing your web application

When developing a web app, a set of client user roles can be defined on the application. The intent is that at run time, only users assigned to at least one of these user roles will be allowed to access the application. User access can be further refined by specifying user roles for the modules within the application; the user roles for an individual module are selected from the set of user roles specified for the application. A further refinement is possible for individual views: when a new view is added to a module, its user roles can be selected from its parent module's user roles.
Example user roles for the application: ManagerRole, UserRole, AdminRole, AccountingRole

Example user roles for modules in the application:
    Accounting Module allows user roles: AccountingRole
    General Module allows user roles: ManagerRole, UserRole, AdminRole, AccountingRole
    Admin Module allows user roles: ManagerRole, AdminRole

Example user roles for views in the General Module:
    Public View allows user roles: ManagerRole, UserRole, AdminRole, AccountingRole
    Semi Private View allows user roles: ManagerRole, AdminRole
    Private View allows user roles: ManagerRole

Running your web application

When a user successfully logs into a web application, they are only shown a module if their user account is assigned to at least one of the user roles defined for that module. Within those accessible modules, the user is allowed to display a view only if their account is assigned to one or more of the user roles defined for that view.

Suggested Approach

The web app must perform the following actions to work with user roles:
    1. Get the allowed user roles for the logged-in user from the server.
    2. Set those roles in the app.

The getUserRolesFromServer() API in Kendo UI Builder can be used to perform these two actions with a single call. Internally, this API calls a custom invoke operation set up by the developer. Example:

    return this.progressDataService.getUserRolesFromServer({
        resource: 'UserContext',
        method: 'GetRoles',
        inParam: { clientID: 'MyApp' },
        outParam: 'allowedRoles'
    });

In this example, the UserContext resource corresponds to a Business Entity UserContext.cls with a method called GetRoles(). The inParam property specifies the values of the parameters passed to the method as an invoke operation. The outParam property gives the name of the property in the response that contains the user roles. The invoke operation should return a list of the allowed client user roles for the current user.
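The following JavaScript is an added example, not Kendo UI Builder code, that models the three-level check described above: a user must hold an app-level role to get in at all, sees a module only when holding one of its roles, and sees a view only when holding one of that view's roles. The configuration object reproduces the example role layout from this article; the function names (hasAnyRole, validateConfig, resolveAccess) are constructed for the example. validateConfig also enforces the refinement rule that module roles must be drawn from the app's roles and view roles from the parent module's roles, so a misconfigured role set is caught before it silently grants or denies access.

```javascript
// Constructed configuration mirroring the article's example role hierarchy.
const appConfig = {
  roles: ['ManagerRole', 'UserRole', 'AdminRole', 'AccountingRole'],
  modules: {
    Accounting: { roles: ['AccountingRole'], views: {} },
    General: {
      roles: ['ManagerRole', 'UserRole', 'AdminRole', 'AccountingRole'],
      views: {
        'Public View': ['ManagerRole', 'UserRole', 'AdminRole', 'AccountingRole'],
        'Semi Private View': ['ManagerRole', 'AdminRole'],
        'Private View': ['ManagerRole'],
      },
    },
    Admin: { roles: ['ManagerRole', 'AdminRole'], views: {} },
  },
};

// True when at least one of the user's roles appears in the allowed list.
function hasAnyRole(userRoles, allowedRoles) {
  return allowedRoles.some((r) => userRoles.includes(r));
}

// Checks the refinement rule: module roles must come from the app's roles and
// view roles from the parent module's roles. Returns a list of violations
// (empty when the configuration is consistent).
function validateConfig(config) {
  const problems = [];
  for (const [modName, mod] of Object.entries(config.modules)) {
    for (const r of mod.roles) {
      if (!config.roles.includes(r)) {
        problems.push(`module ${modName}: role ${r} is not an app role`);
      }
    }
    for (const [viewName, viewRoles] of Object.entries(mod.views)) {
      for (const r of viewRoles) {
        if (!mod.roles.includes(r)) {
          problems.push(`view ${viewName}: role ${r} is not a ${modName} module role`);
        }
      }
    }
  }
  return problems;
}

// Returns the modules and, per module, the views a user with the given roles
// may display. A user holding no app-level role is denied everything.
function resolveAccess(config, userRoles) {
  const result = { modules: [], views: {} };
  if (!hasAnyRole(userRoles, config.roles)) return result;
  for (const [modName, mod] of Object.entries(config.modules)) {
    if (!hasAnyRole(userRoles, mod.roles)) continue; // module hidden
    result.modules.push(modName);
    result.views[modName] = Object.entries(mod.views)
      .filter(([, viewRoles]) => hasAnyRole(userRoles, viewRoles))
      .map(([viewName]) => viewName);
  }
  return result;
}

// Usage: an AccountingRole user sees Accounting and General, but only the Public View.
console.log(validateConfig(appConfig));
console.log(resolveAccess(appConfig, ['AccountingRole']));
console.log(resolveAccess(appConfig, ['ManagerRole']));
```

Running validateConfig at build time is worth the few lines: the KUIB designer only offers a subset of the parent's roles, but a role list edited by hand can drift, and a module role absent from the app roles can never match any admitted user.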
NOTE: For security purposes, it is highly recommended that the server code never return the server user role names; it should return the corresponding client user role names instead.

How to Configure the OpenEdge Service

Create a Business Entity that will be used to provide the invoke operation. The invoke method returns the user role information, which it obtains by querying the roles attribute of the Client-Principal. In order to obtain role information from the Client-Principal, the service must be configured to use authentication.

How to Configure the Service to use authentication

To enable FORM-based authentication in PASOE, edit the oeablSecurity.properties file and set the client.login.model property to "form":

    #client.login.model=anonymous
    client.login.model=form

The user setup and the users' roles can be found in the users.properties file. The users.properties file that ships with PASOE includes the following users and roles, among others:

    User        Roles
    restuser    ROLE_PSCUser
    restadmin   ROLE_PSCUser,ROLE_PSCAdmin

Note: The example invoke method below uses these server roles when mapping them to the client user roles expected by the KUIB app.

Example Invoke Method: GetRoleInfo()

The method (defined as GetRoles() in the code below, matching the method name used in the client call) accepts a string with an ID identifying the client app. It returns an array of strings representing the list of client roles available for the current user. It assumes the backend user role setup specified in the table above. This method is an example and must be updated to include the user roles supported by the service it belongs to, as well as the user role names expected by the client app.

    @openapi.openedge.export(type="REST", useReturnValue="false", writeDataSetBeforeImage="false").
    @progress.service.resourceMapping(type="REST", operation="invoke", URI="/GetRoles", alias="", mediaType="application/json").
    method public void GetRoles(input clientID as character, output allowedRoles as character extent):
        define variable i    as integer   no-undo.
        define variable role as character no-undo.
        define variable hCP  as handle    no-undo.

        /* Only serve the client app this operation was written for. */
        if clientID <> "MyApp" then do:
            return error "Unexpected clientID".
        end.

        /* The Client-Principal of the current request carries the authenticated
           user's server roles as a comma-separated list in its roles attribute. */
        hCP = session:current-request-info:GetClientPrincipal() no-error.

        if hCP <> ? then do:
            extent(allowedRoles) = num-entries(hCP:roles).
            do i = 1 to num-entries(hCP:roles):
                /* Map each server role to its client role name; the server
                   role name itself is never returned to the client. */
                case entry(i, hCP:roles):
                    when "ROLE_PSCAdmin" then role = "AdminRole".
                    when "ROLE_PSCUser"  then role = "UserRole".
                    otherwise role = "".
                end case.
                allowedRoles[i] = role.
            end.
        end.
        else do:
            /* No Client-Principal (unauthenticated request): return one empty entry. */
            extent(allowedRoles) = 1.
        end.
    end method.

How to Configure the KUIB App

The user roles need to be added to the web app at the app level and, if appropriate, at the module and view levels. In the application module's login view, the controller.public.js file contains a default onLogin() method. This method is called after the user has logged into the application, and it needs to be updated to set the user roles for the current user.

Changes to application\login\controller.public.js:

    onLogin() {
        return this.progressDataService.getUserRolesFromServer({
            resource: 'UserContext',
            method: 'GetRoles',
            inParam: { clientID: 'MyApp' },
            outParam: 'allowedRoles'
        });
    }
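The following JavaScript is an added example, not Progress code, that models the mapping the GetRoles() invoke method performs so it can be exercised outside PASOE: the comma-separated roles attribute of a Client-Principal is translated to client role names using the ROLE_PSCUser / ROLE_PSCAdmin entries from users.properties, unknown server roles are dropped rather than passed through, and a request with an unexpected clientID is rejected. The mapping table, the clientID constant and the function names (parseClientPrincipalRoles, getRoles, leaksServerRoleNames) are constructed for the example; it returns an empty list for an unauthenticated request where the ABL example returns a single empty entry.

```javascript
// Constructed mapping: server role name -> client role name. The server names
// must never appear in the response, so everything passes through this table.
const SERVER_TO_CLIENT_ROLE = {
  ROLE_PSCUser: 'UserRole',
  ROLE_PSCAdmin: 'AdminRole',
};

// The client app this operation serves (same value the KUIB app sends as clientID).
const EXPECTED_CLIENT_ID = 'MyApp';

// Splits a Client-Principal roles attribute such as "ROLE_PSCUser,ROLE_PSCAdmin".
function parseClientPrincipalRoles(rolesAttr) {
  if (!rolesAttr) return [];
  return rolesAttr.split(',').map((r) => r.trim()).filter((r) => r.length > 0);
}

// Returns the client roles for the request, or throws for an unexpected clientID.
// `principalRoles` is the roles attribute string, or null when the request
// carries no Client-Principal (no authenticated user).
function getRoles(clientID, principalRoles) {
  if (clientID !== EXPECTED_CLIENT_ID) throw new Error('Unexpected clientID');
  if (principalRoles === null) return []; // unauthenticated: grant nothing
  const allowed = [];
  for (const serverRole of parseClientPrincipalRoles(principalRoles)) {
    const clientRole = SERVER_TO_CLIENT_ROLE[serverRole];
    // Unmapped server roles are dropped; duplicates are collapsed.
    if (clientRole !== undefined && !allowed.includes(clientRole)) allowed.push(clientRole);
  }
  return allowed;
}

// Response guard: true if any server role name slipped into the client role list.
function leaksServerRoleNames(clientRoles) {
  return clientRoles.some((r) => Object.prototype.hasOwnProperty.call(SERVER_TO_CLIENT_ROLE, r));
}

// Usage with the restadmin roles from users.properties (constructed input).
const roles = getRoles('MyApp', 'ROLE_PSCUser,ROLE_PSCAdmin');
console.log(roles, 'leak:', leaksServerRoleNames(roles));
```

Keeping the table as the only path from server names to client names is what makes the NOTE above enforceable: a role that is not in the table cannot reach the client, and leaksServerRoleNames is a cheap final check before the response is serialised.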