PROBLEM
Web applications may provide services that need to be protected. To access protected services, a web application needs to verify the identity of the end-user.
SOLUTION
Authentication is the process of determining the identity of an end-user using authentication factors. For web applications authentication is typically done using a login process. Using a login form the end-user provides some credentials, such as a user name and password (two-factor authentication). The credentials are verified against a directory service, like LDAP. If the credentials are verified, the end-user is considered authenticated.
HOW IT WORKS
Skyway Builder Standard Edition enables developers to easily add security to an application. Security is implemented using Spring's security module, appropriately named Spring Security.
Securing Project Resources
From the Enterprise Configuration tab on the Project Editor (Skyway Builder Standard Edition) a developer can configure the URL patterns, services and data access objects that must be secured. At runtime, whenever a requested URL matches one of the configured URL patterns, runtime components verify if a user has been authenticated, and if not, forwards the request to a view to collect the user's credentials. Once the user has been authenticated, it proceeds to the original URL.
The views used for security functions, which are implemented as JSPs, can be customized or replaced altogether. The security functions for which views can be configured include login, logout, and access denied.
- Skyway security allows out-of-the-box configuration of the two most common security information providers: database and LDAP. In addition, it lets developers plug other security providers included in Spring Security, or their own custom providers by implementing a single method.
Securing Services
Skyway operations can be invoked externally as Web services or native operations. External invocations on operations of a secured service are intercepted to ensure that the request contains authenticated credentials. If it does, the request is allowed to reach the operation. The authenticated credentials are propagated transparently to external invocations during the operations execution chain within the same project. It is important to note that a service is secured only for external invocation; operation invocations within a project are not intercepted, since it's assumed that the developer secured the entry point.
RELATED RECIPES