Authentication via database table

#1

Postby RobD » Tue Feb 12, 2013 12:20 am

I've read through the help and some forum topics trying to find information on this but no luck so far (at least not that I understand).

What I want to do is authenticate users by checking a username and password entered in a form against records in a database table, then if they are authenticated, display menus/forms etc depending on roles they have (also in another database table).

Is this possible, and if so can someone give me a practical example (the DB is MySQL)?
0 x


#2

Postby Wai » Thu Feb 14, 2013 10:27 am

The Ebase Xi security model enables you to do this. It's quite a large topic but the authentication process can be broken down as follows:

1. Request for a form is made through the browser
2. Check whether authentication is required
3. If yes, the logon web service logic is called and executed
4. User is authenticated and forwarded to the requested form
5. The security subject in the session now holds info about the logged in user which you can query

The following example code shows how you can do this using Server-side JavaScript:

1. On the before-form event you can have a script which checks if the user is logged on, if not redirect to logon page:

Code:

if (!system.securityManager.isUserLoggedOn()){
  form.gotoForm("LOGON");
}

2. The following example code shows how to call the logon web service using the server-side JavaScript API:

Code:

try {
  system.securityManager.logon( [
    ["APP_NAME", fields.USER_ID.value],
    ["APP_NAME", fields.PASSWORD.value]
  ] );

  form.gotoForm("MY_HOME");
}
catch (e) {
  // Display error message
  event.owner.addErrorMessage("1022", null);
}

The APP_NAME is optional. You can leave the quotes blank. It's useful if you want to define separate security logic for multiple applications.

3. The above call will execute the system web service LOGON_SERVICE, which will run the script LOGON_SERVICE_LOGIC.

It's up to you to define what needs to happen in this script, and in this case you will do a database table lookup with the passed in user id and password. For example:

Code:

if (fields.PARAM1_SOURCE.value == "APP_NAME")
{
  try {
    // Copy the passed-in credentials into the fields used by the USERS lookup
    fields.USER_ID.value = fields.PARAM1_VALUE.value;
    fields.PASSWORD.value = fields.PARAM2_VALUE.value;
    tables.USERS.fetchTable();

    if (tables.USERS.rowCount > 0) {
      // A matching row was found: return the USERID so the logon succeeds
      fields.USERID.value = fields.USER_ID.value;

      // Return an Ebase role
      tables.ebaseRoles.insertRow();
      tables.ebaseRoles.ROLEID.value = "SUPER_USER";
      tables.ebaseRoles.updateTable();

      // Return the custom role held in the USERS row
      tables.customRoles.insertRow();
      tables.customRoles.ROLEID.value = tables.USERS.ROLE.value;
      tables.customRoles.updateTable();
    }
    // exit
  }
  catch (e) {
    // No USERID is returned, so the logon fails
    fields.USERID.value = null;
    fields.ERRORCODE.value = "999991";
    fields.ERRORDESCRIPTION.value = e;
  }
}

As a minimum, the authentication web service needs to return a USERID for the login to be successful. In the above example we also return an Ebase role and a Custom role. The custom role in this example is coming back from the same Users table, but you could have done another Roles table fetch to bring those back. You can also set user credentials (key/value).

5. Back in your form, you can query the user role:

Code:

if ( system.securityManager.hasRole("Admin") ){
  controls.ADMIN_MENU.show();
}
else{
  controls.ADMIN_MENU.hide();
}

Hope that helps.
0 x
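
Added example, not part of the original post and not Verj.io's own code: step 3 fetches the USERS row using the submitted user id and password, and this sketch shows the same check against a table that stores a per-user salt and scrypt hash instead of a directly matchable password. It runs under Node.js; `USERS`, `hashPassword` and `authenticate` are hypothetical names, `node:crypto` is an assumed stand-in for whatever hashing facility the server-side scripting environment provides, and the sample rows are constructed.

```javascript
// Assumption: Node.js runtime; node:crypto stands in for the platform's hashing API.
const crypto = require("node:crypto");

// Derive a 32-byte scrypt key from the password with a random per-user salt.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const hash = crypto.scryptSync(String(password), salt, 32);
  return { salt: salt.toString("hex"), hash: hash.toString("hex") };
}

// Constructed stand-in for the USERS table: salt, hash and role, no plaintext.
const USERS = new Map([
  ["rob", { ...hashPassword("correct horse battery"), role: "Admin" }],
  ["sam", { ...hashPassword("tr0ub4dor&3"), role: "Clerk" }],
]);

// Used when the user id is unknown, so a miss costs the same work as a hit.
const DUMMY = hashPassword("dummy-password");

// Mirrors the logon service contract from the post: USERID is set only on success.
function authenticate(userId, password) {
  // Fetch by user id only; the password never appears in the lookup itself.
  const row = USERS.get(userId);
  const rec = row || DUMMY;
  const candidate = crypto.scryptSync(String(password), Buffer.from(rec.salt, "hex"), 32);
  // Constant-time comparison of the derived key with the stored hash.
  const match = crypto.timingSafeEqual(candidate, Buffer.from(rec.hash, "hex"));
  if (!row || !match) {
    // Same result for unknown user and wrong password: no account enumeration.
    return { USERID: null, ERRORCODE: "999991", roles: [] };
  }
  return { USERID: userId, ERRORCODE: null, roles: [row.role] };
}
```
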

