In part one of our look at security on OpenEdge Mobile we focused on making the client-side secure. As promised, in this short blog, we’ll take a deeper dive into the server-side of OpenEdge Mobile.
First of all, let’s briefly review the architecture of OpenEdge Mobile:
On the Web Server Tier, OpenEdge provides application security templates which the application developers and production admins can customize to protect resources (a.k.a. Mobile Web Applications, see Figure 1 above). Mobile Web Apps are protected via similar mechanisms. The templates configure the industry standard Spring Security Version 3.1 framework which is co-packaged with the OpenEdge application to manage security for the mobile application’s REST resources.
Spring security is a comprehensive, peer-reviewed framework and having it tightly integrated with the OpenEdge platform is a huge benefit for system architects and developers. No longer do architects and developers need to develop “home grown” solutions to provide authentication and authorization, as they can now fully leverage the respected and well documented Spring framework for their security needs. The Spring templates are located in the WEB-INF directory of an OpenEdge project in Progress Developer Studio for OpenEdge.
Here’s a snippet of the web.xml file contained in the WEB-INF directory:
Note that we’ve enabled an authentication model of “anonymous” here. Let’s drill down one level to explore appSecurity-anonymous.xml:
REST Manager (or ‘RESTMAN’) is an administration utility for managing the lifecycle of mobile applications. We’ll make ‘RESTMAN’ the topic of a future blog. Let’s move down the file….
Moving down the file further, we can see how we can evaluate access to protected resources:
This has been a very brief tour of server-side security in OpenEdge 11.2. As previously mentioned, in a future post we’ll dissect some of the capabilities outlined above, e.g. the ‘RESTMAN’ utility. We’ll also explore how OpenEdge enables Single-Sign-On across the end-to-end platform for secure access to protected resources.
Gary is responsible for developing go-to-market strategies, providing technical marketing support and developing best practice materials for the Rollbase aPaaS platform.
Copyright © 2018 Progress Software Corporation and/or its subsidiaries or affiliates.
All Rights Reserved.
Progress, Telerik, and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks for appropriate markings.