Coding with Identity Management & Security Part 2 of Identity Management with OpenEdge Peter Judge OpenEdge Development

Slides:



Advertisements
Similar presentations
Server Access The REST of the Story David Cleary
Advertisements

Client Principal in the wild
Strength. Strategy. Stability. The Application Profiler.
TDPS Wireless v Enhancements E1 - Multi load E2 - Driver time scheduler.
REST support for B2B access to your AppServer PUG Challenge Americas Michael Jacobs : Senior Software Architect Edsel Garcia : Principal Software.
OpenEdge BPM What’s Coming in 11.3 Michael Banks Suresh Inavolu.
DEV-13: You've Got a Problem, Here’s How to Find It
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
J4www/jea Week 3 Version Slide edits: nas1 Format of lecture: Assignment context: CRUD - “update details” JSP models.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
ASP.NET Programming with C# and SQL Server First Edition
Working with SQL and PL/SQL/ Session 1 / 1 of 27 SQL Server Architecture.
Authenticating REST/Mobile clients using LDAP and OERealm
DEV-14: Understanding and Programming for the AppServer™
Performance testing of Progress Appservers and a plug-in for Jmeter
©2011 Quest Software, Inc. All rights reserved. Steve Walch, Senior Product Manager Blog: November, 2011 Partner Training Webcast.
The Easiest Way to Write Web Applications Jordi Sastre IT Architect, PSC May 2012.
Web Development Challenges and How They are Solved in ps:eScript Matt Verrinder Progress Software UK Internet & Integration Technologies.
DB-19: OpenEdge® Authentication Without the _User Table
Identity Management Basics Part 1 of Identity Management with OpenEdge Peter Judge OpenEdge Development
10/26/00Splitting Access Databases...1 Preparing for Access 2000 Windows 2000/Office 2000 Roll-out.
DONE-10: Adminserver Survival Tips Brian Bowman Product Manager, Data Management Group.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
MOVE-14: Migrating Your 4GL Authentication System to OpenEdge® 10
MultiTenancy - an Introduction for Techies Timothy D. Kuehn Senior OpenEdge Consultant TDK Consulting Services Inc
MOVE-9: Audit enable your Application the Easy Way Anthony D Swindells Engineering Fellow.
Developing Applications for SSO Justen Stepka Authentisoft, LLC
ARCH-03: Implementing the OpenEdge™ Reference Architecture – Part 1 John Sadd Progress Fellow and OpenEdge Evangelist.
DEV-5: Introduction to WebSpeed ® Stephen Ferguson Sr. Training Program Manager.
© 2007 by Prentice Hall 1 Introduction to databases.
Secure Credential Manager Claes Nilsson - Sony Ericsson
Exceptions Handling Exceptionally Sticky Problems.
DEV-09: User Authentication in an OpenEdge™ 10.1 Distributed Computing Environment Michael Jacobs Development Architect.
DEV-01 What’s New in Progress Dynamics ® Anthony Swindells Progress Fellow.
Stop! Don’t throw away that ADM2 code just yet… Jeff Ledbetter Product Architect, Roundtable Software.
Windows Role-Based Access Control Longhorn Update
ARCH-07: Implementing the OpenEdge™ Reference Architecture – Part 2
ARCH-7: A Class-Based Implementation of the OpenEdge® Reference Architecture John Sadd Fellow and OpenEdge Evangelist Applied Technology.
ARCH-11: Building your Presentation with Classes John Sadd Fellow and OpenEdge Evangelist Sasha Kraljevic Principal TSE.
Progress Software Identity Management 101 Sarah Marshall OpenEdge QA Architect May 2012.
How to Build an IT Portal with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id:
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
WEB SERVER SOFTWARE FEATURE SETS
A7: Architecting Your Application in OpenEdge ® 10 Mike Ormerod Applied Architect.
DEV-5: Using ProDataSets™ in OpenEdge ® 10 Cheryl LaBarge Product Readiness.
DEV-8: AppServer ™ Mode Case Studies Simon Epps Solutions Engineer.
ARCH-5: Service Interfaces in Practice Christian Stiller Technical Architect.
ASSIGNMENT 2 Salim Malakouti. Ticketing Website  User submits tickets  Admins answer tickets or take appropriate actions.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
Copyright 2007, Information Builders. Slide 1 iWay Web Services and WebFOCUS Consumption Michael Florkowski Information Builders.
Slide 1 © 2016, Lera Technologies. All Rights Reserved. Oracle Data Integrator By Lera Technologies.
19 Copyright © 2008, Oracle. All rights reserved. Security.
ArcGIS for Server Security: Advanced
Platform and Data Migration With Little Downtime
562: Power of Single Sign-On in OpenEdge
Chapter One: Mastering the Basics of Security
Configuring Windows Firewall with Advanced Security
Handling Exceptionally Sticky Problems
DEV-25: You've Got a Problem, Here’s How to Find It
Mike Furgal Director – DB and Pro2 Services March 20th, 2017
COMP-10: Managing OpenEdge® Development with the Roundtable® TSMS
ARCH-1: Application Architecture made Simple
Handling Exceptionally Sticky Problems
Preventing Privilege Escalation
Instructor Materials Chapter 5: Ensuring Integrity
Presentation transcript:

Coding with Identity Management & Security Part 2 of Identity Management with OpenEdge Peter Judge OpenEdge Development

© 2012 Progress Software Corporation. All rights reserved. 2 What is Identity Management? It’s about protecting your business data by  Controlling and verifying who accesses your data  Controlling what they can do with your data  Reviewing what they did with your data  Maintaining information about your users You make security decisions on behalf of your customers … understand the maximum loss they might suffer

© 2012 Progress Software Corporation. All rights reserved. 3 It’s about protecting your business data by  Controlling and verifying who accesses your data  Controlling what they can do with your data  Reviewing what they did with your data  Maintaining information about your users What is Identity Management? Authorisation Auditing Administration Authentication

© 2012 Progress Software Corporation. All rights reserved. 4 Getting a Passport application forms passport my permanent record

© 2012 Progress Software Corporation. All rights reserved. 5 Using a Passport conferencevisa & entry stamp passport 12 3

© 2012 Progress Software Corporation. All rights reserved. 6 my permanent record Application Architecture passport Authentication system Domains Security token User interface application forms Claims / Assertions Security Token Service

© 2012 Progress Software Corporation. All rights reserved. 7 Application Architecture conference Auditing Application business logic User interfaceSecurity tokenAuthentication Domains Authorisation

© 2012 Progress Software Corporation. All rights reserved. 8 Authorisation: Defence in Depth Firewalls, SSH/TLS Service name SESSION:EXPORT Operation name Roles Multi-tenancy CAN-* Login, ACL, SELinux Doors, locks, guards Physical Security AVM Operating System Network AppServer Activate Procedure Service Interface Business Logic

© 2012 Progress Software Corporation. All rights reserved. 9 If When Authorisation Fails  Record  Rewind Deeper you are in the stack, the harder it is to unwind Deeper you are in the stack, the less info you have  Return Nondescript error messages undo, throw new AppError( substitute("User &1 not authorised for service &2", phCP:qualified-user-id, pcServiceName)). undo, throw new AppError( "User not authorised for service").

© 2012 Progress Software Corporation. All rights reserved. 10 Roles & Responsibilities AnonymousCustomerEmployeeSystem See catalogueXXX Modify catalogueX Update shopping cartXX Add usersX Dump & load dataX Provision servicesX Level of trust

© 2012 Progress Software Corporation. All rights reserved. 11 _File Operations find _File where _File-Name eq "Customer" _Desc : "Customer master data" _Can-Create : _Can-Write : _Can-Delete : _Can-Read : "*" find _File where _File-Name eq "Order" _Desc : "Order header data" _Can-Create : "*" _Can-Write : "*" _Can-Delete : "*" _Can-Read : "*" find _File where _File-Name eq "ApplicationUser" _Desc : "Application login data" _Can-Create : _Can-Write : _Can-Delete : _Can-Read :

© 2012 Progress Software Corporation. All rights reserved. 12 What Are Domains?  A group of users with a common set of Roles and responsibilities Level of security Data access privileges  Configured in db meta- schema Authentication systems Tenants _sec-authentication-domain _Domain-name _Domain-type _Domain-description _Domain-access-code _Domain-runtime-options _Tenant-name _Domain-enabled A+11.1+

© 2012 Progress Software Corporation. All rights reserved. 13 Per-role Domains Customer create _sec-authentication-domain. _Domain-name = 'customer'. _Domain-type = 'TABLE-ApplicationUser'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4CUSTOMER'). _Domain-enabled = true. Anonymous create _sec-authentication-domain. _Domain-name = 'anonymous'. _Domain-type = 'FTP'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4ANONYMOUS'). _Domain-enabled = true. Employee create _sec-authentication-domain. _Domain-name = 'employee'. _Domain-type = 'TABLE-ApplicationUser'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4EMPLOYEE'). _Domain-enabled = true.

© 2012 Progress Software Corporation. All rights reserved. 14 Per-role Domains, Ctd. create _sec-authentication-domain. _Domain-name = 'system'. _Domain-type = '_extsso'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4SYSTEM'). _Domain-enabled = true. System

© 2012 Progress Software Corporation. All rights reserved. 15 Per-role Domains, Ctd. create _sec-authentication-domain. _Domain-name = 'app-admin'. _Domain-type = '_extsso'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4APPADMIN'). _Domain-enabled = true. create _sec-authentication-domain. _Domain-name = 'db-admin'. _Domain-type = '_oslocal'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4DBADMIN'). _Domain-enabled = true. DB Admin App Admin create _sec-authentication-domain. _Domain-name = 'system'. _Domain-type = '_extsso'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4DBSYSTEM'). _Domain-enabled = false. System

© 2012 Progress Software Corporation. All rights reserved. 16 Per-role Domains with Multi-tenancy Customer Tenant 1 create _sec-authentication-domain. _Domain-name = 'customer.tenant1'. _Domain-type = 'TABLE-ApplicationUser'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4CUSTOMER.T1'). _Domain-enabled = true. _Tenant-name = 'tenant-ONE'. Customer Tenant 2 create _sec-authentication-domain. _Domain-name = 'customer.tenant2'. _Domain-type = 'TABLE-ApplicationUser'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4CUSTOMER.T2'). _Domain-enabled = true. _Tenant-name = 'tenant-TWO'. Customer Tenant 3 create _sec-authentication-domain. _Domain-name = 'customer.tenant3'. _Domain-type = 'TABLE-ApplicationUser'. _Domain-access-code = audit-policy:encrypt-audit- mac-key( 's00perSecr1tK3y4CUSTOMER.T3'). _Domain-enabled = true. _Tenant-name = 'tenant-THREE'.

© 2012 Progress Software Corporation. All rights reserved. 17 Multiple Domains per Tenant create _sec-authentication-domain. _Domain-name = 'system.tenant1'. _Domain-type = '_oslocal'. _Tenant-name = 'tenant-ONE'. create _sec-authentication-domain. _Domain-name = 'customer.tenant1'. _Domain-type = 'TABLE-ApplicationUser'. _Tenant-name = 'tenant-ONE'. Tenant 1 Customer create _sec-authentication-domain. _Domain-name = 'employee.tenant1'. _Domain-type = 'LDAP'. _Tenant-name = 'tenant-ONE'. Tenant 1 System Tenant 1 Employee

© 2012 Progress Software Corporation. All rights reserved. 18 Roles & Responsibilities AnonymousCustomerEmployeeSystem See catalogueXXX Modify catalogueX Update shopping cartXX Add usersX Dump & load dataX Provision servicesX Level of trust

© 2012 Progress Software Corporation. All rights reserved. 19 Roles  Roles a way of mapping sets of capabilities to classes of users  May not serve the principle of least privilege (which states that one should have the minimal privileges necessary, and no more)  On the other end of the spectrum, one can define one role for every set of resource capabilities one might want to allow  Map roles to static sets of capabilities Role definition from OWASP

© 2012 Progress Software Corporation. All rights reserved. 20 Configuration: Roles create _Sec-role. _Role-name = 'ShoppingCart.Data.Write'. _Role-creator = _Role-description = 'Allows users to mod the shopping cart table'. create _Sec-granted-role. _Role-name = 'ShoppingCart.Data.Write'. _Grantee = /* one record per user */ _Grantor = create _Sec-role. _Role-name = 'Customer.Data.Read'. _Role-creator = _Role-description = 'Allows users to read the customer table'. create _Sec-granted-role. _Role-name = 'Customer.Data.Read'. _Grantee = /* one record per user */ _Grantor = 10.1A+

© 2012 Progress Software Corporation. All rights reserved. 21 Using Roles /* when the user has been successfully authenticated */ /* hCP:qualified-user-id = */ for each _Sec-granted-role where _Grantee = hCP:qualified-user-id: hCP:roles = hCP:roles + ',' + _Sec-granted-role._Role-name. end. /* Roles: ShoppingCart.Data.Write, Customer.Data.Read... */ /* later, when the user attempts access */ pcOperation = 'ShoppingCart.Data.Read'. if not can-do(hCP:roles, pcOperation) then undo, throw new AppError( 'User not authorised for operation').

© 2012 Progress Software Corporation. All rights reserved. 22 Configuration: Operation Access create _Sec-role. _Role-name = 'Customer.Service.GetCustomers'. _Role-creator = _Role-description = 'Allows users to access the Get Customer operation'. create _Sec-role. _Role-name = 'Customer.Service.GetCustomerOrders'. _Role-creator = _Role-description = 'Allows users to access the Customer Order operation'. create _Sec-role. _Role-name = 'ShoppingCart.Service.UpdateCart'. _Role-creator = _Role-description = 'Allows users to access the update a shopping cart'.

© 2012 Progress Software Corporation. All rights reserved. 23 Using Operation Access /* BusinessLogic/si_ShoppingCartService.p */ routine-level on error undo, throw. {dsShoppingCart.i} procedure UpdateShoppingCartService: define input-output parameter dataset for dsShoppingCart. Security.AuthorisationService:AuthoriseOperation( 'ShoppingCart.Service.UpdateCart'). ShoppingCartService:Instance:UpdateShoppingCartService( input-output dataset dsShoppingCart by-reference). end procedure.

© 2012 Progress Software Corporation. All rights reserved. 24 Roles & Responsibilities AnonymousCustomerEmployeeSystem See catalogueXXX Modify catalogueX Update shopping cartXX Add usersX Dump & load dataX Provision servicesX Level of trust

© 2012 Progress Software Corporation. All rights reserved. 25 Configuration: Service Names create _Sec-role. _Role-name = 'Customer.Service.Access'. _Role-description = 'Allows access to the Customer service'. _Role-name = 'ShoppingCart.Service.Access'. _Role-description = 'Allows access to the ShoppingCart service'. define private temp-table ttService no-undo field service as character field role as character create ttService. service = "BusinessLogic/si_ShoppingCartService.p". role = "ShoppingCartService.Service.Access". create ttService. service = "BusinessLogic/GetCustomers.p" role = "Customer.Service.Access" create ttService. service = "BusinessLogic/si_GenericFetchData.p". role = "ShoppingCartService.Service.Access".

© 2012 Progress Software Corporation. All rights reserved. 26 AppServer Access /* ttService populated from database or config files */ define private temp-table ttService no-undo field service as character field role as character define variable cDelim as character no-undo. define variable cExportList as character no-undo. cDelim = ''. for each ttService break by service: if first-of(ttService.service) then assign cExportList = cExportList + cDelim + ttService.service cDelim = ','. end. session:export(cExportList). ~9.0+

© 2012 Progress Software Corporation. All rights reserved. 27 Application Architecture: Business Logic conference Auditing Application business logic User interfaceSecurity tokenAuthentication Domains Authorisation

© 2012 Progress Software Corporation. All rights reserved. 28 Application Architecture: Business Logic conference Auditing Application business logic User interfaceSecurity tokenAuthentication Domains Authorisation RUN getcustomerlist.p ON SERVER hAppServer (OUTPUT DATASET dsCustomer) 1 activate.p STS:ValidateToken (INPUT cToken). security-policy:set- client ( >) AuthoriseService ("getcustomer.p"). deactivate.p security-policy:set- client ( >) 4 getcustomerlist.p OUTPUT PARAM DATASET dsCustomer 3 2

© 2012 Progress Software Corporation. All rights reserved. 29 Application Architecture: Business Logic conference Auditing Application business logic User interfaceSecurity tokenAuthentication Domains Authorisation deactivate.p security-policy:set- client ( >) 4 getcustomerlist.p OUTPUT PARAM DATASET dsCustomer 3 activate.p STS:ValidateToken (INPUT cToken). security-policy:set- client ( >) AuthoriseService ("getcustomer.p"). 2 RUN getcustomerlist.p ON SERVER hAppServer (OUTPUT DATASET dsCustomer) 1

© 2012 Progress Software Corporation. All rights reserved. 30 Desktop.MainForm.cls method protected void RefreshCustomerList(): define variable hAppServer as handle no-undo. run BusinessLogic/GetCustomerList.p on hAppServer (output dataset dsCustomerOrder). open query qryCustomer preselect each ttCustomer by ttCustomer.CustNum. bsCustomer:Handle = query qryCustomer:handle. query qryCustomer:reposition-to-row(1). end method.

© 2012 Progress Software Corporation. All rights reserved. 31 Application Architecture: Business Logic conference Auditing Application business logic User interfaceSecurity tokenAuthentication Domains Authorisation RUN getcustomerlist.p ON SERVER hAppServer (OUTPUT DATASET dsCustomer) 1 deactivate.p security-policy:set- client ( >) 4 getcustomerlist.p OUTPUT PARAM DATASET dsCustomer 3 activate.p STS:ValidateToken (INPUT cToken). security-policy:set- client ( >) AuthoriseService ("getcustomerlist.p"). 2 /* pseudo-code as run by AppServer agent */ if not can-do(session:export, request-info:ProcedureName) then undo, throw new Error().

© 2012 Progress Software Corporation. All rights reserved. 32 Application Architecture: Business Logic conference Auditing Application business logic User interfaceSecurity tokenAuthentication Domains Authorisation RUN getcustomerlist.p ON SERVER hAppServer (OUTPUT DATASET dsCustomer) 1 deactivate.p security-policy:set- client ( >) 4 getcustomerlist.p OUTPUT PARAM DATASET dsCustomer 3 activate.p STS:ValidateToken (INPUT cToken). security-policy:set- client ( >) AuthoriseService ("getcustomerlist.p"). 2

© 2012 Progress Software Corporation. All rights reserved. 33 Security/Activate.p hClientPrincipal = Security.SecurityTokenService:Instance: GetClientPrincipal( session:current-request-info:ClientContextId). /* authenticate client-principal */ security-policy:set-client(hClientPrincipal). /* authorise service access */ Security.AuthorisationService:Instance :AuthoriseService( hClientPrincipal, session:current-request-info:ProcedureName).

© 2012 Progress Software Corporation. All rights reserved. 34 Security/Activate.p hClientPrincipal = Security.SecurityTokenService:Instance: GetClientPrincipal( session:current-request-info:ClientContextId). /* authenticate client-principal */ security-policy:set-client(hClientPrincipal). /* authorise service access */ Security.AuthorisationService:Instance :AuthoriseService( hClientPrincipal, session:current-request-info:ProcedureName).

© 2012 Progress Software Corporation. All rights reserved. 35 Security/Activate.p hClientPrincipal = Security.SecurityTokenService:Instance: GetClientPrincipal( session:current-request-info:ClientContextId). /* authenticate client-principal */ security-policy:set-client(hClientPrincipal). /* authorise service access */ Security.AuthorisationService:Instance :AuthoriseService( hClientPrincipal, session:current-request-info:ProcedureName).

© 2012 Progress Software Corporation. All rights reserved. 36 Security.AuthorisationService define private temp-table ttService no-undo field service as character field role as character index idx1 as primary service. /* pcServiceName: BusinessLogic/GetCustomerList.p */ method public void AuthoriseService( input phCP as handle, input pcServiceName as character): define variable lIsAuthorised as logical no-undo. lIsAuthorised = can-find( first ttService where ttService.service eq pcServiceName). for each ttService where ttService.service eq pcServiceName while lIsAuthorised: lIsAuthorised = not can-do(phCP:roles, ttService.role). end. if not lIsAuthorised then undo, throw new AppError("User not authorised for service"). end method.

© 2012 Progress Software Corporation. All rights reserved. 37 deactivate.p security-policy:set- client ( >) 4 Application Architecture: Business Logic conference Auditing Application business logic User interfaceSecurity tokenAuthentication Domains Authorisation RUN getcustomerlist.p ON SERVER hAppServer (OUTPUT DATASET dsCustomer) 1 activate.p STS:ValidateToken (INPUT cToken). security-policy:set- client ( >) AuthoriseService ("getcustomer.p"). 2 getcustomerlist.p OUTPUT PARAM DATASET dsCustomer 3

© 2012 Progress Software Corporation. All rights reserved. 38 {BusinessLogic/dsCustomerOrder.i} define output parameter dataset for dsCustomerOrder. define variable oBusinessEntity as CustomerOrderBE no- undo. Security.AuthorisationService:Instance :AuthoriseOperation("Customer.Service.GetCustomers"). oBusinessEntity = new CustomerOrderBE(). oBusinessEntity:GetCustomers( output dataset dsCustomerOrder). /* eof */ BusinessLogic/GetCustomerList.p

© 2012 Progress Software Corporation. All rights reserved. 39 Security.AuthorisationService method public void AuthoriseOperation( input pcOperation as character): define variable hCP as handle no-undo. hCP = security-policy:get-client(). if not can-do(hCP:roles, pcOperation) then undo, throw new AppError("User not authorised for service"). end method.

© 2012 Progress Software Corporation. All rights reserved. 40 {BusinessLogic/dsCustomerOrder.i} define output parameter dataset for dsCustomerOrder. define variable oBusinessEntity as CustomerOrderBE no- undo. Security.AuthorisationService:Instance :AuthoriseOperation("GetCustomers"). oBusinessEntity = new CustomerOrderBE(). oBusinessEntity:GetCustomers( output dataset dsCustomerOrder). /* eof */ BusinessLogic/GetCustomerList.p

© 2012 Progress Software Corporation. All rights reserved. 41 {BusinessLogic/dsCustomerOrder.i} method public void GetCustomers( output parameter dataset dsCustomerOrder): define data-source srcCustomer for Customer. define data-source srcOrder for Order. buffer ttCustomer:attach-data-source( data-source srcCustomer:handle). buffer ttOrder:attach-data-source( data-source srcOrder:handle). /* multi-tenancy magic happens here. CAN-READ too. based on the asserted user via SECURITY-POLICY GET-CLIENT */ dataset dsCustomerOrder:fill(). buffer ttCustomer:detach-data-source(). buffer ttOrder:detach-data-source(). end method. /* eof */ CustomerOrderBE.cls

© 2012 Progress Software Corporation. All rights reserved. 42 Desktop.MainForm.cls method protected void RefreshCustomerList(): define variable hAppServer as handle no-undo. run BusinessLogic/GetCustomerList.p on hAppServer (output dataset dsCustomerOrder). open query qryCustomer preselect each ttCustomer by ttCustomer.CustNum. bsCustomer:Handle = query qryCustomer:handle. query qryCustomer:reposition-to-row(1). end method.

© 2012 Progress Software Corporation. All rights reserved. 43 Application security principles Applications must have security designed in. Some proven application security principles 1. Identify and secure the weakest link 2. Practice defense in depth 3. Be reluctant to trust 4. Remember that hiding secrets is hard 5. Follow the principle of least privilege 6. Fail and recover securely 7. Compartmentalize 8. Keep it simple, stupid 9. Keep trust to yourself 10. Assume nothing

© 2012 Progress Software Corporation. All rights reserved. 44 Summary  Identity management is a process that helps protect your business data Strength in depth  OpenEdge provides components of identity management CLIENT-PRINCIPAL Multi-tenancy, Domains & Authentication Systems  Run with least privilege Use Domains and Roles to keep privileges ‘tight’ Reset to lower privileges when done  Configuration > Code Code is the weakest link

© 2012 Progress Software Corporation. All rights reserved. 45 Extra materials  This session Slides to be posted on PUG Challenge site Supporting code at  Other PUG Challenge sessions Identity Management Basics (Part 1) Peter Judge, PSC Advanced OpenEdge REST/Mobile Security Mike Jacobs, PSC Programming with the Client-Principal Object Chris Longo, BravePoint Image Credits: Passport designed by Catia G, Time designed by wayne25uk, Database designed by Anton Outkine, Code designed by Nikhil Dev, Ninja designed by John O'Shea, Imposter designed by Luis Prado, User designed by T. Weber, Fingerprint designed by Andrew Forrester, Document designed by Samuel Green, Certificate designed by VuWorks, Network designed by Ben Rex Furneaux, Beer designed by Leigh Scholten; all from The Noun Project

October 6–9, 2013 Boston #PRGS13 Special low rate of $495 for PUG Challenge attendees with the code PUGAM And visit the Progress booth to learn more about the Progress App Dev Challenge!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.