Force user to enter login and password

Prevent direct access to the application and force the end user to enter a login and password.

How should I configure my application to use the Simple SSO provider?

Modify the application configuration in order to delegate the execution to the service. Add a DELEGATE tag in the EXECUTION component of your application configuration file (xcf).
<EXECUTION>
  <PATH>$(res.path)</PATH>
  <MODULE>myApp.42r</MODULE>
  <DELEGATE service="services/SimpleSSOServiceProvider">
  </DELEGATE>
</EXECUTION>
In this example, “SimpleSSOServiceProvider” corresponds to the configuration file of your service, which should be located by default in $FGLDIR/web_utilities/services.
<EXECUTION>
  <PATH>$(res.path.fgldir.services)/simplesso/bin</PATH>
  <MODULE>SSOService.42r</MODULE>
</EXECUTION>
Make your service configuration point to your service executable. In this example, that is SSOService.42r.

How is the authentication handled by the service?

The end user types the usual URL of the application to execute in the browser (step 1 in the workflow).
Screen shot of browser with URL entered of localhost:6394/wa/r/myApp

Figure 1. Application URL

The start of the application is delegated to the service.

The incoming HTTP request is now handled by the Genero service. It checks for a valid cookie (step 2 of the workflow) and analyzes the URL query string parameters to find values for the login and password. As this is the first start, there is no valid cookie (step 3b of the workflow), and the query string is null because the login page has not been submitted yet (step 4 of the workflow). As a result, the connection is refused and the service directs the user to a login XHTML page:

Genero login page showing username and password fields, a login button, and a checkbox asking would you like to keep the password

Figure 2. Login page

When the login button is clicked, because it is an XHTML form, all data entered in the form fields, as well as the state of the “Would you like to keep password?” checkbox, are automatically set as parameters in the URL query string.
Important: For the ease of this tutorial, the data in the query string is shown in clear text using a GET method. In other words, the user name and password are visible in the query string. In the sample, we use a POST method to hide the query string. On a production site, you need to use HTTPS in order to encrypt and secure everything, and to avoid clear-text data being sent through the network.

How is the URL handled in the 4GL service?

Once the login page has been submitted (step 4 of the workflow), the incoming URL is split into 2 parts:
  • the base URL
  • the query string
The query string is parsed to retrieve values for the username, the password, the state of the “keeping password” checkbox, and any potential query string parameters the user may have manually entered in the URL.
CALL parseQueryString(query) RETURNING user, pwd, userQueryString, isCookie
Important: The functions included in the sample are examples. On a production site, we recommend you review all functions to match your needs and to avoid transmitting data in clear text.

Once user and password have been retrieved from the query string, the service checks to see whether the username and password are valid.

If the username and password are valid, the application can be started. The Genero REST service returns the HTTP code 307 and the description _GENERO_INTERNAL_DELEGATE_ to notify the dispatcher to start the application as the response to the current user-agent request.

In addition, if the username and password match, a new cookie is sent to the browser. An immediate redirection follows; the service checks this valid cookie (back at step 2 of the workflow) and accepts the connection (step 3a of the workflow). The next time the user starts the application, the 4GL service checks the validity of this cookie. Depending on the cookie's expiration, either the application starts automatically without requiring the user to log in again, or the service returns a new login page.

If the username and password do not match, the user is redirected to a login page with a 403 error.
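The decision flow described above, modelled in Python as an added example; it is not the Genero sample's 4GL code. The form field names (user, pwd, keep), the signed-cookie format, the cookie lifetimes and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, os, time
from urllib.parse import parse_qsl, urlencode

SECRET = os.urandom(32)                  # cookie signing key (assumption: kept server-side)
FORM_FIELDS = {"user", "pwd", "keep"}    # assumption: names of the login form fields
DUMMY = (b"\0" * 16, b"")                # record used for unknown users; never matches

def _kdf(pwd, salt):
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 100_000)

_salt = os.urandom(16)
USERS = {"alice": (_salt, _kdf("s3cret", _salt))}   # constructed sample account

def parse_query_string(query):
    """Separate login form fields from the parameters the user typed in the URL."""
    pairs = parse_qsl(query, keep_blank_values=True)
    form = {k: v for k, v in pairs if k in FORM_FIELDS}
    user_qs = urlencode([(k, v) for k, v in pairs if k not in FORM_FIELDS])
    return form.get("user", ""), form.get("pwd", ""), user_qs, "keep" in form

def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def make_cookie(user, ttl, now):
    body = f"{user}|{int(now) + ttl}"
    return f"{body}|{_sign(body)}"

def cookie_valid(cookie, now):
    try:
        user, expiry, sig = cookie.split("|")
        return hmac.compare_digest(sig, _sign(f"{user}|{expiry}")) and int(expiry) > now
    except (AttributeError, TypeError, ValueError):  # missing or malformed cookie
        return False

def handle(query, cookie=None, now=None):
    """Return (action, cookie_to_set, query string handed on to the application)."""
    now = time.time() if now is None else now
    user, pwd, user_qs, keep = parse_query_string(query)
    if cookie_valid(cookie, now):                  # steps 2 and 3a
        return "delegate", None, user_qs           # page: 307 _GENERO_INTERNAL_DELEGATE_
    if not user and not pwd:                       # step 3b: nothing submitted yet
        return "login", None, user_qs
    salt, stored = USERS.get(user, DUMMY)          # step 4: check the submitted login
    if hmac.compare_digest(_kdf(pwd, salt), stored):
        ttl = 7 * 86400 if keep else 900           # assumption: cookie lifetimes
        return "redirect", make_cookie(user, ttl, now), user_qs
    return "login-403", None, user_qs              # page: login page with a 403 error
```

The credentials are removed from the query string before it is handed on, so only the user's own parameters reach the application, and the cookie carries an HMAC so an edited user name or expiry fails the check.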