Delegation use cases

Three examples of possible uses for the delegation mechanism.

Simple local authentication / authorization mechanism

You can develop a simple delegation service to authenticate and authorize users to have access to one or several applications on the Genero Application Server.

A sample local authentication / authorization implementation of Single Sign On (SSO) for Genero, with support for re-login after a period of inactivity, can be found under the Four Js Genero GitHub repository. See https://github.com/FourjsGenero/ex_simplesso.

The delegation service will respond to the request with an HTML form, asking for a user name and password. In this case, HTTPS is required; otherwise the user name and password will be sent in clear text.

A request with user name and password as parameters is processed by the delegation service. The service checks for the user name and password in its database. If the user name and password are correct, a digest authentication will be created, stored in the database, and sent back to the user-agent in a cookie. The delegation service will instruct the user agent to delegate on the same URL (so the user agent will use its newly set cookie).

A request with a cookie will be processed by the delegation service. The cookie will be checked in the database. The corresponding user id, as well as the user role (administrator, user, guest, and so on), will be set as application parameters and the Genero Application Server will be instructed to allow the launch of the application.

Authentication / authorization Single sign-on (SSO) mechanism

You can develop a delegation service to authenticate and authorize users to access one or more applications on the Genero Application Server based on standard SSO services such as OpenID Connect.

The delegation service responds to a simple request for delegation to the SSO service, with reference to the requested application.

A request with a cookie is processed by the delegation service. The cookie is checked by the SSO service (by means specific to the SSO protocol). The corresponding user id and user role (as allowed by the SSO protocol) will be set as application parameters and the Genero Application Server will be instructed to allow the launch of the application.

Samples for implementing OpenID Connect and SAML authentication and authorization services are provided in $FGLDIR/web_utilities/services, ready for you to use.

Monitoring or logging requests for a Genero Web service

You can develop a simple delegation service to monitor and log all requests to a given service. Each request can be logged in a dedicated database by the delegation service. The Genero Application Server can then be instructed to pass the request to the GWSProxy. The delegation for Web services is called each time a request is sent to that service.

For applications, logging is only performed at application start up.