Securing Applications Against Multiple Validation Sources
As you may know, m-Power applications can be configured to require Sign-on validation so that your user must first authenticate before accessing the underlying page. Also, as you may be aware, m-Power supports a variety of Sign-on validation types (Database user, Active Directory, Database table, etc…). Occasionally, some developers may desire to have the flexibility to have their applications secure against multiple validation types. For instance, perhaps you have a situation where your internal users are already setup in an Active Directory, but your external users are stored in a database table. Your challenge would be to allow m-Power to seamlessly validate against both of these sources, unbeknownst to the user.
m-Power now supports the ability, at the Data Dictionary level, to validate against multiple datasources automatically. This additional validity logic would be done behind the scenes and your end-user would be unaware that their credentials were being examined across multiple validation sources. Here is how to set up this functionality:
- Navigate to the Admin section
- Click "Edit Dictionary Files"
- Click "Sign On Configuration"
- Click "Text Mode"
- Find the following code: "</mrc_signon>"
- Directly before the above code, add the following:
<validation_sources> <source validation_type="4" datasource="mysql1" tablename="" col_user="" col_password=""/> <source validation_type="5" datasource="mysql1" tablename="mylib.mysec" col_user="usr" col_password="pwd"/> <source validation_type="1" datasource="as400_remote1" tablename="" col_user="" col_password=""/> </validation_sources>
Note: This example lists 3 alternative validation types but you can add as many or as few alternative validation sources as you wish.
- Modify the code you added in the previous step to validate against your validation types, filling out all necessary information.
Note: When you add in additional validation methods, it is required that all 5 attributes be present, though some attributes can be blank. Specifically, if specifying option 5, all values must be filled out. However, any other validation method requires only the first two attributes to be filled out, while the last 3 need to rename equal to blank.
- Restart Tomcat to ensure the change has gone into effect
When a user presents their username and password for validation, m-Power will attempt to validate their credentials against the primary validation source, as noted in the "<group….>" value. If the user's credentials are valid, they will proceed to the application. However, if the user's credentials fail, the system will attempt to validate against the first entry listed in the "<validation_sources…>" section. Again, if these credentials are valid, the user can proceed. If not, the next entry will be attempted, until no more entries remain. Once all entries have been exhausted, the user will see a message on their Sign-On screen that says their credentials are not valid.
Note: More information explaining general m-Power Security can be found here.