
An AdeliaLoginModule is used to call a Visual Adelia Batch program to manage authentication in a Realm.

The program also handles password changes and provides an IsUserInRole check to determine whether the authenticated user belongs to a specific role (or group).

 

Module configuration

Extract from wagon.xml file:

 

 

<realms>
    <!-- Definition of a BasicRealm-type "adelia" Realm using a LoginModule called AdeliaLoginModule -->
    <realm name="adelia" loginModuleName="AdeliaLoginModule"
           className="com.hardis.adelia.cloud.security.realms.BasicRealm"/>
</realms>

<loginModules>
    <!-- Definition of an AdeliaLoginModule LoginModule with the implementation class com.hardis.adelia.cloud.security.loginmodules.adelia.AdeliaLoginModule -->
    <!-- i.e. LoginModule implementation class calling an Adelia VAB program -->
    <!-- Parameters: -->
    <!-- VAAuthProgram: Visual Adelia Batch program in charge of authentication management -->
    <!-- SSOEnabled   : Whether or not "pseudo" Single Sign On is enabled -->
    <!-- Unicode      : Indicates whether or not the program was generated in UNICODE -->
    <loginModule name="AdeliaLoginModule" className="com.hardis.adelia.cloud.security.loginmodules.adelia.AdeliaLoginModule">
        <parameters>
            <item key="VAAuthProgram" value="fr.hardis.VAAUTH" />
            <item key="SSOEnabled" value="true" />
            <item key="Unicode" value="false" />
        </parameters>
    </loginModule>
</loginModules>

 

 

Note: Enabling SSO avoids prompting the user when credentials are missing from the configuration of a physical server associated with a logical server used in the application.

The missing credentials are automatically replaced by those of the Realm.

SSO is also supported for the VAB authentication program.
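
A configuration review of the realm and loginModule definitions above can be scripted. The following is an added example, not code from Adelia or Hardis: it lists realms backed by AdeliaLoginModule whose settings deserve attention, including those where SSO forwards Realm credentials to physical server connections. The `<wagon>` root element, the "legacy" and "orphan" entries, and the rule that only true/false are expected values are assumptions.

```python
import xml.etree.ElementTree as ET
ADELIA_CLASS = "com.hardis.adelia.cloud.security.loginmodules.adelia.AdeliaLoginModule"

# Constructed sample: trimmed page extract under a placeholder root, plus two constructed realms.
SAMPLE = f"""<wagon>
 <realms>
  <realm name="adelia" loginModuleName="AdeliaLoginModule"/>
  <realm name="legacy" loginModuleName="LegacyModule"/>
  <realm name="orphan" loginModuleName="Missing"/>
 </realms>
 <loginModules>
  <loginModule name="AdeliaLoginModule" className="{ADELIA_CLASS}">
   <parameters>
    <item key="VAAuthProgram" value="fr.hardis.VAAUTH"/>
    <item key="SSOEnabled" value="true"/>
    <item key="Unicode" value="false"/>
   </parameters>
  </loginModule>
  <loginModule name="LegacyModule" className="{ADELIA_CLASS}">
   <parameters><item key="Unicode" value="yes"/></parameters>
  </loginModule>
 </loginModules>
</wagon>"""

def audit(xml_text):
    """Return (realm, finding) pairs for realms backed by AdeliaLoginModule."""
    root = ET.fromstring(xml_text)
    modules = {m.get("name"): m for m in root.iter("loginModule")}
    findings = []
    for realm in root.iter("realm"):
        name, module = realm.get("name"), modules.get(realm.get("loginModuleName"))
        if module is None:
            findings.append((name, "loginModuleName does not match any loginModule"))
            continue
        if module.get("className") != ADELIA_CLASS:
            continue  # other LoginModule types are outside this page's scope
        params = {i.get("key"): (i.get("value") or "").strip() for i in module.iter("item")}
        if not params.get("VAAuthProgram"):
            findings.append((name, "VAAuthProgram is missing or empty"))
        for key in ("SSOEnabled", "Unicode"):
            if key in params and params[key].lower() not in ("true", "false"):
                findings.append((name, f"{key} has unexpected value {params[key]!r}"))
        if params.get("SSOEnabled", "").lower() == "true":
            findings.append((name, "SSO on: Realm credentials are reused for "
                                   "physical server connections"))
    return findings

if __name__ == "__main__":
    for realm, finding in audit(SAMPLE):
        print(f"{realm}: {finding}")
```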

 


 

Visual Adelia Batch fr.hardis.VAAUTH program


The Visual Adelia Batch program can be generated in UNICODE; in that case, add the <item key="Unicode" value="true" /> item to the loginModule definition.

 

The Visual Adelia Batch program must be generated for the Cloud platform with the Java Interface Bean generation option checked.

 

Notes:

    • the VAB authentication program does not have access to the VFS. The standard File System is used.

    • the VAB authentication program cannot be debugged.

    • the VAB authentication program cannot interact with the desktop.

The program in charge of Realm authentication must comply with the following rules:

 

LoginModule:checkAuthentification

The LoginModule checkAuthentication method is implemented by the body of the VAB program.

The program must declare the following parameters:

 

| Name of parameter | Type | Usage | Description |
| --- | --- | --- | --- |
| LstAttrRealm | LIST (ALPHA, ALPHA) | I | List of Realm attributes/parameters. The attribute called 'login' returns the user used. The attribute called 'password' returns the password used. |
| LstAttrLoginModule | LIST (ALPHA, ALPHA) | I | List of LoginModule attributes/parameters. |
| nbAttempt | NUM_BIN_4 | I | Connection attempt number. |
| retAuthChecked | NUM_BIN_2 | O | Returned value indicating whether authentication has been successful or not. 0: authentication successful; -1: authentication failed: abort; -2: authentication failed: retry; -3: expired password. |
| retExtendedUser | ALPHA | O | User value used for the Adelia reserved word *USER. If not input, the Adelia reserved word *USER returns the user associated with the 'login' attribute. |
| RetErrMsg | ALPHA(1024) | O | If it fails, an explanatory failure message is displayed in the connection box. |

 

LoginModule:changePassword

The LoginModule changePassword method is implemented by the CHANGE_PASSWORD public procedure.

The procedure must declare the following parameters:

 

| Name of parameter | Type | Usage | Description |
| --- | --- | --- | --- |
| User | ALPHA | I | Name of user whose password needs to be changed. |
| oldPwd | ALPHA | I | Previous password. |
| newPwd | ALPHA | I | New password. |
| RetSuccess | BOOL | O | Returned value indicating whether the change has been successful or not. |
| RetErrMsg | ALPHA(1024) | O | If it fails, an explanatory failure message is displayed in the connection box. |

 

IsUserInRole

The VaToolBx provides a VaToolBxCloudIsUserInRole method which is available in Cloud generation.

This method calls the Visual Adelia Batch program in charge of Realm authentication via the IS_USER_IN_ROLE public procedure.

The procedure must declare the following parameters:

 

| Name of parameter | Type | Usage | Description |
| --- | --- | --- | --- |
| RoleName | ALPHA | I | Name of role to test (does the authenticated user belong to this role/group). |
| RetInRole | BOOL | O | Returned value indicating whether the user belongs to the role or not. |

 

Further information concerning implementation

If authentication is successful, the AdeliaLoginModule returns an AdeliaUserIdentity object. This contains the following information:

 

| Attribute name | Type | Description |
| --- | --- | --- |
| m_UserName | String | Name of authenticated user. |
| m_ExtUserName | String | Name of user for the Adelia reserved word *USER. |
| m_Pwd | String | Password used to authenticate the User. |
| m_SSOEnabled | boolean | Indicates if SSO is enabled for the realm. |
| m_hInstPgm | aProgram | VAB authentication program instance: this program can be used when the VaToolBxCloudIsUserInRole method is called. |


 

SSO information


Used for all Realm programs apart from the authentication program.

The MwServer.java makeConnection method calls an IConnectionInfoProvider to ensure there is a connection to the physical server if the credentials are missing from the MWCLIENT.ini configuration file.

 

The WagonConnectionInfoProvider has been enhanced to take into account the AdeliaLoginModule SSO. Before prompting the user, this provider retrieves the Realm UserIdentity and checks:

    • that the UserIdentity is an AdeliaUserIdentity,
    • that SSO is enabled.

Once these checks have been made, the AdeliaUserIdentity credentials are used to populate the ConnectionInfo for the MW connection.

 

Use for the authentication program

In the case of the authentication program, authentication is of course not yet validated and therefore no AdeliaUserIdentity is available.

 

To work around this, a ConnectionInfo object (with the credentials to validate from the Realm) is temporarily stored in the application context attribute map.

 

The attribute name is composed as follows: (IConnectionInfoProvider.VAAuthConnectionInfoAttrName + ((IApplicationContext)Thread.currentThread()).getThreadWUID()).

 

The WagonConnectionInfoProvider has been enhanced to take into account this temporary ConnectionInfo object if no UserIdentity is found.

The attribute is deleted when the call to the VAB authentication program returns.
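
The lookup order described in this section, and the lifetime of the temporary attribute, can be modelled as follows. This is an added example written as a Python model, not the product's Java code: the class and function names, the attribute prefix value, and the choice of m_UserName as the connection user are assumptions.

```python
from contextlib import contextmanager
from dataclasses import dataclass

# Placeholder for IConnectionInfoProvider.VAAuthConnectionInfoAttrName (real value not on the page).
ATTR_PREFIX = "VAAuthConnectionInfo."

@dataclass(frozen=True)
class ConnectionInfo:
    user: str
    password: str

@dataclass(frozen=True)
class AdeliaUserIdentity:          # fields mirror m_UserName, m_Pwd, m_SSOEnabled
    user_name: str
    pwd: str
    sso_enabled: bool

@contextmanager
def pending_authentication(context_attrs, wuid, login, password):
    """Expose the credentials under validation only while the VAB program runs."""
    key = ATTR_PREFIX + wuid       # one attribute per thread WUID
    context_attrs[key] = ConnectionInfo(login, password)
    try:
        yield
    finally:
        context_attrs.pop(key, None)   # removed even if the call raises

def resolve(identity, context_attrs, wuid):
    """Return (source, ConnectionInfo or None) in the order the page describes."""
    if isinstance(identity, AdeliaUserIdentity) and identity.sso_enabled:
        # Assumption: m_UserName (not m_ExtUserName) is the connection user.
        return "realm-identity", ConnectionInfo(identity.user_name, identity.pwd)
    if identity is None:
        pending = context_attrs.get(ATTR_PREFIX + wuid)
        if pending is not None:
            return "pending-authentication", pending
    return "prompt", None

def demo():
    # Constructed scenario: the VAB call fails while credentials are pending.
    attrs, seen = {}, []
    try:
        with pending_authentication(attrs, "wuid-1", "alice", "constructed-pw"):
            seen.append(resolve(None, attrs, "wuid-1")[0])   # authenticating thread
            seen.append(resolve(None, attrs, "wuid-2")[0])   # another thread
            raise RuntimeError("VAB call failed")
    except RuntimeError:
        pass
    seen.append(resolve(None, attrs, "wuid-1")[0])           # after the call
    return seen, attrs
```

The point to verify in a real deployment is the same as in the model: the pending credentials are visible only under the calling thread's key and are gone once the call ends, including on failure.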
