Rapid Application Development
Securing Your Application with WebAuth

In order to secure a new HTMLDB web app with WebAuth authentication, there are several components to install and configure. What follows is a step-by-step guide to WebAuthing your HTMLDB application.

Before you Begin

  • Consult with the customer to find out what the user roles are and how they affect the application. Some roles may require limited visibility, requiring custom per-item or per-page authorization.
  • Choose a password that will uniquely identify your application. This password should not be based on a single dictionary word, and should contain at least one non-alphabetic character. You are not going to have to recall this password, so you can make it as obscure as you like. Notify that you are ready to activate your application password; the actual exchange of this information should be handled by telephone. You will be asked to supply both the password and the application id. Please allow a full working day for the password to be activated.

Initial Setup

  1. Download schema.sql. This defines the tables needed in the local workspace schema to support this authentication scheme.
  2. Run schema.sql in the SQL command line tool one line at a time. This creates the tables needed to support application-managed user administration.
  3. Download users.sql. This sample SQL demonstrates how to create an initial application administrator user.
  4. Modify as appropriate and run the SQL to create new admin users and roles following the example given in users.sql.
  5. Download auth.sql. This script contains the page sentry (authentication) function and the authorization function.
  6. Install and customize auth.sql in the SQL script tool:
    1. SQL Workshop (middle tab, upper right tab bar).
    2. SQL Scripts: Scripts (bottom left icon).
    3. Click 'Upload' button.
    4. Title=IRTAUTH, browse to local copy of auth.sql, click 'Add Script' button.
    5. On the line in the report for 'IRTAUTH', click on the pencil-and-paper icon in the far left column to edit the script.
    6. Replace 'shared-secret-goes-here' on line 81 with your chosen shared secret.
    7. Click 'Apply Changes'.
    8. Click 'Run' link under Actions column in table row corresponding to newly modified script.
    9. Click 'Run Script' button.

User Management UI
Next you need to create a way to administer the users of the webauthed applications in your workspace. There are three options:

  1. (Recommended) Import the User Admin Template App into your workspace and use this as a starting point for developing your application. If you wish to, you can apply a new style template for a different look and feel.
  2. Use the User Admin Template App as a standalone user administration app for all applications in your workspace. This option has the advantage of being very quick to implement and the disadvantage of being decoupled from the app, so the admin needs to remember two application URLs. If you do have more than one application in your workspace, all applications will have the same set of users and roles.
  3. Follow the steps in the document webauthPageCreation.doc. This has the disadvantage of taking somewhat longer (about an hour) and the advantage of the resulting user administration screens being fully integrated into the application, so you do not need to remember two different URLs. This option has the same end result as the recommended procedure of using the template app as a starting point, but may be your best option when retro-fitting an existing HTMLDB application to use WebAuth for authentication.

You should be aware that the current user admin screens all assume one application per workspace; if you plan to have several webauthed apps in a given workspace you will need to modify and extend the current user admin screens to scope user permissions by their associated applications.

Authentication

  1. Create a from-scratch authentication scheme (Application Builder: Shared Components: Authentication). Do not use the wizard, just hit 'Create Scheme' after naming it WEBAUTH, and edit as follows: Under Page Session Management set Page Sentry Function to
    return irtauth.irt_page_sentry;
  2. Make the newly created scheme current.

Authorization
If you chose to create a standalone user admin app, you are now finished. If you chose to integrate the user admin pages into your application, take these last 3 steps to secure those pages within your application:

  1. Create a from-scratch authorization scheme (Application Builder: Shared Components: Authorization). Name it 'User Admin', choose type 'PL/SQL Function returning Boolean', and under 'Expression1' enter
    return irtauth.authorize(:APP_USER, 'Manage Users');
  2. Apply the newly created authorization scheme to both user-admin pages ('edit page attributes'; scroll down to 'authorization').
  3. Edit the tabs that control both user admin screens such that the tabs do not display when
    return irtauth.authorize(:APP_USER, 'Manage Users');
    returns false, i.e. make the tab display conditional on the given 'PL/SQL function returning Boolean'. If you are using a two level tab scheme don't forget to edit the parent tab as well as the standard tab in this manner.
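To show what the authorization scheme above is asking of the database, here is an added, illustrative PL/SQL sketch of an authorize function with the same signature. It is not the contents of auth.sql, and the three tables (app_users, app_roles, app_user_roles) are assumed stand-ins for whatever schema.sql actually creates; the point is the fail-closed lookup behind `irtauth.authorize(:APP_USER, 'Manage Users')`.

```sql
-- Assumed tables (hypothetical stand-ins, not the ones from schema.sql).
CREATE TABLE app_users (
  username  VARCHAR2(64) PRIMARY KEY,          -- WebAuth principal, stored upper-case
  is_active CHAR(1) DEFAULT 'Y' NOT NULL CHECK (is_active IN ('Y', 'N'))
);
CREATE TABLE app_roles (
  role_name VARCHAR2(64) PRIMARY KEY           -- e.g. 'Manage Users'
);
CREATE TABLE app_user_roles (
  username  VARCHAR2(64) NOT NULL REFERENCES app_users,
  role_name VARCHAR2(64) NOT NULL REFERENCES app_roles,
  PRIMARY KEY (username, role_name)
);

CREATE OR REPLACE PACKAGE irtauth AS
  FUNCTION authorize(p_user IN VARCHAR2, p_role IN VARCHAR2) RETURN BOOLEAN;
END irtauth;
/
CREATE OR REPLACE PACKAGE BODY irtauth AS
  FUNCTION authorize(p_user IN VARCHAR2, p_role IN VARCHAR2) RETURN BOOLEAN IS
    l_count PLS_INTEGER;
  BEGIN
    -- Fail closed: an empty user (no session) or empty role name never authorizes.
    IF p_user IS NULL OR p_role IS NULL THEN
      RETURN FALSE;
    END IF;
    -- Bind variables only; the role and user names never reach the SQL text.
    SELECT COUNT(*)
      INTO l_count
      FROM app_user_roles ur
      JOIN app_users u ON u.username = ur.username
     WHERE u.username  = UPPER(p_user)      -- :APP_USER is normally upper-case
       AND u.is_active = 'Y'                -- deactivated accounts keep no rights
       AND ur.role_name = p_role;
    RETURN l_count > 0;
  EXCEPTION
    WHEN OTHERS THEN
      RETURN FALSE;   -- a lookup failure denies access rather than granting it
  END authorize;
END irtauth;
/

-- Constructed sample data: one administrator who may manage users.
INSERT INTO app_users (username) VALUES ('JSMITH');
INSERT INTO app_roles (role_name) VALUES ('Manage Users');
INSERT INTO app_user_roles (username, role_name) VALUES ('JSMITH', 'Manage Users');
COMMIT;
```

With this data, the scheme evaluates to TRUE for session user JSMITH and FALSE for anyone else, so the user-admin pages and their tabs stay hidden from every other authenticated user.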