Control of user access to an endpoint on an app scope can be divided into two separate but related processes:
- Authentication determines a user's identity, typically through a username and password.
- Authorization checks permissions for a user's role, based on the user's authenticated identity, and determines whether to allow the user access to a resource. A resource is an endpoint whose access is controlled by an app scope.
As part of building a client app or deploying app scopes on the Akula Server, you must consider authentication and authorization policies. For example, will your client app support different types of users with different types of access? In that scenario, some users could have read-only access to a data source while others have read/write access. You have to make sure that your client app, and the app scope, are implemented correctly to handle different user types.
This document contains an overview of how to add security to your Akula apps, and includes the following sections:
- Security design considerations
- Steps to adding security to your apps
- For more information on applying security
Security design considerations
When designing your app, consider the following security issues:
- What mechanism will you use to store user credentials?
The Akula Server requires an external mechanism, called a realm, for managing user credentials such as usernames and passwords, and for storing information about user groups. One of your first decisions is which system to connect to the Akula Server to serve as your realm. For example, Akula provides support for using an Active Directory server to manage user credentials and user groups. Alternatively, you can use a JDBC or SQLite database, or create a custom connector to use an LDAP server or other mechanism.
- What permissions are associated with an endpoint on an app scope?
An endpoint corresponds to a URL paired with an HTTP access method, such as GET, PUT, POST, or DELETE. When you define an endpoint as part of creating an Akula app scope, you associate permissions with the endpoint. That association specifies the permissions that a user must have to access the endpoint. Each endpoint, and each HTTP access method to an endpoint, can define its own unique set of permissions.
- Which role can access an endpoint?
In Akula, authorization is role based, where a role is associated with one or more user groups and one or more permissions. Therefore, all users in a group have all of the permissions associated with the role that contains the group. For example, suppose you define two roles: sales and sales_managers. All users in a group in the sales role could then have read-only access (HTTP GET) to an endpoint, while all users in a group in the sales_managers role have read and write access (HTTP GET and HTTP PUT) to the same endpoint.
- Will you use SSL to secure data sent to and from the Akula Server?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a client, such as a client browser or other type of client app. An encrypted link ensures that all data passed between the web server and client remains private. The Akula Server and Akula client apps support both HTTP requests and HTTPS requests using SSL.
These are just some of the security issues that you have to take into consideration when building secure mobile apps.
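As an added illustration (not Akula code or configuration), the following Python sketch models the group-to-role-to-permission lookup and the per-method endpoint check described above; the group names, permission strings and endpoint table are constructed, and the sales / sales_managers roles are the ones from the example.

```python
"""Model of Akula-style role-based authorization (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Role:
    groups: set[str]       # user groups that belong to this role
    permissions: set[str]  # permissions every member of those groups receives


# Constructed roles: sales gets read-only, sales_managers gets read and write.
ROLES = {
    "sales": Role(groups={"east_sales", "west_sales"}, permissions={"orders:read"}),
    "sales_managers": Role(groups={"sales_mgmt"}, permissions={"orders:read", "orders:write"}),
}

# Each (HTTP method, URL) pair carries its own required-permission set,
# mirroring the per-method permissions an endpoint definition declares.
ENDPOINTS = {
    ("GET", "/orders"): {"orders:read"},
    ("PUT", "/orders"): {"orders:write"},
    ("DELETE", "/orders"): {"orders:write", "orders:admin"},
}


def effective_permissions(user_groups, roles=ROLES):
    """Union of the permissions of every role that contains one of the user's groups."""
    groups = set(user_groups)
    perms: set[str] = set()
    for role in roles.values():
        if role.groups & groups:
            perms |= role.permissions
    return perms


def missing_permissions(user_groups, method, url, roles=ROLES, endpoints=ENDPOINTS):
    """Return the required permissions the user lacks; None if the endpoint is not configured.

    An endpoint with no entry is treated as closed (deny by default), so a
    forgotten endpoint_config entry fails safe instead of exposing the resource.
    """
    required = endpoints.get((method.upper(), url))
    if required is None:
        return None
    return required - effective_permissions(user_groups, roles)


def is_authorized(user_groups, method, url, roles=ROLES, endpoints=ENDPOINTS):
    """True only when the endpoint is configured and every required permission is held."""
    missing = missing_permissions(user_groups, method, url, roles, endpoints)
    return missing is not None and not missing
```

The `missing_permissions` result is what you would log on a denied request, since it names the exact permission gap rather than just "403".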
Steps to adding security to your apps
To add security:
- Determine your security realm. The Akula security mechanism requires an external realm that defines a collection of users and groups.
- Define the security manager in the AKULA_HOME\global\security_template.xml file. A security manager defines the following information:
  - The realm
  - The session timeout duration for a client login
  - Optionally, a session caching strategy
- For each endpoint in the app scope, edit the endpoint_config.xml file to set the permissions required to access it.
- Use the Akula Command-line Management Utility to create the security roles for the app scope.
- Use the Akula Command-line Management Utility to associate user groups to roles.
- Use the Akula Command-line Management Utility to associate permissions with a role. It is the role that the user group is in, and the permissions associated with that role, that determine the endpoints that a user can access.
For more information on applying security
This document contains only an introduction to building secure Akula apps. For detailed information, see:
- Authentication and Authorization
- Defining a Security Manager
- Allow Cross Origin Requests in a Browser App
- Using SSL with Akula
- Using Endpoints
- Checking User Permissions on the Client