Getting Started: Learn

Control of user access to an endpoint on an app scope can be divided into two separate but related processes:

  • Authentication determines a user's identity, typically through a username and password.
  • Authorization checks permissions for a user's role, based on the user's authenticated identity, and determines whether to allow the user access to a resource. A resource is an endpoint whose access is controlled by an app scope.

As part of building a client app or deploying app scopes on the Akula Server, you must consider authentication and authorization policies. For example, will your client app support different types of users with different types of access? In that scenario, some users could have read-only access to a data source while others have read/write access. You have to make sure that your client app, and the app scope, are implemented correctly to handle different user types.

This document contains an overview of how to add security to your Akula apps, and includes the following sections:

Security design considerations

When designing your app, consider the following security issues:

  • What mechanism will you use to store user credentials?

    The Akula Server requires an external mechanism, called a realm, for managing user credentials such as usernames and passwords, and for storing information about user groups. One of your first decisions is which system to connect to the Akula Server to serve as your realm. For example, Akula provides support for using an Active Directory server to manage user credentials and user groups. Alternatively, you can use a JDBC or SQLite database, or create a custom connector to use an LDAP server or other mechanism.

  • What permissions are associated with an endpoint on an app scope?

    An endpoint corresponds to a URL paired with an HTTP access method, such as GET, PUT, POST, or DELETE. When you define an endpoint as part of creating an Akula app scope, you associate permissions with the endpoint. That association specifies the permissions that a user must have to access the endpoint. Each endpoint, and each HTTP access method to an endpoint, can define its own unique set of permissions.

  • Which role can access an endpoint?

    In Akula, authorization is role based, where a role is associated with one or more user groups and one or more permissions. Therefore, all users in a group have all of the permissions associated with the role that contains the group. For example, you define two roles: sales and sales_managers. All users in a group in the sales role could then have read-only access (HTTP GET) to an endpoint. However, all users in a group in the sales_managers role can have read and write access (HTTP GET and HTTP PUT) to the endpoint.

  • Will you use SSL to secure data sent to and from the Akula Server?

    SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a client, such as a client browser or other type of client app. An encrypted link ensures that all data passed between the web server and client remains private. The Akula Server and Akula client apps support both HTTP requests and HTTPS requests using SSL.

  • Will a JavaScript client app support cross-origin requests?

    A client app written using the Akula Client SDK for JavaScript runs in a browser on a mobile device. Browsers enforce a same-origin policy, which means that a script running on a page served from one site is only allowed to access scripts on other pages served from that same site; it cannot access a script on a page served from a different site. You can configure the Akula Server to allow cross-origin requests. To do so, you specify the list of sites that are allowed to access the Akula Server from another origin. This technique is referred to as Cross-Origin Resource Sharing (CORS).

These are just some of the security issues that you have to take into consideration when building secure mobile apps.
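As an added example (not Akula's own code or configuration format), the following Python models the authorization rules described above: roles bind realm user groups to permissions, each endpoint (HTTP method plus URL) declares the permissions it requires, and a request is allowed only when the union of the user's role permissions covers that set. The role, group, permission and endpoint names are constructed for the sales / sales_managers scenario.

```python
# Added illustration of the role-based model: roles bind user groups to
# permissions; endpoints (HTTP method + path) declare required permissions.
# All role, group, permission and endpoint names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    groups: frozenset       # user groups (from the realm) that hold this role
    permissions: frozenset  # permissions granted to every user in those groups


class AuthorizationPolicy:
    def __init__(self):
        self.roles = []
        # (HTTP method, path) -> permissions a user must hold; one entry per method
        self.endpoint_permissions = {}

    def add_role(self, role):
        self.roles.append(role)

    def require(self, method, path, *permissions):
        self.endpoint_permissions[(method.upper(), path)] = frozenset(permissions)

    def permissions_for(self, user_groups):
        """Union of the permissions of every role that contains one of the user's groups."""
        granted = set()
        for role in self.roles:
            if role.groups & set(user_groups):
                granted |= role.permissions
        return granted

    def is_allowed(self, user_groups, method, path):
        required = self.endpoint_permissions.get((method.upper(), path))
        if required is None:
            return False  # method/endpoint pair never registered: deny by default
        return required <= self.permissions_for(user_groups)


def build_example_policy():
    """The sales / sales_managers scenario from the text (constructed names)."""
    policy = AuthorizationPolicy()
    policy.add_role(Role("sales", frozenset({"sales_east", "sales_west"}),
                         frozenset({"customers:read"})))
    policy.add_role(Role("sales_managers", frozenset({"sales_mgmt"}),
                         frozenset({"customers:read", "customers:write"})))
    policy.require("GET", "/customers", "customers:read")   # read-only for sales
    policy.require("PUT", "/customers", "customers:write")  # write needs manager role
    return policy
```

Because permissions are keyed per method, a DELETE on the same path is denied for everyone until it is explicitly registered, which mirrors the per-method permission sets the text describes.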

Steps to adding security to your apps

To add security:

  1. Determine your security realm. The Akula security mechanism requires an external realm that defines a collection of users and groups.

  2. Define the security manager in the AKULA_HOME\global\security_template.xml file. A security manager defines the following information:
    • The realm
    • The session timeout duration for a client login
    • Optionally, a session caching strategy

  3. For each endpoint in the app scope, edit the endpoint_config.xml file to set the permissions required to access it.

  4. Use the Akula Command-line Management Utility to create the security roles for the app scope.

  5. Use the Akula Command-line Management Utility to associate user groups to roles.

  6. Use the Akula Command-line Management Utility to associate permissions with a role. The role that a user group is in, together with the permissions associated with that role, determines which endpoints a user can access.

For more information on applying security

This document contains only an introduction to building secure Akula apps. For detailed information, see: