Mobile Security Model
Introduction
This article describes the security model that mobile applications follow.
Application
Each mobile application is represented in the backend by a Form. This Form is virtual in the sense that it is not meant to be included in the ERP menu and opened from there (though that is possible if the Java class implementing it is a Servlet).
The purpose of this Form is to have a securable object in the backend: roles with access to this Form have login access to the mobile application. To grant access to a Role, follow the instructions in the Role documentation.
Securable Objects
The rest of the application's objects (the developer decides the level of granularity) are secured through preferences.
The preferences that secure the mobile application objects are defined by the System Administrator in the Reference window, in the Property Configuration record, List Reference tab.
Once a preference is defined, roles are assigned to it from the Preference window.
In the client, permission is checked with:
    OB.MobileApp.model.hasPermission('preferenceSearchKey');
It returns true if the current role has permission for the preferenceSearchKey property and false otherwise. Note that this is a client-side check: it decides what the UI offers, but it cannot stop a user from calling a backend URL directly, so backend processes must enforce the same preference on the server.
Typically, the securable objects are:
- Windows: the security preference is defined on registration.
- Backend processes: secured by extending SecuredJSONProcess and implementing the corresponding getters.
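As an added example (not Openbravo's own code), the following JavaScript shows a fail-closed wrapper around the client-side permission check described above. The object permissionModel is a constructed stand-in for OB.MobileApp.model that exposes only hasPermission; the preference key OBMOBC_SomeWindow, the granted-preference set, and the helper names guardedAction and openWindow are assumptions for the illustration. The point it demonstrates is that anything other than an explicit true (a missing model, a thrown error, a truthy non-boolean) is treated as denied, and that the guarded action is never invoked on denial; the backend process behind the action must still enforce the same preference through SecuredJSONProcess.

```javascript
'use strict';

// Constructed sample: preference search keys granted to the current role.
// In the product these come from the Preference window; the key is hypothetical.
const GRANTED_PREFERENCES = new Set([
  'OBMOBC_SomeWindow',
]);

// Stand-in for OB.MobileApp.model (assumption: only hasPermission is needed here).
const permissionModel = {
  hasPermission(preferenceSearchKey) {
    return GRANTED_PREFERENCES.has(preferenceSearchKey);
  },
};

// Run `action` only if `model` explicitly grants `preferenceSearchKey`.
// Fails closed: a missing model, a model that throws, or any non-true
// return value all count as "denied", and `action` is not called.
function guardedAction(model, preferenceSearchKey, action) {
  let allowed = false;
  try {
    allowed = (model && typeof model.hasPermission === 'function')
      ? model.hasPermission(preferenceSearchKey) === true
      : false;
  } catch (e) {
    allowed = false;
  }
  if (!allowed) {
    return { status: 'denied', preference: preferenceSearchKey };
  }
  return { status: 'ok', preference: preferenceSearchKey, result: action() };
}

// Hypothetical UI action that would open a mobile window.
function openWindow(name) {
  return 'opened ' + name;
}

// Usage: first call is granted, second is denied by the role, third has no model.
const granted = guardedAction(permissionModel, 'OBMOBC_SomeWindow', () => openWindow('SomeWindow'));
const notGranted = guardedAction(permissionModel, 'OBMOBC_OtherWindow', () => openWindow('OtherWindow'));
const noModel = guardedAction(undefined, 'OBMOBC_SomeWindow', () => openWindow('SomeWindow'));
```

Wiring the real model in is a matter of passing OB.MobileApp.model as the first argument; the wrapper's contract is unchanged.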
Login Page
The mobile application login page consists of a left panel that shows all users with access to the application, with their image if present, and a right panel where the user name and password are entered.
LoginUtilsServlet
The users in the left panel are retrieved by the servlet pointed to by the loginUtilsUrl terminal model property.
The default, org.openbravo.mobile.core.login.MobileCoreLoginUtilsServlet, should be extended to provide the correct list of users that can log in to the current application. Because this list (and the user images) is served before any password is entered, it is visible to anyone who can reach the login page, so the extension should return only the users of the application in question.
In most cases the servlet extending the base one only needs to override the getModuleId method:
    public class WarehouseLoginUtilsServlet extends MobileCoreLoginUtilsServlet {
      @Override
      protected String getModuleId() {
        return WarehouseConstants.MODULE_ID;
      }
    }
This servlet is invoked with the following commands:
- preRenderActions: should return the labels in the default language (used at least for rendering the login page) and the default date formats
- companyLogo: returns the image of the company logo
- userImages: returns an array of images of the users that can log in to the application
LoginHandler
This is the servlet in charge of validating the user name and password. If they are valid, it creates the session.
The servlet used is the one whose mapping is pointed to by the loginHandlerUrl terminal model property.
The default is org.openbravo.mobile.core.login.MobileCoreLoginHandler, which in most cases does not need to be extended.
Extending MobileCoreLoginUtilsServlet or MobileCoreLoginHandler
To extend MobileCoreLoginUtilsServlet or MobileCoreLoginHandler, follow these steps:
- Create a new entry in the AD Implementation Mapping window, with:
  - Object Type: Servlet
  - Java Class Name: the Java class that implements the servlet
- Add a Mapping to this entry:
  - Default: true
  - Mapping Name: the URL this servlet will use
- Point the corresponding loginUtilsUrl or loginHandlerUrl property to the Mapping Name
- Generate the web.xml file and deploy the changes:
    ant smartbuild