
Mobile Security Model


Introduction

This article explains the security model that mobile applications follow.

Application

Mobile-Application-form.png

Each mobile application is represented in the backend by a Form. This Form is somewhat virtual, in the sense that it is not intended to be included in the ERP menu and opened from there (though that could be done if the Java class implementing it is a Servlet).

The purpose of this form is to have a securable object in the backend: roles with access to this form have login access to the mobile application. To grant access to a Role, follow the instructions in the Role documentation.

Securable Objects

The remaining objects of the application are secured through preferences; the developer decides the level of granularity.

The preferences that secure the mobile application's objects are defined by the System Administrator in the Reference window - Property Configuration record - List Reference tab.

Mobile-security-preferences.png

Once the preference is defined, roles are assigned to it from the Preference window.

In the client, permission is checked with:

 
OB.MobileApp.model.hasPermission('preferenceSearchKey');

It returns true if there is permission for the preferenceSearchKey property, and false otherwise.
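An added example (not Openbravo code) of gating securable objects on hasPermission with a deny-by-default rule. The OB stub, the preference search keys and the action names are constructed assumptions; only hasPermission(searchKey) comes from this page.

```javascript
// Constructed stand-in for the application's model so the snippet runs
// outside the mobile client. Only hasPermission(searchKey) is from the page.
const OB = {
  MobileApp: {
    model: {
      // Constructed: preference search keys assigned to the logged-in role.
      _granted: new Set(['WH_Picking', 'WH_Inventory']),
      hasPermission(key) { return this._granted.has(key); }
    }
  }
};

// Hypothetical securable objects. Each one names the preference that guards it.
const ACTIONS = [
  { name: 'picking', permission: 'WH_Picking' },
  { name: 'inventory', permission: 'WH_Inventory' },
  { name: 'adjustStock', permission: 'WH_AdjustStock' }, // not granted
  { name: 'debugPanel' }                                 // no key declared
];

// Deny by default: an action with no preference key, a check that throws,
// or a result that is not strictly true all count as "no permission".
function isAllowed(action, model) {
  if (!action || typeof action.permission !== 'string' || action.permission === '') {
    return false;
  }
  try {
    return model.hasPermission(action.permission) === true;
  } catch (e) {
    return false;
  }
}

// Names of the actions the UI should offer to the current role.
function visibleActions(actions, model) {
  return actions.filter(a => isAllowed(a, model)).map(a => a.name);
}

console.log(visibleActions(ACTIONS, OB.MobileApp.model));
```

A client-side check like this decides what the UI shows; it does not by itself protect data that a backend request would return.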

Typically, the securable objects are:

Login Page

Mobile-login-page.png

The Mobile Applications Login Page consists of a left panel, which shows all the users with access to the application (with their image if present), and a right panel for entering user and password.

LoginUtilsServlet

The users in the left panel are retrieved by the servlet pointed to by the loginUtilsUrl terminal model property.

The default org.openbravo.mobile.core.login.MobileCoreLoginUtilsServlet should be extended in order to provide the correct list of users that can log in to the current application.

In most cases, the Servlet extending the base one just needs to override the getModuleId method:

 
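import org.openbravo.mobile.core.login.MobileCoreLoginUtilsServlet;

public class WarehouseLoginUtilsServlet extends MobileCoreLoginUtilsServlet {
  // Module id of this mobile application
  @Override
  protected String getModuleId() {
    return WarehouseConstants.MODULE_ID;
  }
}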

This Servlet is invoked with the following commands:

LoginHandler

This is the servlet in charge of validating both user and password. If they are valid, it creates the session.

The servlet used is the one whose mapping is pointed to by loginHandlerUrl. See the terminal model property.

By default this is org.openbravo.mobile.core.login.MobileCoreLoginHandler, which in most cases does not need to be extended.

Extending MobileCoreLoginUtilsServlet or MobileCoreLoginHandler


To extend MobileCoreLoginUtilsServlet or MobileCoreLoginHandler follow the next steps:


This page was last modified on 13 October 2015, at 07:40. Content is available under Creative Commons Attribution-ShareAlike 2.5 Spain License.