As part of a successful application-performed authentication operation, you can invoke this method on an unsealed client-principal in order to seal the object using the domain access code you pass as a parameter. Sealing the client-principal begins a login session to assert the identity it represents. You can then pass the sealed object as input to the SECURITY-POLICY:SET-CLIENT( ) method method or the SET-DB-CLIENT function to set the identity for the current ABL session and one or more of its database connections using a single sign-on (SSO) operation.
Note: You only need to call the SEAL( ) method if your ABL application successfully performs its own authentication of the user’s credentials and therefore needs to initialize and seal a client-principal to represent the authenticated user identity and begin a user login session. The domain that you use to initialize the client-principal is typically configured with either the built-in _extsso authentication system or a user-defined authentication system that is enabled for SSO-only operations to validate and set a user identity.
For all other supported authentication systems, such as _oeusertable, _oslocal, or user-defined authentication systems that are enabled for user authentication using an ABL authentication plugin, you can pass an appropriately initialized unsealed client-principal object directly as input to the SET-CLIENT( ) method or SET-DB-CLIENT function to authenticate the identity, seal the client-principal object, create the login session, and set the identity for the ABL session or database connection in a single user authentication operation.You can seal a client-principal object only once per user login session. You can then use the VALIDATE-SEAL( ) method to validate the seal whenever necessary.
Return type:
Applies to:
SEAL ( domain-access-code )
Caution: The sealed client-principal created by this method is not usable if no trusted domain registry contains the same combination of domain name and access code.
Also, note that given any client-principal that is sealed with it, this domain access code provides session and database access when validated using a single sign-on (SSO) operation against a trusted domain registry that contains a matching domain with the same access code. Therefore, Progress Software corporation strongly recommends that you take steps to hide or otherwise protect the domain access code in your ABL code from access (hacking) by unauthorized users.If successful, this method returns TRUE. The method also sets the SEAL-TIMESTAMP attribute with the time stamp for when the client-principal object was sealed, and sets the LOGIN-STATE attribute to "LOGIN". If not successful, the method returns FALSE.The method also checks the LOGIN-EXPIRATION-TIMESTAMP attribute. If the client-principal object expires before you can seal it, the AVM sets the LOGIN-STATE attribute to "EXPIRED" and the method returns FALSE.
DEFINE VARIABLE hCP AS HANDLE NO-UNDODEFINE VARIABLE key AS CHARACTER NO-UNDO.DEFINE VARIABLE lResult AS LOGICAL NO-UNDO.. . .CREATE CLIENT-PRINCIPAL hCp.. . .lResult = hCP:SEAL(key).
Note: You typically call this method on an unsealed client-principal object in the INITIAL state only as a result of a successful application-performed user authentication in order to seal the object in the LOGIN state. If you want to invalidate an unsealed client-principal object in the INITIAL state because the identity it represents has failed an application-performed user authentication operation, call the AUTHENTICATION-FAILED( ) method, which seals the client-principal in the FAILED state. If you want to invalidate, and terminate the login session for, a sealed client-principal object that is in the LOGIN state, call the LOGOUT( ) method, which sets the sealed client-principal to the LOGOUT state.
© 2013 Progress Software Corporation and/or its subsidiaries or affiliates. |