Security.Applications
persistent class Security.Applications extends %Library.Persistent, %XML.Adaptor, %SYSTEM.Help
SQL Table Name: Security.Applications
This class defines the applications for a system. There are three types of applications which can be defined:
1) Web applications: CSP/ZEN and REST
2) Privileged routine applications
3) Doc DB Applications, previously known as Client Application
Depending on the type of application defined (Type property), properties may or may not be relevant to that type of application. See each property description for its relevance for each type of application.
Application names have the following properties:
1) Application names are case insensitive.
2) Maximum length of an application name is 64 characters.
The %Admin Secure:USE permission is required to operate on an application
The table for this class should be manipulated only through object access, the published APIs or through the System Management Portal. It should not be updated through direct SQL access.
Property Inventory
- AutheEnabled
- AutoCompile
- CSPZENEnabled
- CSRFToken
- ChangePasswordPage
- ClientApplications
- CookiePath
- CorsAllowlist
- CorsCredentialsAllowed
- CorsHeadersList
- DeepSeeEnabled
- Description
- DispatchClass
- Enabled
- ErrorPage
- EventClass
- GroupById
- InbndWebServicesEnabled
- IsNameSpaceDefault
- JWTAccessTokenTimeout
- JWTAuthEnabled
- JWTRefreshTokenTimeout
- LockCSPName
- LoginPage
- MatchRoles
- Name
- NameSpace
- Package
- Path
- PermittedClasses
- Recurse
- RedirectEmptyPath
- Resource
- Routines
- ServeFiles
- ServeFilesTimeout
- SessionScope
- SuperClass
- Timeout
- Type
- UseCookies
- UserCookieScope
- WSGIAppLocation
- WSGIAppName
- WSGICallable
- WSGIDebug
- WSGIType
- iKnowEnabled
Method Inventory
- Copy()
- Create()
- Delete()
- Exists()
- Export()
- Get()
- GetClientApplicationHash()
- Import()
- IsDefault()
- IsPublic()
- Modify()
Properties
For CSP Web Application only.
Note that these bits correspond to the same bit numbers in the Security.System class
Bit 2 = AutheK5API
Bit 5 = AuthePassword
Bit 6 = AutheUnauthenticated
Bit 11 = AutheLDAP
Bit 13 = AutheDelegated
Bit 14 = LoginToken
Bit 20 = TwoFactorSMS
Bit 21 = TwoFactorPW
For CSP Web Application only.
If this is turned on, then when a CSP file is more recent than its compiled class,
it is recompiled. This is normally something you would turn on in development environments
and turn off in production environments.
For CSP Web Application only.
When enabled, generate a token and cookie in the login page that is validated before accepting any username/password. Enabling this prevents programmatic access to pages in this application that simply pass the username/password on the initial request. It also prevents the use of the CSPSHARE=1 URL parameter to pass the session token in the URL when cookies are required for the application.
that a password change is required.
For CSP Web Application only.
For CSP Web Application only.
This determines which urls the browser will send the session cookie back to InterSystems IRIS.
If your application name is 'myapp', it defaults to '/myapp/' meaning it will only send
the cookie for pages under '/myapp/'. You should restrict this to only what is required
by your application to prevent this session cookie being used by other CSP applications
on this machine, or from being seen by any other application on this web server.
Set as comma-delimited string with Create() and Modify()
This is an allowlist.
Set as comma-delimited string with Create() and Modify()
For CSP Web Application only.
Corresponds with the Analytics option shown in Management Portal
For all application types.
For all application types.
For CSP Web Application only.
such as a timeout. For CSP Web Application only.
For CSP Web Application only.
Corresponds with the "Inbound Web Services" option shown in Management Portal.
For CSP Web Application only.
If true, then you can only access this CSP page if the url you enter matches the url stored in the CSPURL parameter value in the class. CSP pages have the CSPURL set to the original url requested automatically when they are compiled. If the url does not match, you get a page not found error.
For example, suppose two CSP applications, '/A' and '/B', are defined that both map to the same namespace and the same directory. Viewing '/A/page.csp' loads the page and creates the class 'csp.page' with its CSPURL parameter set to '/A/page.csp'. With this flag set, the page can only be accessed through the url '/A/page.csp'. If the flag is false, it can also be reached as '/B/page.csp', '/A/csp.page.cls' or '/B/csp.page.cls'. Note that the flag is checked on the application associated with the CSPURL parameter, so even if the '/B' application has the flag turned off, a request for '/B/page.csp' gets a page not found error when the '/A' application has it turned on.
If you modify the CSP class and change the CSPURL="" then this disables checking for this page.
For CSP Web Application only.
an authenticated identity and one is not available yet.
For all application types.
MatchRoles are in the format:
MatchRole1:TargetRole1:TargetRole2,MatchRole2:TargetRole3:TargetRole4
To specify a role to always be granted to an application, set MatchRole="", i.e. (:TargetRole1)
For Routine/Database pairs, Routines are in the format:
Routine1:dbname:Flag,Routine2:dbname:Flag
For Client application identification hash, ClientApplications are in the format:
Hash,Hash1,Hash2
Client Applications are in the format AppName.EXE.
Privileged routines can be any format.
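The three list formats above (MatchRoles, Routines and ClientApplications) are the same strings that the Properties array of Create() and Modify() carries. The following is an added example, not code from the class reference or from InterSystems, that parses the MatchRoles and Routines strings into arrays, rejects malformed Routines entries, and rebuilds the MatchRoles string so grants can be edited as a structure and written back. The class name Demo.AppListFormats and every role, routine and database name in the Demo method are made up; because a null string is not a valid local-array subscript, the example stores the "always granted" match role under the sentinel subscript "*".

```objectscript
/// Added example (not part of Security.Applications): parse and rebuild the
/// MatchRoles / Routines list formats. Class and sample values are hypothetical.
Class Demo.AppListFormats
{

/// Parse "Match1:T1:T2,Match2:T3" into out(matchRole,targetRole)="".
/// An empty match role (":T1") means the target is always granted; because ""
/// cannot be a subscript, such grants are stored under "*". Returns the pair count.
ClassMethod ParseMatchRoles(spec As %String, Output out) As %Integer
{
    Kill out
    Set pairs = 0
    For i=1:1:$Length(spec, ",") {
        Set entry = $Piece(spec, ",", i)
        If entry = "" Continue
        Set match = $Piece(entry, ":", 1)
        If match = "" Set match = "*"
        For j=2:1:$Length(entry, ":") {
            Set target = $Piece(entry, ":", j)
            If target '= "" Set out(match, target) = "", pairs = pairs + 1
        }
    }
    Quit pairs
}

/// Rebuild the MatchRoles string from the array produced by ParseMatchRoles.
/// "*" sorts before letters, so unconditional grants come out first.
ClassMethod BuildMatchRoles(ByRef in) As %String
{
    Set spec = "", match = ""
    For {
        Set match = $Order(in(match))
        Quit:match=""
        Set entry = $Select(match = "*": "", 1: match), target = ""
        For {
            Set target = $Order(in(match, target))
            Quit:target=""
            Set entry = entry _ ":" _ target
        }
        Set spec = spec _ $Select(spec = "": "", 1: ",") _ entry
    }
    Quit spec
}

/// Parse "Routine1:dbname:Flag,..." (Flag 0 = routine, 1 = class) into
/// out(n)=$lb(name,db,flag). A malformed entry returns an error status
/// instead of being silently dropped.
ClassMethod ParseRoutines(spec As %String, Output out) As %Status
{
    Kill out
    Set out = 0
    For i=1:1:$Length(spec, ",") {
        Set entry = $Piece(spec, ",", i)
        If entry = "" Continue
        If $Length(entry, ":") '= 3 Return $$$ERROR($$$GeneralError, "malformed Routines entry: " _ entry)
        Set flag = $Piece(entry, ":", 3)
        If (flag '= 0) && (flag '= 1) Return $$$ERROR($$$GeneralError, "Flag must be 0 or 1: " _ entry)
        Set out($Increment(out)) = $ListBuild($Piece(entry, ":", 1), $Piece(entry, ":", 2), flag)
    }
    Return $$$OK
}

/// Demo with constructed input (hypothetical role, routine and database names).
ClassMethod Demo()
{
    Set spec = ":DemoApiUser,%Developer:DemoApiAdmin:DemoApiUser"
    Set n = ..ParseMatchRoles(spec, .m)
    Write n, " grants; always granted:"
    Set r = ""
    For { Set r = $Order(m("*", r)) Quit:r=""  Write " ", r }
    Write !, "rebuilt: ", ..BuildMatchRoles(.m), !
    Set sc = ..ParseRoutines("DEMOAPP:DEMODB:0,Demo.Service:DEMODB:1", .routines)
    Write $Select($$$ISOK(sc): routines _ " routine entries parsed", 1: $System.Status.GetErrorText(sc)), !
    Set sc = ..ParseRoutines("DEMOAPP:DEMODB", .routines)     // missing Flag -> error status
    Write $System.Status.GetErrorText(sc), !
}

}
```

Run it with Do ##class(Demo.AppListFormats).Demo(). The reason to parse rather than string-search: an unconditional grant is identified by an empty first piece, and a role such as %All can appear as the second or third target of an entry, so a naive $Find on ":%All" would miss or mis-attribute it.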
For CSP Web Application only.
For CSP Web Application only.
If not specified it defaults to "csp".
For CSP Web Application only.
For CSP Web Application only.
This is a COS pattern, (1"B",1"A".1N) match {B.cls, A0.cls ... A9.cls}
For CSP Web Application only.
If WPath is the Web Path and PPath is the Physical Path, then with recurse turned on,
WPath/xxx/yyy will look in PPath/xxx/yyy. If recurse is turned off, only files directly
contained in WPath are used.
For REST Web Application only.
For example, if the request is for WPath/csp/appname and the app /csp/appname/
has this property enabled, then instead of serving the request with the next level down
(csp, if it exists), the request will be served by /csp/appname/.
For all application types.
If no resource is defined, then it is a public application which anyone can run.
For Privileged Routine Applications only.
These are in the format Routine/Class:dbname:Flag, where dbname is the name of the database where the routine resides; Flag=0 is a routine, Flag=1 is a class name.
For CSP Web Application only.
This also allows the stream server to serve files from this path.
0 - No - Never serve files from this application path
1 - Always - Always serve files from this application path, ignore CSP security setting for this path for static files. This is the default for new applications as it is backward compatible with serving files from the web server.
2 - Always and cached - Always serve files from this application path and allow the CSP gateway to cache these files to avoid having to request them from InterSystems IRIS. This is the mode we expect deployed applications to use.
3 - Use CSP security - If the user has permissions to view a csp/cls page in this application then allow them to view a static file, if they do not have permissions to view a csp/cls page then return a 404 page not found page.
For CSP Web Application only.
For REST and CSP Web Application only.
This setting affects whether session cookies are sent for cross-site requests.
The default setting for a new application is Strict.
0 - None - Send cookie with cross-site requests.
1 - Lax - Send cookie with top-level cross-site navigation.
2 - Strict - Do not send cookie with cross-site requests. Default.
For CSP Web Application only.
If blank, it defaults to %CSP.Page.
For CSP Web Application only.
Bit 0 = System Application - Reserved
Bit 1 = CSP/REST Web Application (Default)
Bit 2 = Privileged routine application
Bit 3 = DocDB/Client Application
For REST and CSP Web Application only.
You can set this on a per-application basis. It does NOT affect the user's use of
cookies in their application, simply how the session is managed. The available
options are:
'Never' use cookies - This will just use the CSPCHD parameter to persist the session
state from page to page and will not send a cookie to the browser at all.
'AutoDetect' (the default) - This will start by sending the cookie to the browser and
also including the CSPCHD parameter in all the links and forms. Then when the user clicks
on the next link if the browser accepted the cookie it will switch to the 'Always'
mode and turn off the use of the CSPCHD parameters. If the browser did not accept
the cookie it will turn into the 'Never' mode.
'Always' use cookies - Do not include the CSPCHD parameter. Default.
0 = Never, 1 = AutoDetect, 2 = Always
For REST and CSP Web Application only.
This setting affects whether session cookies are sent for cross-site requests.
Users can override the default by specifying the SameSite value in their SetCookie call.
0 - None - Send cookie with cross-site requests.
1 - Lax - Send same-site cookies with top-level cross-site navigation.
2 - Strict - Do not send same-site cookies with cross-site requests. Default.
Methods
Copy an existing application in the Security database to a new one.
Parameters:
Name - Name of the Application to be copied
NewName - Name of the Application to be created
NewDescription - Description of the new application
Create an Application in the Security database.
For all application types.
Parameters:
Name - Name of the application to create
Properties - Array of properties to set.
Properties only need to be defined if required for that type of application. Properties are in the format defined by the property definitions for the class with the following exceptions:
"MatchRoles" - MatchRole/TargetRoles pairs to assign to the application
MatchRoles are in the format:
MatchRole1:TargetRole1:TargetRole2,MatchRole2:TargetRole3:TargetRole4
"Routines" - Routine/Database pairs
Routines are in the format:
Routine1:dbname:Flag,Routine2:dbname:Flag
"ClientApplications" - Client application identification hash
ClientApplications are in the format:
Hash,Hash1,Hash2
    Kill prop
    Set prop("AutheEnabled") = authenticationType   // bitmask, see the AutheEnabled property
    Set prop("DispatchClass") = dispatch             // REST dispatch class
    Set prop("NameSpace") = namespace
    Set name = xxx                                   // application name, e.g. "/csp/myapp"
    Set sc = ##class(Security.Applications).Create(name, .prop)
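The call above sets only the properties needed to make the application exist. The following added example, which is not code from the class reference or from InterSystems, creates (or, if it already exists, modifies) a REST web application with the restrictive values of the security-relevant properties documented on this page: password-only authentication, a Resource so the application is not public, a single unconditional MatchRoles grant, CSRFToken on, cookies only, a narrow CookiePath, Strict SameSite scopes, ServeFiles governed by CSP security, and AutoCompile off. The application name /csp/demo-api, the dispatch class Demo.REST.Dispatch, the resource DemoApiRes, the role DemoApiUser and the namespace USER are hypothetical, and the example assumes that resource and role already exist.

```objectscript
/// Added example (not part of Security.Applications): define a REST web
/// application with hardened settings. All names are hypothetical; the
/// resource DemoApiRes and role DemoApiUser are assumed to exist already.
Class Demo.AppSetup
{

ClassMethod CreateHardenedRestApp() As %Status
{
    New $Namespace
    Set $Namespace = "%SYS"                 // Security.* classes are used from %SYS
    Set name = "/csp/demo-api"
    Kill props
    Set props("Type") = 2                    // bit 1 = CSP/REST web application
    Set props("NameSpace") = "USER"
    Set props("DispatchClass") = "Demo.REST.Dispatch"
    Set props("Description") = "Demo REST API (hardened settings)"
    // Bit 5 (32) = password only. Bit 6 (64, unauthenticated) is deliberately not set.
    // The same bit must also be enabled system-wide in Security.System.
    Set props("AutheEnabled") = 32
    Set props("Resource") = "DemoApiRes"     // any Resource makes the application non-public
    Set props("MatchRoles") = ":DemoApiUser" // empty match role = always grant DemoApiUser, nothing else
    Set props("CSRFToken") = 1               // login page token/cookie check
    Set props("UseCookies") = 2              // Always: never carry the session in the CSPCHD URL parameter
    Set props("CookiePath") = "/csp/demo-api/" // cookie is not sent to other applications on this server
    Set props("SessionScope") = 2            // Strict: session cookie not sent cross-site
    Set props("UserCookieScope") = 2         // Strict default for cookies the application sets itself
    Set props("ServeFiles") = 3              // static files only for users who may view a page here
    Set props("AutoCompile") = 0             // production: no on-demand CSP recompilation
    Set props("Recurse") = 0
    Set props("Enabled") = 1
    If ##class(Security.Applications).Exists(name) {
        Set sc = ##class(Security.Applications).Modify(name, .props)
    } Else {
        Set sc = ##class(Security.Applications).Create(name, .props)
    }
    If $$$ISERR(sc) Write $System.Status.GetErrorText(sc), !
    Quit sc
}

}
```

Run it with Set sc = ##class(Demo.AppSetup).CreateHardenedRestApp() from a session holding %Admin_Secure:USE. The Exists()/Modify() branch keeps the method idempotent so it can be part of a repeatable deployment script; Modify() accepts the same Properties array as Create().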
This method will delete an application from the security database.
For all application types.
Parameters:
Name - Name of application to delete
This method checks for the existence of an application in the security database.
For all application types.
Parameters:
Name - Name of the application to check existence of
Return values:
If Value of the method = 0 (Application does not exist, or some error occurred)
Application = Null
Status = Application "x" does not exist, or other error message
If Value of the method = 1 (Application exists)
Application = Object handle to application
Status = $$$OK
For all application types.
Parameters:
FileName - Output file name
NumExported (byref) - Returns number of records exported
Applications - Comma separated list of Applications to export, "*" = All
Type - Bitmap describing the type of applications to export, -1 = all
Bit 0 = System Application - Reserved
Bit 1 = CSP/REST Web Application
Bit 2 = Privileged routine application
Bit 3 = Client/DocDB Application
Gets an applications properties from the security database.
For all application types.
Parameters:
Name - Name of the application to get
Return values:
Properties - See the Create method for more information on properties returned
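Get() returns the whole Properties array, which makes it the natural basis for a configuration audit. The following is an added example, not code from the class reference or from InterSystems: it decodes the AutheEnabled bitmask using the bit numbers listed for that property, then flags the settings a reviewer would question (unauthenticated access, no Resource, an unconditional %All grant in MatchRoles, and for web applications CSRFToken off, UseCookies=Never, SessionScope=None, CookiePath set to "/", ServeFiles=Always and AutoCompile on). The class name Demo.AppAudit, the application names in the usage line and the choice of what counts as a finding are the example's own.

```objectscript
/// Added example (not part of Security.Applications): read an application's
/// properties with Get() and flag weak settings. Class name and the finding
/// rules are this example's own choices, not anything the class enforces.
Class Demo.AppAudit
{

/// Names for the AutheEnabled bit numbers listed in the class reference;
/// bit n corresponds to the value 2**n.
ClassMethod AutheNames(mask As %Integer) As %String
{
    Set bit(2) = "K5API", bit(5) = "Password", bit(6) = "Unauthenticated", bit(11) = "LDAP"
    Set bit(13) = "Delegated", bit(14) = "LoginToken", bit(20) = "TwoFactorSMS", bit(21) = "TwoFactorPW"
    Set names = "", b = ""
    For {
        Set b = $Order(bit(b))
        Quit:b=""
        If $ZBoolean(mask, 2 ** b, 1) Set names = names _ $ListBuild(bit(b))
    }
    Quit $ListToString(names, "+")
}

/// Findings for one application as a $List; an empty list means nothing was flagged.
ClassMethod Findings(name As %String) As %List
{
    New $Namespace
    Set $Namespace = "%SYS"
    Set sc = ##class(Security.Applications).Get(name, .p)
    If $$$ISERR(sc) Quit $ListBuild("Get failed: " _ $System.Status.GetErrorText(sc))
    Set f = ""
    Set mask = +$Get(p("AutheEnabled"))
    If $ZBoolean(mask, 64, 1) Set f = f _ $ListBuild("unauthenticated access allowed (AutheEnabled=" _ mask _ " = " _ ..AutheNames(mask) _ ")")
    If $Get(p("Resource")) = "" Set f = f _ $ListBuild("public application: no Resource defined")
    // An entry whose first piece is empty is granted unconditionally; look for %All among its targets.
    Set mr = $Get(p("MatchRoles"))
    For i=1:1:$Length(mr, ",") {
        Set entry = $Piece(mr, ",", i)
        If ($Piece(entry, ":", 1) = "") && $ListFind($ListFromString(entry, ":"), "%All") Set f = f _ $ListBuild("MatchRoles grants %All unconditionally")
    }
    If $ZBoolean(+$Get(p("Type")), 2, 1) {      // bit 1 = CSP/REST web application
        If +$Get(p("CSRFToken")) = 0 Set f = f _ $ListBuild("CSRFToken off: login page accepts credentials without a token")
        If +$Get(p("UseCookies")) = 0 Set f = f _ $ListBuild("UseCookies=Never: session token travels in the CSPCHD URL parameter")
        If +$Get(p("SessionScope")) = 0 Set f = f _ $ListBuild("SessionScope=None: session cookie sent with cross-site requests")
        If $Get(p("CookiePath")) = "/" Set f = f _ $ListBuild("CookiePath=/: session cookie visible to every application on this web server")
        If +$Get(p("ServeFiles")) = 1 Set f = f _ $ListBuild("ServeFiles=Always: static files ignore CSP security")
        If +$Get(p("AutoCompile")) = 1 Set f = f _ $ListBuild("AutoCompile on: development setting")
    }
    Quit f
}

/// Audit a comma-separated list of application names; returns how many were flagged.
ClassMethod Report(names As %String) As %Integer
{
    Set flagged = 0
    For i=1:1:$Length(names, ",") {
        Set name = $Piece(names, ",", i), f = ..Findings(name)
        If f = "" Write name, ": ok", ! Continue
        Set flagged = flagged + 1
        Write name, ":", !
        For j=1:1:$ListLength(f) Write "  - ", $List(f, j), !
    }
    Quit flagged
}

}
```

Usage: Set n = ##class(Demo.AppAudit).Report("/csp/demo-api,/csp/demo-portal"). The bit test is done with $ZBoolean(mask, 2**n, 1) (bitwise AND) rather than string comparison so that combined masks such as 96 (password plus unauthenticated) are decoded correctly; a non-zero result for bit 6 is the finding that matters most, because with that bit set the Resource and MatchRoles settings no longer gate who can reach the application.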
Parameters:
FileName - Filename to import Application records from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported
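A practical use of the count-only flag is to verify a backup of the application definitions before changing them. The following is an added example, not code from the class reference or from InterSystems: it exports every web application (Type bitmap 2, bit 1) with Export(), then calls Import() with Flags=1 so the file is parsed and counted but nothing is written, and compares the two counts. The class name Demo.AppBackup and the file path are hypothetical.

```objectscript
/// Added example (not part of Security.Applications): export the web
/// application definitions and verify the file with a count-only Import.
/// Class name and default file path are hypothetical.
Class Demo.AppBackup
{

ClassMethod ExportAndVerify(file As %String = "/tmp/apps-backup.xml") As %Status
{
    New $Namespace
    Set $Namespace = "%SYS"
    // "*" = all application names; Type=2 selects only bit 1 (CSP/REST web applications)
    Set sc = ##class(Security.Applications).Export(file, .exported, "*", 2)
    If $$$ISERR(sc) Quit sc
    // Flags=1 sets bit 0: parse the file and return the record count without importing
    Set sc = ##class(Security.Applications).Import(file, .counted, 1)
    If $$$ISERR(sc) Quit sc
    If counted '= exported Quit $$$ERROR($$$GeneralError, "export wrote " _ exported _ " records but the file holds " _ counted)
    Write exported, " web application definitions written to ", file, !
    Quit $$$OK
}

}
```

The exported file describes the authentication and role grants of every web application on the instance, so store it with the same access controls as the rest of the security configuration. Because Import() imports nothing on failure, a later restore is all-or-nothing, which is why the count check is done up front rather than after the fact.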
Modify an existing application's properties in the security database.
Parameters:
Name - Name of the application to modify
Properties - Array of properties to modify.
See the Create() method for a description of the Properties parameter.
Queries
Names - Comma separated list of application names, "*" = All
Type - Bitmap describing the type of application, -1 = all
Bit 0 = System Application - Reserved
Bit 1 = CSP Application
Bit 2 = Privileged routine application
Bit 3 = Client Application
Note: This query may change in future versions
Names - Comma separated list of application names, "*" = All
Type - Bitmap describing the type of application, -1 = all
Bit 0 = System Application - Reserved
Bit 1 = CSP Application
Bit 2 = Privileged routine application
Bit 3 = Client Application
Note: This query may change in future versions
Indexes
Inherited Members
Inherited Methods
- %%CLASSNAMELogicalToStorage()
- %%CLASSNAMEStorageToLogical()
- %AddToSaveSet()
- %AddToSyncSet()
- %BMEBuilt()
- %BuildIndicesAsync()
- %BuildIndicesAsyncResponse()
- %CheckConstraints()
- %CheckConstraintsForExtent()
- %ClassIsLatestVersion()
- %ClassName()
- %ComposeOid()
- %ConstructClone()
- %Delete()
- %DeleteExtent()
- %DeleteId()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Exists()
- %ExistsId()
- %Extends()
- %GUID()
- %GUIDSet()
- %GetLock()
- %GetParameter()
- %GetSwizzleObject()
- %Id()
- %InsertBatch()
- %IsA()
- %IsModified()
- %IsNull()
- %KillExtent()
- %KillExtentData()
- %LoadFromMemory()
- %LockExtent()
- %LockId()
- %New()
- %NormalizeObject()
- %ObjectIsNull()
- %ObjectModified()
- %Oid()
- %OnBeforeAddToSync()
- %OnDeleteFinally()
- %OnDetermineClass()
- %OnOpenFinally()
- %OnSaveFinally()
- %Open()
- %OpenId()
- %OriginalNamespace()
- %PackageName()
- %PhysicalAddress()
- %PurgeIndices()
- %Reload()
- %RemoveFromSaveSet()
- %ResolveConcurrencyConflict()
- %RollBack()
- %Save()
- %SaveDirect()
- %SaveIndices()
- %SerializeObject()
- %SetModified()
- %SortBegin()
- %SortEnd()
- %SyncObjectIn()
- %SyncTransport()
- %UnlockExtent()
- %UnlockId()
- %ValidateIndices()
- %ValidateObject()
- %ValidateTable()
- Help()
- XMLDTD()
- XMLExport()
- XMLExportToStream()
- XMLExportToString()
- XMLNew()
- XMLSchema()
- XMLSchemaNamespace()
- XMLSchemaType()
Storage
Storage Model: Storage (Security.Applications)
^|$$$SecurityMapApplications|SYS("Security","ApplicationsD")(ID) |
= | %%CLASSNAME
AutheEnabled
AutoCompile
ClientApplications
CookiePath
Description
Enabled
ErrorPage
EventClass
HyperEvent
LockCSPName
LoginPage
MatchRoles
Name
NameSpace
Package
Path
Recurse
Resource
Routines
ServeFiles
SuperClass
Timeout
Type
UseCookies
ChangePasswordPage
ServeFilesTimeout
TwoFactorEnabled
CSPZENEnabled
InbndWebServicesEnabled
GroupById
IsNameSpaceDefault
PermittedClasses
DispatchClass
DeepSeeEnabled
iKnowEnabled
CSRFToken
SessionScope
UserCookieScope
Version
RedirectEmptyPath
JWTAuthEnabled
JWTAccessTokenTimeout
JWTRefreshTokenTimeout
WSGIAppName
WSGIAppLocation
WSGICallable
WSGIDebug
WSGIType
CorsAllowlist
CorsCredentialsAllowed
CorsHeadersList
|