If your application performs authentication, there are two basic design options for using a client-principal object:

  • Client authentication — The client session authenticates its own user identity and seals the client-principal object (starting a user login session). Client authentication is most appropriate for a client-server application with limited or no access to an application server. Because sealing requires the domain access code, that secret must be present in the client session, so this option trusts the client code and the machine it runs on.
  • Server authentication — An unsealed client-principal object is initialized with user credentials in the user's client session, then exported to an authentication server (an application server), which authenticates the identity, seals the object (starting a user login session), and returns the sealed client-principal to the user's client (and, on request, to any other application server session in the application) so that it can establish session and database connection identity using SSO. The authentication server typically also manages the logout, termination, and clean-up of the user's login session. Server authentication is most appropriate for a multi-tier application, but it is potentially the most secure authentication option for any ABL application, especially when the authentication server is a locked-down machine on which all server code is protected from access by anyone except a local server administrator. The domain access code then never leaves the server.
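The server-authentication exchange described above, written out as an added ABL example that is not part of the original page. For readability the three roles (client session building the unsealed object, authentication server sealing it, consuming session adopting the identity) are internal procedures of one .p so the flow can be stepped through in a single session; in a real deployment the second procedure runs on the AppServer and the raw token crosses the wire. The domain name `acme`, the access code, the user and password, and the `verifyCredentials` routine are all hypothetical placeholders for whatever identity store the server actually checks against.

```abl
/* Server authentication of a client-principal: client initializes, server
   authenticates and seals, any session then adopts the sealed identity.
   Added example; domain, access code, user and password are made up. */

DEFINE VARIABLE cDomain     AS CHARACTER NO-UNDO INITIAL "acme".
DEFINE VARIABLE cAccessCode AS CHARACTER NO-UNDO INITIAL "hypothetical-domain-secret".
DEFINE VARIABLE rUnsealed   AS RAW       NO-UNDO.
DEFINE VARIABLE rSealed     AS RAW       NO-UNDO.

/* Stand-in for the server's credential check (hypothetical). */
FUNCTION verifyCredentials RETURNS LOGICAL (pcUser AS CHARACTER, pcPwd AS CHARACTER):
    RETURN (pcUser = "jsmith@acme" AND pcPwd = "s3cret").
END FUNCTION.

/* --- Role 1: the user's client session ------------------------------ */
PROCEDURE buildUnsealedPrincipal:
    DEFINE OUTPUT PARAMETER prToken AS RAW NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    CREATE CLIENT-PRINCIPAL hCP.
    /* user-id, unique session-id, no expiration yet, typed password.
       Nothing here is trusted until the server seals it. */
    hCP:INITIALIZE("jsmith@acme", GUID(GENERATE-UUID), ?, "s3cret").
    prToken = hCP:EXPORT-PRINCIPAL().     /* serialized but still unsealed */
    DELETE OBJECT hCP.
END PROCEDURE.

/* --- Role 2: the authentication (application) server --------------- */
PROCEDURE authenticateAndSeal:
    DEFINE INPUT  PARAMETER prUnsealed AS RAW NO-UNDO.
    DEFINE OUTPUT PARAMETER prSealed   AS RAW NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    /* The server alone knows the access code, so only it can seal. When
       no database holding the domain is connected, register it locally. */
    SECURITY-POLICY:REGISTER-DOMAIN(cDomain, cAccessCode, "_oeusertable", "example domain").
    SECURITY-POLICY:LOCK-REGISTRATION().

    CREATE CLIENT-PRINCIPAL hCP.
    IF NOT hCP:IMPORT-PRINCIPAL(prUnsealed) THEN DO:
        DELETE OBJECT hCP.
        RETURN ERROR "malformed client-principal".
    END.
    /* Refuse anything the client sent that is not a fresh, unsealed object. */
    IF hCP:LOGIN-STATE <> "INITIAL" OR hCP:DOMAIN-NAME <> cDomain THEN DO:
        DELETE OBJECT hCP.
        RETURN ERROR "unexpected login state or domain".
    END.
    IF NOT verifyCredentials(hCP:QUALIFIED-USER-ID, hCP:PRIMARY-PASSPHRASE) THEN DO:
        DELETE OBJECT hCP.
        RETURN ERROR "authentication failed".
    END.

    hCP:SEAL(cAccessCode).                /* login session starts here */
    SECURITY-POLICY:SET-CLIENT(hCP).      /* this server session is now jsmith */
    prSealed = hCP:EXPORT-PRINCIPAL().    /* sealed token returned to the client */
    DELETE OBJECT hCP.
END PROCEDURE.

/* --- Role 3: any session receiving the sealed token (SSO) ----------- */
PROCEDURE adoptIdentity:
    DEFINE INPUT PARAMETER prSealed AS RAW NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    CREATE CLIENT-PRINCIPAL hCP.
    IF NOT hCP:IMPORT-PRINCIPAL(prSealed) THEN
        RETURN ERROR "malformed client-principal".
    /* Check the seal against the registered domain before trusting the
       user id; SET-CLIENT also validates it, but fail loudly first. */
    IF NOT hCP:VALIDATE-SEAL(cAccessCode) THEN DO:
        DELETE OBJECT hCP.
        RETURN ERROR "seal does not verify".
    END.
    SECURITY-POLICY:SET-CLIENT(hCP).      /* session identity */
    SET-DB-CLIENT(hCP).                   /* identity on connected databases */
    MESSAGE "Now running as" hCP:QUALIFIED-USER-ID "state" hCP:LOGIN-STATE.
    hCP:LOGOUT().                         /* server-managed end of session */
    DELETE OBJECT hCP.
END PROCEDURE.

/* Main block: run the three roles in order. */
RUN buildUnsealedPrincipal (OUTPUT rUnsealed).
RUN authenticateAndSeal (INPUT rUnsealed, OUTPUT rSealed).
RUN adoptIdentity (INPUT rSealed).
```

The point to take from the example is where the access code lives: `SEAL` and `VALIDATE-SEAL` both need it, so in the server design it is only ever loaded on the authentication server (and on whichever servers must validate), never in the user's client session. The client ships an unsealed object and receives a sealed one back; a client that tampers with the sealed token fails `VALIDATE-SEAL` and `SET-CLIENT`.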