Exports the unsealed or sealed client-principal object as a portable security token with the currently defined property and attribute settings by converting it to a RAW value. You can assign this value to a RAW variable and send it to another ABL session (such as an application server session) or assign it to a field in a secure database. The receiving ABL session can then import the RAW value into another client-principal object using the IMPORT-PRINCIPAL( ) method. Depending on its sealed or unsealed state, you can use the imported object to assert or set the user identity it represents using the SEAL( ) method, SECURITY-POLICY:SET-CLIENT( ) method, or SET-DB-CLIENT function, as appropriate.

Return type: RAW

Applies to: Client-principal object handle

Syntax

EXPORT-PRINCIPAL( )

The client-principal object can be either sealed or unsealed.

Calling this method does not generate an audit event or an audit record.

Notes

  • A typical use case for exporting an unsealed security token is having a client log in by exporting an unsealed client-principal initialized with its asserted user identity to a remote authentication service over a secure connection. The authentication service then imports the client-principal and, after a successful user authentication, seals the client-principal, beginning a user login session. The service might then export and return the sealed client-principal to the requesting client, which imports the object to set its authenticated identity. The service might also cache the exported client-principal in secure storage for a future identity management request.
  • A typical use case for exporting a sealed security token is in a remote authentication service that responds to identity management requests from ABL sessions of an n-tier application. For each request, the authentication service retrieves and imports the sealed client-principal from secure storage that is associated with a given login session key and performs the requested action (such as invoking the LOGOUT( ) method to terminate the user login session). The service then exports the sealed (and changed) client-principal, replacing the previous copy in secure storage and possibly returning it to the requesting ABL session.

See also

IMPORT-PRINCIPAL( ) method, SET-CLIENT( ) method, SET-DB-CLIENT function