Web servers support a number of authentication models to manage client access to resources provided by a web application. The JSDO supports the following authentication models, which correspond to the ways that a web application can be protected:

  • Anonymous authentication — No credentials
  • HTTP Basic authentication — Credentials sent with every request, using Basic authentication
  • HTTP Form-based authentication — Credentials sent using Form authentication on the initial request; the authentication token received in response is sent back with each further request.
    Note: As with HTTP Basic, with HTTP Forms it is possible to configure a client app so that, prior to logging in, it opens a protected web page provided by the web application. However, this is an atypical client app configuration. For more information, see Use protected web resources.
CAUTION: Progress recommends that you always use TLS (HTTPS) when logging into a web application. If HTTP is used, credentials are sent as clear text. Using HTTPS is particularly important for Basic authentication because Base64-encoded credentials are sent on every request.

You must know the web server authentication model, the client app type and platform, and how web application resources are protected on the web server. You can then set the authenticationModel property in a JSDOSession object constructor or on an instantiated Session object accordingly. For more information on security considerations for Data Object Services, see the sections on REST application security in OpenEdge Development: Web Services and in the administration documentation for your particular OpenEdge application server.
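
The following check is an added example, not Progress code: it applies the CAUTION above to the options you intend to pass to a JSDOSession constructor, and shows what anyone observing an HTTP Basic request recovers from the Authorization header. The function names, the sample host, and the model strings "anonymous", "basic" and "form" are assumptions made for illustration.

```javascript
// Added example (not part of the JSDO library). The model strings are assumed
// to match the values accepted by the authenticationModel property.
const MODELS = ["anonymous", "basic", "form"];

// Constructed sample: the header a client sends on every request with
// HTTP Basic authentication (user "user1", password "p:w").
const SAMPLE_HEADER = "Basic " + Buffer.from("user1:p:w").toString("base64");

// Base64 is an encoding, not encryption: this is all an observer on a
// clear-text HTTP connection needs to do to read the credentials.
function decodeBasicHeader(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(headerValue.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // first colon separates; passwords may contain ':'
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Returns a list of problems found in the session options; an empty list
// means the options are consistent with the CAUTION above.
function checkSessionOptions(options) {
  const problems = [];
  const model = String(options.authenticationModel || "anonymous").toLowerCase();
  if (!MODELS.includes(model)) {
    problems.push(`unknown authenticationModel: ${model}`);
  }
  let url;
  try {
    url = new URL(options.serviceURI);
  } catch {
    return problems.concat("serviceURI is not an absolute URL");
  }
  if (url.username || url.password) {
    problems.push("credentials are embedded in serviceURI");
  }
  // Basic and Form both transmit credentials, so both need TLS.
  if (url.protocol !== "https:" && model !== "anonymous") {
    problems.push(`${model} authentication over ${url.protocol} sends credentials as clear text`);
  }
  return problems;
}
```

Run the check before constructing the session object and refuse to log in when the returned list is not empty.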

As noted later in this section, OpenEdge provides default web resources with every deployed web application that you can use to help implement a login sequence, or you can define similar web resources of your own. For more information, see Use default web pages to support client app login.