Visual Guard is a security solution for PowerBuilder and PowerServer applications. It adds authentication, authorization management, and security auditing features.
This guide explains how to integrate your application with Visual Guard and implement these features without coding.
Before making changes to the PowerBuilder client app, let's follow the steps below to make sure 1) the PowerBuilder application can run successfully, 2) the app has been deployed as an installable cloud app successfully, and 3) the PowerServer C# solution has been successfully generated.
In this tutorial, we will take Sales Demo as an example.
Step 1: Select Windows Start | Appeon PowerBuilder 2022, and then right-click Example Sales App and select More | Run as administrator.
Step 2: When the Sales Demo workspace is loaded in the PowerBuilder IDE, click the Run button in the PowerBuilder toolbar.
Step 3: When the application main window is opened, click the Address icon in the application ribbon bar and make sure data can be successfully retrieved.
Step 4: Create and configure a PowerServer project for the Sales Demo app (detailed instructions are provided in Quick Start > Guide 1).
IMPORTANT: In the .NET Server page > Advanced tab, select Use built-in OAuth Server from the Auth Template list box.
Step 5: Deploy the application as an installable cloud app. The PowerServer C# solution is generated, but the installable cloud app cannot run yet because further settings and changes are required, as explained in the subsequent sections.
-
Declare the PowerBuilder application in Visual Guard and configure it – the examples below are based on the Sales Demo app.
-
Configure the Sales Demo app for the Visual Guard Identity Server after declaring the Sales Demo app in Visual Guard, you need to configure it for identity server (OIDC) integration. Please follow the steps below:
a) select a platform for the client application.
b) Specify the type of application under “Primary information”.
c) Define Identity resources (scopes).
d) Define supported grant types.
e) Define secret keys.
-
In Visual Guard Console, select the Sales Demo app, set the permissions and add the PowerServer security.
-
Open the Sales Demo app node.
-
Select “Permissions”, right-click and create a new permission. For instance “CanCreateOrder”.
-
Right click on the permission and select “add PowerServer Security”.
This will load the DataWindows and tables related to this application.
-
-
You can also map DataWindows to business entities/database tables. This allows granting fine-grain authorizations at table level, instead of the DataWindow level.
-
Right click on the Sales Demo app and click “Map PB Components”.
-
Save and Close.
-
-
Assign Authorizations (permissions) to Roles or Permission Sets.
-
Grant roles to Users or User Groups.
a) Edit users to grant/revoke roles.
b) For audit/verification purposes, you can edit users and view their permissions.
Below is a default set of instructions for modifying the PowerBuilder client application. If needed, you can find more options and explanations in the article Integrating Visual Guard with a PowerBuilder application.
Step 1: Add the Visual Guard libraries to the PowerBuilder target and generate the corresponding Visual Guard configuration files.
1) Add the Visual Guard PBLs and DLL in the application.
-
Open the workspace of your project in PowerBuilder.
-
In the solution explorer, expand the workspace node.
-
Right-click the Target node for the workspace and select Properties.
-
In Library List tab, select the following two libraries:
-
Novalys.visualguard.security.pbrt.pbl
This PBL contains the main Visual Guard classes. You should NOT modify the content of this library.
-
Novalys.visualguard.security.pbrte.pbl
The classes included in this PBL can be modified to extend the Visual Guard features.
-
-
Add the following DLL file from the Visual Guard installation folder to \VisualGuardConsole\VG PB Runtime\.
-
Novalys.VisualGuard.Security.pbrt.dll
This DLL file contains the base classes and SSO manager.
-
2) Generate your configuration file (for example, myconfigfile.cfg) for connecting to the Visual Guard Repository.
Step 2: Authenticate user with an existing login window.
// Declare the security manager as global variable
vge_n_cst_vgmanager guo_vgmanager
// Create the security manager
guo_vgmanager = CREATE vge_n_cst_vgmanager
// Declare configuration file with your parameters to connect at Visual Guard Server
guo_vgmanager.of_setconfigfile ("myconfigfile.cfg")
// Declare the trace file if you use tracing action execution in your application
guo_vgmanager.of_settracefile ("mytracefile.log")
// Authenticate a Visual Guard User and load the security data
if isvalid(guo_vgmanager) Then
if guo_vgmanager.of_VerifyUser(VGlogin, VGpassword) > 0 Then
Open(w_Main)
Else
Return
End if
End ifNotes:
-
Besides a classic login/password authentication method, Visual Guard supports other authentication methods for PowerBuilder/PowerServer: you can authenticate users with their Windows account, they can enter their windows credentials manually or use Single Sign-On to access the application automatically; you can implement strong authentication (MFA) and more.
-
You can also enable several authentication methods at the same time, and let users choose one of them when opening the application. The enabled authentication types are specified in the myconfigfile.cfg file.
-
The method VerifyUser will authenticate the user and set the HTTP Request Header. Then, on each request to PowerServer, the Visual Guard Token will be passed as Bearer token with the Authorization Request Header, and will control the resources accessible by the user according to his authorizations.
Step 3: Modify the PowerServer project settings.
Add the configuration file myconfigfile.cfg and the DLL file Novalys.VisualGuard.Security.pbrt.dll to the Files preloaded in uncompressed format section under the Client App page.
Step 4: Save the changes and deploy the PowerServer project (using the "Build & Deploy PowerServer Project" option) so that the above settings can take effect in the installable cloud app.
-
Go to the PowerServer C# solution > ServerAPIs project, add a reference to “Novalys.VisualGuard.Security.PowerServer.dll”. (You can get this DLL file from the Visual Guard Setup or the NuGet website).
-
Edit the ServerAPIs project > Startup.cs file:
1) Comment out this script:
//services.AddPowerServerAuthentication(this.Configuration);
2) Add this script:
//Adds Visual Guard Identity Server authentication/authorization to Power Server. services.AddVGPSIdentityServer(this.Configuration);The scripts will look like this:
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { // Configures the services of the PowerServer AppConfig module services.AddPowerServerAppConfig(this.Configuration, this.HostingEnvironment); // Configures the services of the PowerServer Authentication module //services.AddPowerServerAuthentication(this.Configuration); //Adds Visual Guard Identity Server authentication/authorization to Power Server. services.AddVGPSIdentityServer(this.Configuration); // Configures the services of the PowerServer HealthCheck module services.AddPowerServersHealthChecks(this.Configuration); // Configures the services of the PowerServer Logging module services.AddPowerServerLogging(); // Configures the services of the PowerServer OpenAPI module services.AddPowerServerOpenAPI(); services.AddPowerServerDataProvider(this.GetType().Assembly); } -
Continue editing the Startup.cs file. Add this script to implement the Visual Guard middleware:
//Adds Visual Guard Middleware app.UseVGPSMiddleware();The scripts will look like this:
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app) { app.UsePowerServerPathBase(); if (this.HostingEnvironment.IsDevelopment()) { // Enables the exception page during development. It will list all exceptions for debugging app.UseDeveloperExceptionPage(); // Configures the HTTP request pipeline for the PowerServer OpenAPI module app.UsePowerServerOpenAPI(); } // Adds middleware for redirecting HTTP Requests to HTTPS. //app.UseHttpsRedirection(); // Configures the HTTP request pipeline for the PowerServer Logging module app.UsePowerServerLogging(); app.UseRouting(); // Enables the compression of responses app.UseResponseCompression(); //Adds Visual Guard Middleware app.UseVGPSMiddleware(); // Enables authentication app.UseAuthentication(); // Enables authorization app.UseAuthorization(); // Enables the welcome page app.UseWelcomePage("/"); // Configures the HTTP request pipeline for the PowerServer HealthCheck module app.UsePowerServerHealthChecks(); app.UseEndpoints(endpoints => { // Adds the controller to the HTTP request pipeline endpoints.MapControllers(); }); } -
Configure the ServerAPIs project > AppConfig > AppConfig.json file. You can specify actions to be excluded, Visual Guard Identity Server URI, enable/disable trace, etc.
"VGPSConfiguration": { "ExcludeActions": [ "action1", "action2" ], "IdentityServerUrl": "https://vgidentityserver.azurewebsites.net", "TraceLevel": "Verbose", "VGRACMode": "Silence", "PolicyName": "ServerAPIs" }
