4D v16

About 4D Mobile application security


Once data from 4D database tables exposed through 4D Mobile is integrated into the Wakanda catalog, you need to restrict access to certain "sensitive" resources.

Unlike 4D applications, with Web applications you cannot use the interface to control the data exposed: for example, just because a field is not displayed in the form does not mean that it is inaccessible to the user. HTTP requests and the use of JavaScript can allow malicious users to potentially obtain any information from an insufficiently protected Web server.

The purpose of this section is not to list every security measure to take with 4D Mobile applications, but to give you some leads for securing the exposed data at a minimum level.

  • Control 4D Mobile exposure on the 4D side: Each table, attribute and method can be exposed (or not) through 4D Mobile. Only expose the data and methods that are strictly necessary; for instance, there is no need to expose any unused fields.

  • Protection of exposed data: You must use the security systems provided by Wakanda to control the contents that are accessible by means of browsers. There are several ways to do so (not exclusive):
    • Adjust the scope of the 4D database attributes and methods in Wakanda at the model level (refer to the scope property for attributes or for methods in the Wakanda documentation). In particular, you can set their scope as Public on Server, which means that they can be accessed freely by code run on the server, but they will not be accessible on Web clients. This setting is done in the .js configuration file of the external model (see Modifying the external file).
    • Use calculated attributes: calculated attributes work like standard attributes but their values are returned by specific functions (onGet, onSet...) that are executed when accessing the fields. This means that you can expose only the necessary calculated attributes without exposing the fields of the 4D database. Access to the 4D fields is performed from the Wakanda server in a secure manner.
      You can add calculated fields in the .js configuration file of the external model (see Modifying the external file). For more information, refer to the Attributes page of the Wakanda documentation.
    • Combine extended datastore classes and restricting queries: this powerful concept lets you control not only the attributes exposed but also the data that they can display. Extending a datastore class means creating a copy (the derived class) that you can alter by adding calculated attributes or by deleting existing attributes. You can also associate a restricting query with it: in this case, any access to the data of the derived class automatically triggers this query, which returns only the records matching the criteria. This principle allows you to relate the data with the user connected to the Wakanda server. For example, in the context of a sales database, the query returns all the customers related to the current salesperson. Of course, only the derived class can be accessed by Web clients.
      You can create extended datastore classes and add restricting queries in the .js configuration file of the external model (see Modifying the external file). For more information, refer to the Programming Restricting Queries page of the Wakanda documentation.

    Note: The following minimum configuration is required to support restricting queries in 4D Mobile:
    - 4D and 4D Server v14.1
    - Wakanda Enterprise Server v8
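
The three controls above (scope, calculated attributes, and a derived class with a restricting query), modelled in plain JavaScript as an added example. It is not 4D or Wakanda code and does not use the Wakanda model API; the class layout, `clientRead`, `unprotectedRead`, the session object and the sample rows are all hypothetical.

```javascript
// Plain-JavaScript model of the concepts only; NOT the Wakanda model API.
// Every name below is hypothetical and the rows are constructed sample data.
const CUSTOMERS = [
  { id: 1, name: "Acme", salesperson: "alice", creditLimit: 50000 },
  { id: 2, name: "Birch", salesperson: "bob", creditLimit: 8000 },
  { id: 3, name: "Cedar", salesperson: "alice", creditLimit: 12000 },
];

// Derived class as seen by Web clients.
const myCustomers = {
  attributes: {
    id: { scope: "public" },
    name: { scope: "public" },
    // Stands for the page's "Public on Server": readable by server code only.
    creditLimit: { scope: "publicOnServer" },
  },
  calculated: {
    // Computed on the server from a field the client never receives.
    creditTier: { onGet: (rec) => (rec.creditLimit >= 20000 ? "A" : "B") },
  },
  // Restricting query: applied to every client access, tied to the session.
  restrict: (rec, session) => rec.salesperson === session.user,
};

// What hiding a field in the form amounts to: the full record still goes out.
function unprotectedRead(table) {
  return table.map((rec) => ({ ...rec }));
}

// Server-side enforcement of scope, calculated attributes and restriction.
function clientRead(cls, table, session) {
  if (!session || !session.user) return []; // no identified user, no rows
  return table
    .filter((rec) => cls.restrict(rec, session))
    .map((rec) => {
      const out = {};
      for (const [name, attr] of Object.entries(cls.attributes)) {
        if (attr.scope === "public") out[name] = rec[name];
      }
      for (const [name, attr] of Object.entries(cls.calculated)) {
        out[name] = attr.onGet(rec);
      }
      return out;
    });
}

console.log(clientRead(myCustomers, CUSTOMERS, { user: "alice" }));
```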

 
 

 