This chapter presents some typical security implementations in Servoy applications.

Basic Servoy Authentication 

Practical where the security will be managed by the developer of the application.


Custom Authentication

To allow tenant administrators or 'super users' to administrate users, or when using an external authentication source, custom authentication is required.

Custom authentication allows the developer to use a users table in the database for authentication or access an external authentication directory.

 To use external authentication, most likely a plugin is required.


When first introduced in Servoy, this method of using Login and Authenticator solutions was referred to as Enhanced Security. When looking for any references to this method in other resources (such as the Servoy Forum), try searching for 'Enhanced Security'.

Solution onOpen Method

For almost every implementation of security, the solution should have an onOpen method assigned. This event is triggered right after the authentication process is complete. Some of the functions of this method in regards to security include:

Login Method Example

The code below is an example of a typical custom login method. In this scenario, the login page contains the following form variables:

The tenant is verified during login before actual authentication occurs.

function login(){

	errorMessage = null;

		errorMessage = 'Please specify a user name';
		return false;
		errorMessage = 'Please specify a password';
		return false;

	var tenantID = security.authenticate("myAuthenticator","getTenant",[userName]);
			return true;
		} else {
			errorMessage = "No tenant found. Please check your password";
	errorMessage = 'Login Failed';

Authentication Method Example

The code below is an example of a typical authentication method.

function loginUser(user, password) {
	if (!(user && password)) {
		application.output('Unexpected credentials received', LOGGINGLEVEL.DEBUG);
		return false;
	var authenticated = ... //either query database or use LDAP

	if (authenticated) {
		var ok = security.login(user, user, ['group']) // Assume a group for each department
		application.output('User ' + user + ' authenticated: ' + ok, LOGGINGLEVEL.DEBUG);
		return ok;
	application.output('User ' + user + ' could not be authenticated', LOGGINGLEVEL.DEBUG);
	// Sleep for 3 seconds to discourage brute force attacks
	return false;

When authentication fails, adding a pauze can be useful to discourage brute force password attacks.

Note that there is the option to query the database or get an external authentication. A user groups table might be read to create the array of groups the user has privileges with. Also note that the only thing that is returned is a true or false and that reporting errors to the user does not occur at the authentication level.

Fully Custom Security

In a fully custom security implementation, both authentication and authorization information is handled outside of Servoy built in security paradigm.


The developer writes code to assign form and table security to each part of the solution. This style of solution is normally managed by exclusion: instead of assigning permission to every part, just assign permissions to the part you want controlled. An example of fully custom security can be found on the ServoyForge site in the Security framework.


Login form for NG and WebClients only

For NG and WebClients it is possible to set just a login form, instead of creating 'Login' and 'Authenticator' solutions, see the 'loginForm'
solution property

When 'loginForm' and 'mustAuthenticate' are both set, the 'loginForm' is displayed for user authentication, and the validation of the login
is done by calling security.login