How to configure OERealm authentication with PASOE

Information

Article Number: 000062375
Environment:
Product: OpenEdge
Version: 11.5, 11.6.x, 11.7.x
OS: All supported platforms
Other: Progress Developer Studio for OpenEdge, Pacific AppServer for OpenEdge, OERealm Authentication, Spring security
Question/Problem Description
How to configure OERealm authentication with PASOE
Resolution
This article assumes that the following project types were selected for your application in Progress Developer Studio for OpenEdge (PDSOE):

PDSOE 11.7 -> ABL Web App
PDSOE 11.6 -> ABL Web App
PDSOE 11.5 -> REST ( The RESTContent directory can be deleted)

Some of the information in this article, such as paths and names, is specific to this example and may have to be modified to fit other environments.

Database Configuration


•    Create a new Security Domain with an authentication system type of "_oeusertable" (authentication via the _User table), or use an existing Security Domain that has already been defined in your database. You can review the existing Security Domains defined within your database, or create new ones, in the Data Administration tool via the Admin menu -> Security -> Domain Maintenance -> Domains.... A similar option exists in OpenEdge Explorer/Management. Alternatively you can also create a Security Domain via ABL, for example:
 
CREATE _sec-authentication-domain.
ASSIGN
_sec-authentication-domain._domain-name = "RESTDomain"
_sec-authentication-domain._domain-type = "_oeusertable"
_sec-authentication-domain._domain-access-code = audit-policy:encrypt-audit-mac-key("Password")
_sec-authentication-domain._domain-enabled = YES.

In this example a new Security Domain called RESTDomain will be created to authenticate the REST clients. This is also the Security Domain which will be used in the rest of this article. The Domain Access Code used in this example is Password. When a Client-Principal is created for a user belonging to a certain Domain, it must be sealed and validated using the Domain Access Code of that domain. Thus in all places where you need to configure the Domain Access Code (or Key), you must ensure that you provide the same Access code.

Note: The OpenEdge database contains a built-in blank Domain with a blank Domain Access Code. It is recommended that you modify the Domain Access Code of the blank domain for your production environment.
 
•    Create users in the _User table for the corresponding Security Domain (e.g. RESTDomain). You can do this in the Data Administration tool via the Admin menu -> Security -> Edit User List.... A similar option exists in OpenEdge Explorer/Management. Alternatively you can also create the users via ABL, for example:
 
/* For the built-in blank Domain */
CREATE _User.
assign _User._Userid = "user1"
_User._Password = ENCODE("pass1")
_User._User-Name = "user1"
_User._User_number = 1001
_User._Domain-Name = ""
_User._Disabled = NO.

/* For the RESTDomain domain */
CREATE _User.
assign _User._Userid = "restuser1"
_User._Password = ENCODE("pass1")
_User._User-Name = "restuser1"
_User._User_number = 2001
_User._Domain-Name = "RESTDomain"
_User._Disabled = NO.

•    Create security roles and grant them to the user accounts. This allows PASOE to return the corresponding security role for a user. The OpenEdge REST applications specify roles within their security templates (e.g. the <Developer Studio Project>/PASOEContent/WEB-INF/oeablSecurity-*.xml configured within <Developer Studio Project>/PASOEContent/WEB-INF/web.xml). The access rights for the URLs that belong to a REST application are specified via these roles. By default, the OpenEdge REST security templates are configured to use the ROLE_PSCUser role to allow users access to a REST application. When PASOE returns the security role of a user, the REST application (via Spring Security) prefixes the role name with ROLE_ when one of the default security templates is used. So create the security role and grant it to the users as follows:
 
CREATE _Sec-role.
ASSIGN
    _Sec-role._Role-name        = "PSCUser"
    _Sec-role._Role-description = "User level role"
    _Sec-role._Role-creator     = "".   /* name of the user or role that created this role */

CREATE _sec-granted-role.
ASSIGN
    _sec-granted-role._grantee           = "restuser1@RESTDomain"
    _sec-granted-role._role-name         = "PSCUser"
    _sec-granted-role._grantor           = ""   /* the user or role that granted use of this role */
    _sec-granted-role._grant-rights      = YES
    _sec-granted-role._granted-role-guid = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).

PASOE instance configuration


•    For this example use the default oepas1 instance that already exists and configure it to connect to the desired databases.

•    In the file <DLCWORK>\oepas1\conf\jvm.properties modify the value for the line below from true to false:

-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=false

•    Add the PASOE server to Developer Studio and configure the resources (REST app) from your project to run on the PASOE instance.
 
For this example, within Progress Developer Studio for OpenEdge, copy the attached HybridRealm.cls and Properties.cls to <Developer Studio Project>/AppServer/auth, or copy the whole folder structure from the supplied sample zip into <Developer Studio Project>/AppServer/. These classes are provided as an example; custom-made classes can be used if preferred.

•    Secure the HybridRealm class to prevent it from being called by any other PASOE client. You can do this by generating a Client-Principal file using the genspacp.bat utility by running the following in a Proenv window:
 
genspacp -password RESTSPAPassword -role RESTSpaClient

genspacp 1.0
Generated sealed Client Principal...
    User: BPSServer@OESPA
    Id: SmjnCQ1kTm2fY5r8pxQg5A
    Role: RESTSpaClient
    Encoded Password: oech1::02171c130115120331213c303d3737
    File: oespaclient.cp
    State: SSO from external authentication system
    Seal is valid

The serialized Client-Principal file (oespaclient.cp) can then be used by the REST web application to authenticate itself to the PASOE auth.HybridRealm class (a sample oespaclient.cp file is attached). Note that the password and role given to genspacp are independent of the Security Domain access code and the REST client role used earlier. The sample auth.HybridRealm class reads these two values from a spaservice.properties file and compares them with the values sent by the REST web application.

•    Place the oespaclient.cp file at <DLCWORK>/oepas1/common/lib/ .
•    Place the spaservice.properties file at <DLCWORK>/oepas1/openedge.
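The caller check described above, as an added example that is not the HybridRealm.cls or Properties.cls attached to this article: before any _User lookup, the realm validates the Client-Principal sent by the web application against the two spaservice.properties values. The class name auth.HybridRealmGuardExample, the static properties auth.Properties:SpaPassword and auth.Properties:SpaRole, and the two method signatures are assumptions; a complete realm also implements the remaining methods of Progress.Security.Realm.IHybridRealm.

```abl
/* Added illustrative example (not the HybridRealm.cls attached to this article).
   Assumes the real realm implements Progress.Security.Realm.IHybridRealm and that
   auth.Properties exposes the spaservice.properties values as static properties
   SpaPassword and SpaRole (names assumed). */
USING Progress.Lang.*.

CLASS auth.HybridRealmGuardExample:

    /* Reject any caller whose Client-Principal was not produced by genspacp
       with the password and role configured for this PASOE instance. */
    METHOD PRIVATE VOID ValidateClient():
        DEFINE VARIABLE hCP AS HANDLE NO-UNDO.
        /* Client-Principal the web application attached to this request */
        hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().
        IF NOT VALID-HANDLE(hCP) THEN
            UNDO, THROW NEW AppError("No Client-Principal on request", 0).
        /* The seal must verify with the genspacp -password value. */
        IF NOT hCP:VALIDATE-SEAL(auth.Properties:SpaPassword) THEN
            UNDO, THROW NEW AppError("Client-Principal seal is invalid", 0).
        /* ROLES is a comma-separated list; the genspacp -role value must be in it. */
        IF LOOKUP(auth.Properties:SpaRole, hCP:ROLES) = 0 THEN
            UNDO, THROW NEW AppError("Caller lacks role " + auth.Properties:SpaRole, 0).
        FINALLY:
            IF VALID-HANDLE(hCP) THEN DELETE OBJECT hCP. /* returned handle is a copy (assumed) */
        END FINALLY.
    END METHOD.

    /* Realm entry point: map a login name to its user number, or ? if unknown. */
    METHOD PUBLIC INTEGER ValidateUser(INPUT pcUserName AS CHARACTER):
        ValidateClient().
        FIND FIRST _User NO-LOCK
             WHERE _User._Userid      = pcUserName
               AND _User._Domain-Name = "RESTDomain" NO-ERROR.
        IF NOT AVAILABLE _User THEN RETURN ?.
        RETURN _User._User_number.
    END METHOD.

    /* Realm entry point for realmPwdAlg=0 (clear-text password sent by Spring). */
    METHOD PUBLIC LOGICAL ValidatePassword(INPUT piUserId AS INTEGER,
                                           INPUT pcPassword AS CHARACTER):
        ValidateClient().
        FIND FIRST _User NO-LOCK WHERE _User._User_number = piUserId NO-ERROR.
        IF NOT AVAILABLE _User THEN RETURN FALSE.
        IF _User._Disabled THEN RETURN FALSE.
        /* _Password stores ENCODE(clear text), so compare encoded forms. */
        RETURN (_User._Password = ENCODE(pcPassword)).
    END METHOD.

END CLASS.
```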
 

Spring Security Configuration
 

Progress Developer Studio for OpenEdge 11.5 and 11.6.x


•    Open <Project>/PASOEContent/WEB-INF/web.xml .
•    Configure the use of the "/WEB-INF/oeablSecurity-form-oerealm.xml" security template as follows:
   
<context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
<!-- USER EDIT: Select which application security model to employ
           /WEB-INF/oeablSecurity-basic-local.xml
            /WEB-INF/oeablSecurity-anonymous.xml
            /WEB-INF/oeablSecurity-form-local.xml
            /WEB-INF/oeablSecurity-container.xml
            /WEB-INF/oeablSecurity-basic-ldap.xml
            /WEB-INF/oeablSecurity-form-ldap.xml
            /WEB-INF/oeablSecurity-basic-oerealm.xml
            /WEB-INF/oeablSecurity-form-oerealm.xml
            /WEB-INF/oeablSecurity-form-saml.xml
            /WEB-INF/oeablSecurity-basic-saml.xml
-->
            /WEB-INF/oeablSecurity-form-oerealm.xml
        </param-value>
    </context-param>
•    Open <Developer Studio Project>/PASOEContent/WEB-INF/oeablSecurity-form-oerealm.xml.
•    Configure the OERealmAuthProvider properties as follows:
<b:bean id="OERealmAuthProvider"
            class="com.progress.rest.security.OERealmAuthProvider" >
            <b:property name="userDetailsService">
                        <b:ref bean="OERealmUserDetails"/>
            </b:property>
            
            <b:property name="createCPAuthn" value="true" />
            <b:property name="multiTenant" value="false" />
            <b:property name="userDomain" value="RESTDomain" />
            <b:property name="key" value="oech1::00333c34252a2137" /> <!-- _domain-access-code -->
            <b:property name="authz" value="true" />
            <!--
            <b:property name="properties" >
                <b:map>
                     <b:entry key="prop-1" value="string1"/>
                     <b:entry key="prop-2" value="string2"/>
                </b:map>
            </b:property>
            <b:property name="expires" value="600" />
            -->
    </b:bean>

•    Configure the OERealmUserDetails properties as follows:

<b:bean id="OERealmUserDetails"
            class="com.progress.rest.security.OERealmUserDetailsImpl" >
            <b:property name="realmURL" value="http://localhost:8810/<rest project name>/apsv" />
            <b:property name="realmClass" value="auth.HybridRealm" />
            <b:property name="grantedAuthorities" value="ROLE_PSCUser" />
            <b:property name="rolePrefix" value="ROLE_" />
            <b:property name="roleAttrName" value="ATTR_ROLES" />
            <b:property name="enabledAttrName" value="ATTR_ENABLED" />
            <b:property name="lockedAttrName" value="ATTR_LOCKED" />
            <b:property name="expiredAttrName" value="ATTR_EXPIRED" />
            <b:property name="realmPwdAlg" value="0" />
            <b:property name="realmTokenFile" value="oespaclient.cp" />

            <!-- For SSL connection to the oeRealm appserver provide the complete
                 path of psccerts.jar as the value of 'certLocation' property
             -->
            <b:property name="certLocation" value="" />
    </b:bean>

 

Progress Developer Studio for OpenEdge 11.7.x

•    Open <Project>/RESTContent/WEB-INF/oeablSecurity.properties.
•    Configure OERealm authentication by updating the properties in oeablSecurity.properties as follows:
http.all.authmanager=oerealm

client.login.model=form

OEClientPrincipalFilter.key=Password
OEClientPrincipalFilter.domain=RESTDomain
OEClientPrincipalFilter.roles=PSCUser
OEClientPrincipalFilter.domainRoleFilter=ROLE_

OERealm.AuthProvider.multiTenant=false
OERealm.AuthProvider.userDomain=RESTDomain

OERealm.UserDetails.realmClass=auth.HybridRealm
OERealm.UserDetails.grantedAuthorities=ROLE_PSCUser
OERealm.UserDetails.realmTokenFile=oespaclient.cp

 

REST Service Test


•    For example, using a web browser (or any other REST client that you prefer), log in to the REST application by going to http://localhost:8810/<REST web application name>/static/auth/login.html. If the login is successful, the REST Service returns an HTTP response that contains a JSESSIONID cookie. The JSESSIONID cookie then needs to be sent in subsequent requests to the REST Service as an HTTP header, as follows:

Cookie: JSESSIONID=11EDA108E2CFD30E142BECDC69D494AA

•    The REST client can invalidate the JSESSIONID cookie (and thus the client session) by logging out of the REST Service. To do this, go to http://localhost:8810/<REST web application name>/static/auth/logout.html.

Notes
References to Other Documentation:

Progress Article(s):
000058538, What are the basic steps to authenticate REST clients against the OpenEdge database _User table?
000088613, How to configure multi-domain for OERealm in PASOE

EMEA PUG Challenge presentation at: http://www.pugchallenge.eu/
Event -> Presentations - 2015 -> OpenEdge REST Security
Last Modified Date: 4/17/2018 10:16 PM