Hi all,
I have a browser based app using javascript and a Webspeed backend (11.4).
In the webspeed backend we establish a sessionId which is stored in the DB and re-established for each client call.
Now I have an additional connection to a REST backend for accessing BusinessEntities through a generic Rest Service Interface using the JSDO in the javascript client.
This works fine, and I have managed to setup form-oerealm security in the backend to use our application security.
To synchronise this session with the webspeed session I want to use the progress.session.clientContextId and pass it to our webspeed broker.
The problem is: The progress.session.clientContextId is always null in the browser, although the connection is made.
In the ABL Session when I access SESSION:CURRENT-REQUEST-INFO:ClientContextId it correctly shows me an Id for each connected client.
I assume that I have to set some additional properties in the spring settings, but have no idea where to start...
any help greatly appreciated!
thanks,
Mike
Hello,
Just to clarify, to access the clientContextId, you would write "session.clientContextId" where session is your variable of type progress.data.Session or progress.data.JSDOSession. (In your post you mentioned progress.data.clientContextId which is not defined.)
Since you mention that the value is null (not undefined), it looks like you are accessing the right property.
The clientContextId property is set from the value in the X-CLIENT-CONTEXT-ID HTTP header (found in the HTTP response).
You can use the steps in the following link to enable SSO for Web applications:
documentation.progress.com/.../index.html
Please notice that the documentation and the .xml file have "headername" value="X-OE-CLIENT-CONTEXT-ID".
Please change it to X-CLIENT-CONTEXT-ID because that is the value that the code for the Session/JSDOSession expects.
Related link:
documentation.progress.com/.../index.html
I hope this helps.
Hi,
thanks for your help.
yes, I am using the clientContextId from my session variable.
Looking into setting the SSO parameters I realised that they are also available for the basic-oerealm authentication.
Does that mean I do not need form authentication in order to establish session context handling?
Mike
ok, tried with basic-oerealm authentication and the authentication through my HybridRealm seems to work.
But then the progress session tries to call "/static/home.html" which fails with a 404.
From reading through the documentation I understand that this is the default value for the login-target parameter, but I do not understand what this is needed for, or how I can (must?) use it / deactivate it.
All I want is to authorize through my HybridRealm and get a sessionId...
Do I have to provide this login-target? And if so, how do I implement it?
Any help greatly appreciated!
Mike
Hi Mike,
It is used to contact the server before a login attempt. You can ignore the 404 error - it does not cause any problem.
If you created the service through a PDSOE project, the file should be there. If it is not you can create a file home.html in the static directory of your webapp. The content could simply be:
<html>
<body>
Home
</body>
</html>
Thanks
-Shelley
Hi Mike,
The Session's login logic is to make a request for a specific, protected, resource from the Web application that will cause the server-side authentication process to authenticate that request. By default, the Session requests <serviceURI>/static/home.html (where serviceURI is the first parameter to login() ). Web applications produced by PDSOE include this file by default. If your Web application doesn't have one, you can just add it. The default file that PDSOE uses is simply:
<html>
<body>
Home
</body>
</html>
You can also specify a different resource by using the 4th parameter of Session.login(). Whatever you use, if you want the login to actually authenticate the user, you need to make sure that the Web application's security XML file (for example, oeablSecurity-basic-oerealm.xml, on the doc page that Edsel sent the link to) specifies that it is a protected resource.
--Wayne
Hi Shelley,
the file is there. The problem is that I get a LOGIN_GENERAL_FAILURE .
I was assuming that this is due to the 404, but if I understand you correctly there must be some other reason for this...?
Thanks,
Mike
Can you use an HTTP monitor (the Network tab in a browser debugger, or Fiddler, or something similar) to see what the actual request is?
figured out what the problem was: I did not return a value for the ATTR_ENABLED attribute.
Now the login works without error, BUT: I still get no clientContextId. Also in the backend when I display SESSION:CURRENT-REQUEST-INFO:ClientContextId it is empty.
I set OEPreauthfilter:
<b:bean id="OEPreauthfilter" class="com.progress.rest.security.OERequestHeaderAuthenticationFilter">
<!-- USER-EDIT: To turn on SSO :
1. Set "enabled" property to true
2. For single-domain supply the Domain Access Code as the value for "key" property
3. For multi-domain supply the absolute path of a 'registryFile' generated using OpenEdge's
$DLC/bin/gendomreg.bat utility as "registryFile" property -->
<b:property name="enabled" value="true"/>
<b:property name="key" value="123456"/>
<b:property name="registryFile" value= "" />
<b:property name="encoding" value="OECP"/>
<b:property name="headername" value="X-CLIENT-CONTEXT-ID"/>
<b:property name="authenticationManager" ref="authenticationManager" />
</b:bean>
Anything I am missing here...?
Hi Wayne,
Where exactly do I specify that a resource is protected?
Thanks,
Mike
If you are using one of the Spring Security templates (for example, oeablSecurity-basic-oerealm.xml), it is already set up for /static/home.html and you can use it as a model (search on "/static/home.html" -- be aware there's another home.html in there that is not the same one, it has a different path). You mentioned that your login is working now -- try it with invalid credentials and if the login fails, /static/home.html is protected. I will try to find some more specific information that may be able to help you.
| Property Name | Description | Datatype | Default | Range |
|---|---|---|---|---|
| "ccid" | Enable/disable CCID | Boolean | "true" | {"true"\|"false"} |
Hi Mike,
Going back to your original question : how do I synchronize 'sessions' between your Mobile REST services and your WebSpeed application? I have some additional information that may help.
The Mobile REST services set the OpenEdge Client Context ID with the value of the HTTP session the Tomcat server assigns when you do a form-login model authentication. Since this is not configurable - your WebSpeed sessions will have to synchronize with the REST sessions, using the REST service's session-id. The REST services are configured to not generate HTTP sessions when you use one of the BASIC authentication models.
When you see a non-zero client context id in the SESSION:CURRENT-REQUEST-INFO:ClientContextID of a request originating in a REST service - it will be the HTTP session-id of the authenticated client as issued by the web server via the Spring Security modules. The value will be "0" if the REST service's Spring Security is executing one of the basic authentication models.
When you configure the OEClientPrincipalFilter bean's <property name="CCID" value="true"> in the appSecurity-oerealm-form.xml configuration (assuming that is what you configure to obtain actual client sessions), the filter will insert the X-CLIENT-CONTEXT-ID header in a REST request's response - IF an HTTP session was created by the server. If the Spring Security configuration you set in web.xml does not create sessions, no session-id is created, and the header will not be returned. For example - when you use a basic form model, no HTTP session is created. You should be able to see this header using an HTTP debug proxy between your browser and the server.
The built-in CORS filter in OpenEdge REST services is configured to allow your java-script client to see the X-CLIENT-CONTEXT-ID header in the response message ( or should be ). As Edsel and Wayne have indicated, this is also available in the JSDO services, so you can choose the source. Once your code has the value of the X-CLIENT-CONTEXT-ID header it can send that to WebSpeed so it can record the session and use it.
As Navneet says, do not use the OEPreauthFilter as its purpose lies in another area of REST client support.
Mike J.
ok, disabled OEPreAuthFilter and enabled ccid.
But I do not get a clientSessionId. But I am using oerealm-basic-authentication - do I understand correctly that using basic authentication I never get a sessionId? Do I have to use oerealm-form-authentication?
Correct. Session ids exist for the case where a client performs a form login (authentication) whose lifetime spans multiple HTTP client requests and has a defined logout action - the session id is what binds the individual HTTP requests into a single login session. The HTTP BASIC model of user login (authentication) spans only the lifetime of a single HTTP request and has no defined logout action - therefore no session id is needed or created.
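Added example (not part of any post above, and not OpenEdge or JSDO code): a small JavaScript helper that takes the login response headers as copied from an HTTP monitor and reports why session.clientContextId would be null, following the causes discussed in this thread. The function name, reason strings and sample header maps are assumptions made for illustration, as is treating a header value of "0" as "no session".

```javascript
// Added example; the header maps below are constructed samples, not real captures.
const CCID_HEADER = 'x-client-context-id';

const FORM_LOGIN = {            // constructed: form model, HTTP session created
  'Set-Cookie': 'JSESSIONID=EXAMPLE0123456789; Path=/; HttpOnly',
  'X-CLIENT-CONTEXT-ID': 'EXAMPLE0123456789',
  'Access-Control-Expose-Headers': 'X-CLIENT-CONTEXT-ID',
};
const BASIC_LOGIN = { 'Content-Type': 'text/html' };  // constructed: no session
const FORM_NOT_EXPOSED = {      // constructed: header sent, but not exposed by CORS
  'X-CLIENT-CONTEXT-ID': 'EXAMPLE0123456789',
};

// HTTP header names are case-insensitive, so compare on lower-cased keys.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns { ccid, reason }. ccid is null whenever script could not read a usable id.
function diagnoseCcid(rawHeaders, crossOrigin) {
  const h = normalize(rawHeaders);
  const value = h[CCID_HEADER];
  if (value === undefined || value === '') {
    // No header: the server created no HTTP session (e.g. a BASIC model).
    return { ccid: null, reason: 'header-absent' };
  }
  if (value === '0') {
    // Assumption: mirrors the "0" the thread reports on the ABL side.
    return { ccid: null, reason: 'no-session' };
  }
  if (crossOrigin) {
    // Cross-origin script only sees headers named in Access-Control-Expose-Headers.
    // '*' is not accepted here: it is a wildcard only for requests sent without
    // credentials, and a form-login session travels with a cookie.
    const exposed = (h['access-control-expose-headers'] || '')
      .split(',')
      .map((s) => s.trim().toLowerCase());
    if (!exposed.includes(CCID_HEADER)) {
      return { ccid: null, reason: 'not-exposed-by-cors' };
    }
  }
  return { ccid: value, reason: 'ok' };
}
```

Because the header carries the HTTP session id, treat the value as a credential when forwarding it to WebSpeed: send it over HTTPS in a header or request body rather than in a URL.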