Spring security with OE REST

Posted by Paul Radbone on 22-Oct-2014 02:45

Hi,

I'm looking at how to handle security for a rest service.  Is there a guide for spring security that's specific to OpenEdge?  I am new to spring and any examples I can find on the net are for Java.  For example you can do the following in java:

<%@ taglib prefix='sec' uri='http://www.springframework.org/security/tags' %>

<html>
<body>
<sec:authorize ifAnyGranted='ROLE_ADMIN'>
authorised
</sec:authorize>
REST Adapter
</body>
</html>

How would you do something similar in OE?  

I also need to develop a user admin screen, where users can update their own password and other details.

Is it possible to use one logon for a progress web app and java web app that have been deployed to the same tomcat server, so that the authorisation is carried across both sessions (if that makes sense)?

Any help or pointers to documentation would be much appreciated!

Cheers,

Paul.

All Replies

Posted by Srinivas Munigala on 22-Oct-2014 03:50
The following wiki page gives a brief description of Spring Security with OE REST:
 
 
Hope, it helps you.
 
Posted by Paul Radbone on 22-Oct-2014 03:58

Hi,

The page doesn't exist?

Paul.

Posted by Mike Fechner on 22-Oct-2014 04:00

I'm sure it exists... but it's not accessible by us poor customers :-)

Posted by Srinivas Munigala on 22-Oct-2014 04:17
My apologies, the link doesn’t work outside Progress.
 
You can refer to the following OpenEdge documentation:

OpenEdge Development: Web Services
- REST Application Security
 
Posted by Paul Radbone on 22-Oct-2014 04:47

Thanks, but I have been through the documentation.  While it describes the configuration setup, I can't find anything past the simple logon page.

I have it all working, but where do I go from here?

Posted by Michael Jacobs on 22-Oct-2014 04:58

Hello Paul,

This is a good question - I may be able to help with some basic information to get started.

Spring Security is a well known, stable, and very extensible authentication and authorization security stack used by the REST services.   The Spring Security stack runs at the very beginning of every HTTP request delivered to the REST web application by the Tomcat server, where it first authenticates the client, and then authorizes them to access a given resource (URL) and action (GET,PUT,POST,DELETE).

The Spring Security stack is comprised of a configurable sequence of various 'beans', that is controlled by an xml configuration file (appSecurity-xxxxx.xml) found in the web application's WEB-INF directory.   For developers and admins who are not Spring experts, OpenEdge supplies a set of 'template' Spring configuration files to make it easier and provide a variety of internet and user account authentication types.  The configuration is a balance between simplicity and extensibility to fit into a broad range of application and production site requirements.

Inside the templates are 'beans' defined for OpenEdge extensions to standard Spring Security to supply support for things like SSO (using a Client-Principal) to the AppServer, using an ABL application's user accounts for authentication, and others.  Some applications can just specify which template to use and are done.  However, the expectation is that many developers may need to customize a template for their particular application/production site use - and this is where the OpenEdge REST documentation comes in.  

90%+ of the REST service's Spring Security is standard, and is not documented by OpenEdge.   I have found the Spring Security reference documentation very adequate, but not simple, at the following location:

       docs.spring.io/.../springsecurity.html

That is where you will find the details that describe the xml configuration file's elements and attributes described for things such as controlling http client sessions, URL access controls, user account sources, and much more.

In the example you supplied the author was illustrating how to call through to the Spring Security stack from a web UI page.   You would do the equivalent authorization in the Spring Security configuration file for REST services.

I hope that this brief background will help get you started.

Mike Jacobs

Posted by Paul Radbone on 22-Oct-2014 05:43

Thanks Mike,

Some useful pointers there.  I have to admit, I'm a bit overwhelmed by the Spring Security side of things as I am purely a Progress programmer.

could you just clarify this bit:

"You would do the equivalent authorization in the Spring Security configuration file for REST services."

Do you mean that I would need extra configuration to perform spring operations in my html code?

Paul.

Posted by Michael Jacobs on 22-Oct-2014 06:10

You are welcome Paul.

You would not do anything in your html code.   All the security is localized in the server where it cannot be hacked.

For the most part the Spring Security templates we provide you will have the REST URL access controls set up.   The possible changes would be to change which Roles (Spring is a pure Role Based Authorization) can access the URL.   The Role names will be specific to the types of user accounts used for authentication (login).

For example - to authorize all the users in the ROLE_PSCUser Role to access the entire REST relative uri space (for GET,PUT,POST,DELETE)

      <!-- HTTP REST/Mobile AppServer service -->
      <intercept-url pattern="/rest/**"
                     access="hasAnyRole('ROLE_PSCUser')"/>

If the user accounts you use have another user Role named "Users", then you would adjust the Role clause to be 'ROLE_Users'.   (Note: for reasons I will not address here, Spring prefixes Role names with 'ROLE_')   Specific to your example:  the equivalent would be:

      <!-- HTTP REST/Mobile AppServer service -->
      <intercept-url pattern="/rest/**"
                     access="hasAnyRole('ROLE_ADMIN')"/>

OK?

Mike J.
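The intercept-url rules Mike shows are evaluated by Spring Security in document order, and the first pattern that matches the request wins. That makes rule ordering a security property of the appSecurity-xxxxx.xml file: a broad "/rest/**" rule placed before a narrower "/rest/admin/**" rule silently makes the admin rule unreachable. The script below is an added example (not from this thread, and not Progress or Spring code) that parses a constructed appSecurity-style fragment and reports rules an earlier rule shadows, then shows the same rules in the corrected order. The "/rest/admin" path and the ROLE_ADMIN role in the sample are assumptions for illustration; "intercept-url", "pattern", "method" and "access" are the real Spring Security 3.x namespace attributes, and the Ant-style matching is modelled on how Spring interprets the pattern attribute.

```python
"""Audit Spring Security <intercept-url> rules for shadowed (unreachable) entries.

Added example; not code from this thread or from Progress/OpenEdge.  Spring
walks the <intercept-url> elements in document order and applies the first
one whose pattern (and optional HTTP method) matches the request, so a broad
pattern listed before a narrower one silently makes the narrower rule dead.
"""
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"

# Constructed sample in the shape of the appSecurity-*.xml templates; the
# /rest/admin path and the ROLE_ADMIN role are assumptions for illustration.
TEMPLATE = """
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true" use-expressions="true">
{rules}
    <intercept-url pattern="/static/**" access="permitAll"/>
    <intercept-url pattern="/**" access="denyAll"/>
  </http>
</beans:beans>
"""
PSCUSER_RULE = '<intercept-url pattern="/rest/**" access="hasAnyRole(\'ROLE_PSCUser\')"/>'
ADMIN_RULE = '<intercept-url pattern="/rest/admin/**" access="hasAnyRole(\'ROLE_ADMIN\')"/>'


def build_config(rule_lines):
    return TEMPLATE.format(rules="\n".join("    " + r for r in rule_lines))


SHADOWED_CONFIG = build_config([PSCUSER_RULE, ADMIN_RULE])  # broad rule first: admin rule is dead
FIXED_CONFIG = build_config([ADMIN_RULE, PSCUSER_RULE])     # narrow rule first: both reachable


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (as used by <intercept-url>) to an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")   # zero or more further segments, so /rest/** also matches /rest
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")      # anything within a single path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def load_rules(xml_text):
    """Return the <intercept-url> rules in document order, the order Spring evaluates them."""
    root = ET.fromstring(xml_text)
    return [{"pattern": el.get("pattern"), "method": el.get("method"), "access": el.get("access")}
            for el in root.iter("{%s}intercept-url" % SEC_NS)]


def first_match(rules, path, method="GET"):
    """Index and access expression of the rule Spring would apply to this request."""
    for idx, rule in enumerate(rules):
        if rule["method"] and rule["method"] != method:
            continue
        if ant_to_regex(rule["pattern"]).match(path):
            return idx, rule["access"]
    return None, None


def probe_path(pattern):
    """A concrete request path that the pattern matches, used to test the earlier rules."""
    return pattern.replace("**", "x/y").replace("*", "x").replace("?", "x")


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule always wins for their method."""
    dead = []
    for idx, rule in enumerate(rules):
        winner, _ = first_match(rules, probe_path(rule["pattern"]), rule["method"] or "GET")
        if winner is not None and winner < idx:
            dead.append(idx)
    return dead


def audit(xml_text):
    """Human-readable findings for one appSecurity-style XML document."""
    rules = load_rules(xml_text)
    findings = []
    for i in shadowed_rules(rules):
        w, _ = first_match(rules, probe_path(rules[i]["pattern"]), rules[i]["method"] or "GET")
        findings.append("rule %d (%s) is shadowed by rule %d (%s)"
                        % (i, rules[i]["pattern"], w, rules[w]["pattern"]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("shadowed", SHADOWED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or ["no shadowed rules"])
        print("  /rest/admin/users ->", first_match(load_rules(cfg), "/rest/admin/users")[1])
```

Point the script at your own WEB-INF/appSecurity-xxxxx.xml by passing its contents to audit(). The check is deliberately conservative: a rule that only carries a method attribute different from the earlier rule's is reported as reachable, since it still fires for that method, and the final "/**" denyAll rule is what keeps any URL you forgot to list from being served to an unauthenticated client.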

Posted by Paul Radbone on 22-Oct-2014 08:53

I understand, but in the example I gave you would be able to, for example, enable or disable a field in a form based on the user's role.  In your example you are setting a role to access a whole url?

Paul.

Posted by Michael Jacobs on 22-Oct-2014 13:32

The example I showed you applied to the URL access control used by the server's REST data services called by some device/browser.   It would not be used to control UI functionality.

If you were a writing JSP UI then the code fragment you supplied would contain the Spring Security tags to do direct control over the UI's operation.   It would not be used to control access to the application data.

Two different uses supported by a common Spring Security framework.

Mike J.

Posted by Paul Radbone on 23-Oct-2014 01:58

OK, i think it finally clicked :)

The example I gave is from a client REST Application.  Am I right in saying that OE does not have a REST client, where this kind of example would come into play?

Any idea if this is possible:

"Is it possible to use one logon for a progress web app and java web app that have been deployed to the same tomcat server, so that the authorisation is carried across both sessions (if that makes sense)?"

I'll have a trawl through the docs.

Thanks,

Paul.

Posted by Michael Jacobs on 23-Oct-2014 05:32

Good, we are making headway.

Just so we do not get caught up and confused in terminology and technology, allow me to expand on the example you and I showed.   ( If you know this already just skip it )

The way that I interpret your example, it was from a client UI [browser] application where the actual dynamic page generation is being performed in the server side's Java web application.   One example of this technology is Java Server Pages.   In this scenario the client logs into the Java web application using its Spring Security stack (same as what we use in our REST services).   The Spring Security framework supports tags that can be used during the generation of the dynamic [JSP] html page returned to the browser.   Those Spring Security tags can be used to control the html page's content based on what is authorized by the Spring Security's client login.

In contrast, the backend REST data services ( i.e. the OE REST service ) would only be serving data content for the html pages running in the client browser [ or device ].  That REST service is also using Spring Security to ensure that even an authenticated UI page has access to the data.   (The conventional server rule of never trusting a client until they prove who they are.)

So now to your question (at last)

The closest OE supports for a REST client would be OpenEdge Mobile ( an excellent choice, if I may say so ) and some low level REST client support that was scheduled for 11.5.   Neither of which would use the Spring Security tag support as shown in your html page example.

It is possible, in theory, that when using standard Spring Security you can authenticate to one web application ( as in the JSP UI ) and SSO onto other web applications in the same server.   We have not physically proven, or disproven, that the theory works with our OE REST services.   So far we've taken the keep-it-simple route and recommend that you distribute the UI and REST service(s) it uses in the same web application.   In that way you can choose to login once and the authorizations apply equally to the UI pages (in the case where you are writing JSP dynamic html pages) and the REST services that provide the AppServer data source.

Trawling the doc would be a good exercise to get started and more familiar with working in this environment, but this conversation has gone beyond what would be found in the OE docs.   Feel free to continue asking questions and we'll help clarify as best we can.

Please let me know if this is too much information or not in the direction you wish to follow.

Mike J.
