Hi Rom,
As Donicello said the answers are NO if you use the sample.
I just wanted to add my two cents about the parameters:
If you do not provide the optional parameters in Genspacp utility, the C-P file that is generated is created with default values (user = BPSServer, domain = OESPA, role= SPAClient). I would recommend that you provide some values instead of using the defaults.
The generated C-P file is what needs to be distributed to the OERealm client (like REST webapp). As Donicello has mentioned, the implementation of OERealm class depends on your business needs.
For e.g. in your OERealm AppServer you may write an activate procedure that allows access to the OERealm class methods only if the C-P in the REQUEST-INFO is valid and is sealed by a key that you used while generating C-P file using genspacp (specified by –password parameter).
For e.g. something like this:
====
hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().
IF (? <> hCP) THEN
DO:
MESSAGE "Request contained a C-P".
result = hCP:VALIDATE-SEAL (m_passwd). /* m_password must be same as –password of genspacp */
END.
ELSE
UNDO, THROW NEW Progress.Lang.AppError("Unauthorized client", 1).
====
In the example above, does the user BPSServer need to be a valid user in the _User table?
>> It depends on whether you want to use the user stored in the C-P file in your OOABL class or the activate proc. If not, you may choose not to have the user in C-P in the _User table.
(NOTE: The sample code uses _User table just for illustration purpose. It is not required that you use _User table. You can create a customized user-account table in an OE DB and use that instead)
In the example above, does the domain name OESPA need to be a valid domain defined in the _sec-authentication-domain table?
>> This depends on whether in your server start-up proc you load the domains from the Database registry using SECURITY-POLICY:LOAD-DOMAIN("<dbname>"). Only if you do this you need to create this domain in _sec-authentication-domain (and in that case the domain access code will need to be same as –password of genspacp)
In the example above, does the role SPAClient need to be defined in the _sec-role table?
>> This again depends on whether you want to use the role stored in the C-P file in your OOABL class or the activate proc. If not, you may choose not to have the user in C-P in the _sec-role table.
HTH,
Navneet
[collapse]
From: Donicello Lampe [mailto:bounce-dlampe@community.progress.com]
Sent: Thursday, March 12, 2015 8:24 PM
To: TU.OE.Development@community.progress.com
Subject: RE: [Technical Users - OE Development] Questions about parameters for GENSPACP
Reply by Donicello Lampe
If you are trying to use this for REST, please see my previous reply to you in this thread:
community.progress.com/.../59228.aspx
It all depends on your own implementation, but for the sample provided in that KBase article, the answer to all your questions would be NO.
Flag this post as spam/abuse.
-password: (Required) The domain password used to seal the client-principal object.