Questions about parameters for GENSPACP

Posted by Rom Elwell on 12-Mar-2015 09:27

We are implementing SPA utilizing the Form OERealm plugin.

Referencing the document found here:

genspacp -password <text> [-user <text> -domain <text> -role <text> -file <text>]
Where:
* -password: (Required) The domain password used to seal the client-principal object.
* -user: (Optional) The user name set in the client-principal. The default name is BPSServer.
* -domain: (Optional) The domain name set in the client-principal. The default domain name is OESPA.
* -role: (Optional) The role set in the client-principal. The default role is SPAClient.
* -file: (Optional) The name of the file to which the client-principal object is saved. The default file name is oespaclient.cp.

In the example above, does the user BPSServer need to be a valid user in the _User table?
In the example above, does the domain name OESPA need to be a valid domain defined in the _sec-authentication-domain table?
In the example above, does the role SPAClient need to be defined in the _sec-role table?

All Replies

Posted by Donicello Lampe on 12-Mar-2015 09:53

If you are trying to use this for REST, please see my previous reply to you in this thread:

community.progress.com/.../59228.aspx

It all depends on your own implementation, but for the sample provided in that KBase article, the answer to all your questions would be NO.

Posted by knavneet on 12-Mar-2015 12:25
Hi Rom,
 
As Donicello said, the answers are NO if you use the sample.
 
I just wanted to add my two cents about the parameters:
 
If you do not provide the optional parameters to the genspacp utility, the C-P file that is generated is created with default values (user = BPSServer, domain = OESPA, role = SPAClient). I would recommend that you provide some values instead of using the defaults.
 
The generated C-P file is what needs to be distributed to the OERealm client (like a REST webapp). As Donicello has mentioned, the implementation of the OERealm class depends on your business needs.
 
For example, in your OERealm AppServer you may write an activate procedure that allows access to the OERealm class methods only if the C-P in the REQUEST-INFO is valid and is sealed by the key that you used while generating the C-P file using genspacp (specified by the -password parameter).
 
For example, something like this:
====
        hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().
        IF (? <> hCP) THEN
        DO:
            MESSAGE "Request contained a C-P".
            /* m_passwd must be the same as -password of genspacp */
            result = hCP:VALIDATE-SEAL(m_passwd).
            /* Reject a C-P whose seal does not validate */
            IF NOT result THEN
                UNDO, THROW NEW Progress.Lang.AppError("Unauthorized client", 1).
        END.
        ELSE
            UNDO, THROW NEW Progress.Lang.AppError("Unauthorized client", 1).
====
 
In the example above, does the user BPSServer need to be a valid user in the _User table?
>> It depends on whether you want to use the user stored in the C-P file in your OOABL class or the activate proc. If not, you may choose not to have the user in C-P in the _User table.
(NOTE: The sample code uses the _User table just for illustration purposes. It is not required that you use the _User table. You can create a customized user-account table in an OE DB and use that instead.)
 
In the example above, does the domain name OESPA need to be a valid domain defined in the _sec-authentication-domain table?
>> This depends on whether, in your server start-up proc, you load the domains from the database registry using SECURITY-POLICY:LOAD-DOMAIN("<dbname>"). Only if you do this do you need to create this domain in _sec-authentication-domain (and in that case the domain access code will need to be the same as -password of genspacp).
 
In the example above, does the role SPAClient need to be defined in the _sec-role table?
>> This again depends on whether you want to use the role stored in the C-P file in your OOABL class or the activate proc. If not, you may choose not to have the user in C-P in the _sec-role table.
 
HTH,
Navneet
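
An added example, not part of the original replies or of the Progress sample: an activate procedure that checks the seal and also checks that the C-P carries the non-default domain and role passed to genspacp. The domain and role values and the environment variable name are hypothetical.

```abl
/* Added example, not from the thread. Domain, role and the
   environment variable name are hypothetical. */
ROUTINE-LEVEL ON ERROR UNDO, THROW.

DEFINE VARIABLE hCP     AS HANDLE    NO-UNDO.
DEFINE VARIABLE cKey    AS CHARACTER NO-UNDO.
/* Assumed values given to genspacp with -domain and -role */
DEFINE VARIABLE cDomain AS CHARACTER NO-UNDO INITIAL "AcmeRealm".
DEFINE VARIABLE cRole   AS CHARACTER NO-UNDO INITIAL "AcmeRealmClient".

/* Same secret as genspacp -password, kept out of the source code */
cKey = OS-GETENV("OEREALM_CP_KEY").
IF cKey = ? OR cKey = "" THEN
    UNDO, THROW NEW Progress.Lang.AppError("Seal key not configured", 2).

hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().

/* 1. The request must carry a C-P at all */
IF NOT VALID-HANDLE(hCP) THEN
    UNDO, THROW NEW Progress.Lang.AppError("Unauthorized client", 1).

/* 2. The C-P must have been sealed with our key */
IF NOT hCP:VALIDATE-SEAL(cKey) THEN
    UNDO, THROW NEW Progress.Lang.AppError("Unauthorized client", 1).

/* 3. The C-P must name the expected domain and role, so a C-P built
      with the genspacp defaults (OESPA / SPAClient) is refused.
      ABL compares strings case-insensitively; an unset ROLES (?) is
      tested explicitly because LOOKUP would return ? for it. */
IF hCP:DOMAIN-NAME <> cDomain
   OR hCP:ROLES = ?
   OR LOOKUP(cRole, hCP:ROLES) = 0 THEN
    UNDO, THROW NEW Progress.Lang.AppError("Unauthorized client", 1).
```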
 
This thread is closed