REST/PASOE auth: adding properties to client-principal

Posted by bronco on 25-Mar-2015 08:45

So I implemented IHybridRealm and set this in oeablSecurity-basic-oerealm.xml. Works!

I uncommented the CP section, so I get a CP in session:current-request-info:GetClientPrinciple().

Now, before the CP is sealed, I want to set some (custom) properties in the client-principle. I want this to be done via the implementation of IHybridRealm, not in the <b:property name="properties" > element of the OERealmAuthProvider provider. This because the information I want to add comes from the database (and is diferent for every user).

Can anyone point me in the right direction?

All Replies

Posted by Tim Kuehn on 25-Mar-2015 08:56

I have code that does this: 


hCP:INITIALIZE(     chUserDomain,                   /* qualified user@domain        */
                    GUID,                           /* unique session id            */
                    ADD-INTERVAL(NOW, 8, 'hours'),  /* default timeout/expiration   */
hCP:SET-PROPERTY(   {&AuthenticateSiteIdProperty}, 

Posted by bronco on 25-Mar-2015 09:42

That's when you create your own CP. With PASOE you can let the spring security framework create the CP. My question how to add custom properties (f.e. a "functions" property) to the CP in the latter case.

Posted by Michael Jacobs on 25-Mar-2015 10:21

Sorry to report that the 'properties' in the OERealmUserDetails and OEClientPrincipalFilter will only accept static values at this time.

I do see the use case for getting named attribute values from the AppServer and inserting them into the client-principal's properties.   Something many could benefit from.  Would you be agreeable to submitting an idea that adds this type of functionality?

Mike J.

From: bronco <>
Reply-To: "" <>
Date: Wednesday, March 25, 2015 at 10:42 AM
To: "" <>
Subject: RE: [Technical Users - OE Development] REST/PASOE auth: adding properties to client-principal

Reply by bronco

That's when you create your own CP. With PASOE you can let the spring security framework create the CP. My question how to add custom properties (f.e. a "functions" property) to the CP in the latter case.

Stop receiving emails on this subject.

Flag this post as spam/abuse.


Posted by MTBOO on 20-Jun-2017 11:46


Just came across this post. I would like to know if the idea for this was submitted and it's current status. We are also using IHybridRealm and would like to insert some properties (for user context type of stuff from our database) before it is sealed.


Posted by Irfan on 20-Jun-2017 11:58

You can do it right now in 11.6.2+

In your OERealmHybrid Class, add the attribute "Realm_ATTR_PROPERTIES" and return a JSON Object as longchar



                return JObj:getJsontext().


This should load all the custom properties and will be part of your sealing client principal.

Once your CP is sealed and passed to MS-Agent, you can print those properties as below

cList = hCP:list-property-names.

   iListSize = num-entries(cList, ",").

   if ( 0 < iListSize ) then do iListPos = 1 to iListSize:

       define variable cProp       as character no-undo.

       define variable cVal        as character no-undo.

       message "    properties:".

       cProp = entry(iListPos, cList, ",").

       cVal = hCP:get-property(cProp).

       message "          property:" cProp ", value:" cVal.


(hCP is your client-principal handle).

Posted by MTBOO on 21-Jun-2017 05:41


We have a class that implements IHybridRealm using OE 11.6.3 spring security. In the auth flow I can see it calls the following for a successful auth:


GetAttribute: 'ATTR_ROLES'

GetAttribute: 'ATTR_ENABLED'

GetAttribute: 'ATTR_LOCKED'

GetAttribute: 'ATTR_EXPIRED'


How can I get it calling for the PROPERTIES attribute ?

Posted by Lars Neumeier on 21-Jun-2017 06:22


for OpenEdge 11.6.3 you can add/change

<b:bean id="OERealmUserDetails" class="" >


 <!-- PropertyMap -->

 <b:property name="propertiesAttrName" value="ATTR_PROPERTIES" />

In your HybridRealm (Method GetAttributes) you can return a json object, for example:

          cAttributeValue = ' ~{ '
                          + '"key1":"' + value1 + '",'
                          + '"key2":"' + value2 + '",'
                          + '"key3":"' + value3 + '"'
                          + ' ~} '.

and later:


Posted by Peter Judge on 21-Jun-2017 08:10

Just curious why you are hand-building the JSON instead of using the JsonObject. Is it just for this example?

Posted by MTBOO on 21-Jun-2017 10:28

Thanks, I was just missing the property map for ATTR_PROPERTIES. This will be a big help in not having to persist some additional session info elsewhere

Posted by Blake Stanford on 08-Apr-2019 20:18

On the topic of setting properties of the CP, is it possible to set the session-id property from the IHybridRealm implementation, when using OERealmHybrid ?

Posted by Michael Jacobs on 09-Apr-2019 10:46

Not at this time.

The session-id is currently sync'd with the HTTP session that identifies the client login session.  In that way the C-P reflects the same ID as is used to track client login sessions & timeouts to PASOE.  

I assume you are thinking that the OERealmHybrid class is the client's user authentication instead of a source of user account field information.   That being said...  I would appreciate knowing your use-case for the OERealmHybrid class returning a session-id as part of the user account information?   That is, if you will share so we can learn more of how this feature could be useful.

Posted by Blake Stanford on 11-Apr-2019 17:40

For clarification, we are on Classic Appserver not PASOE.

We currently use the OERealmHybrid to authenticate our JSDO based REST services.  In the IHybridRealm implementation class, we set several attributes in the CP (name, email, userid, etc..) from database tables and validate that the user is authorized to use the service (not disabled, locked out in some way and licensed).  We also create a session_context record in the database and use the SESSION-ID in the CP as the key, if the user is authenticated.  For other  parts of our application GUI client non-JSDO based REST services we use application based authentication, the same session_context record is created but we use an internally created key, a GUID prefixed with a value that allows us to further identify from where the context_id was created. This context_id is then passed in to the appserver, either as a parameter from mapped REST based services or on the REQUEST-INFO:ClientContextID for Windows GUI clients and other Appserver clients.  The activation event procedure sets the appropriate context for the user from the session_context records.  So the use case would be to allow us to change the SESSION-ID in the CP to match our prefixed style of context_id key.  

This thread is closed