Help with OERealm Authentication

Posted by RWEBSTER on 28-Apr-2015 11:36

I'm really struggling to get our REST adapter apps to make use of _User authentication.

I've followed the instructions set out in KB article 000058538, "What are the basic steps to authenticate REST clients against the OpenEdge database _User table?", almost exactly (I omitted the step of signing the OERealm object against a specific appserver - I assume this step is optional in a development scenario).

When visiting ...login.html and providing user credentials the page returns "Not available" and the JSessionID and OESessionID cookies do not appear to change.

I believe I've misconfigured the Appserver mapping as the standalone appserver that's acting as a token service is showing no activity at all; as though the Spring request is not calling the appserver.

Any help greatly appreciated!

All Replies

Posted by Michael Jacobs on 28-Apr-2015 13:09

It may be that you have already done these things, but it sounds like basic connection configuration.

The "OERealmUserDetails" bean describes the connection to the AppServer and the Singleton OOABL class it uses.

What is the value of <b:bean id="OERealmUserDetails"

<b:property name="realmURL" value="???" />

<b:property name="realmClass" value="???" />

Are you connecting to an AppServer using 'direct connect' or 'NameServer'?

When you start the AppServer can you verify that the realmClass is in PROPATH?

Posted by RWEBSTER on 29-Apr-2015 09:09

Thanks Mike, your response prompted me to re-examine things, and I've since resolved a propath issue.

I'm now seeing:

[15/04/29@15:03:34.762+0100] P-019664 T-001044 1 AS -- (Procedure: 'ValidateUser OpenEdge.Security.Realm.HybridRealm' Line:102) userName:  user1@RESTDomain

[15/04/29@15:03:34.762+0100] P-019664 T-001044 1 AS -- Unauthorized client

In my appserver logs - does that mean my user (user1) is not being authenticated; or is this because I didn't sign the code for use on the specified appserver?

Posted by Michael Jacobs on 29-Apr-2015 10:39

Hi Ross,

The sample OERealm server class implements an authenticated and authorized client check named ValidateClient(). In this case the 'client' is the OERealm client that runs inside of the REST service. You don't want any random ABL client to connect and use the API to discover user accounts and their passwords. So the sample is set up so that the OERealm client can pass a sealed Client-Principal to the OERealm server class, which can validate it and determine whether to surrender account information or not. (The Client-Principal file to put into your REST service is created using the $DLC/bin/genspacp utility.)

You configure the OERealm client side to send, or not, the Client-Principal file (i.e. TokenFile) via the property:

<b:property name="realmTokenFile" value="" />

As you are just getting started, alter the ValidateClient() to return TRUE until you are ready to integrate OERealmClient security?
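
An added example, not part of the thread or of Progress's sample code: a small Python check over the Spring security XML that reports whether the OERealmUserDetails bean discussed in the replies above has realmURL, realmClass and realmTokenFile set, and whether the URL is direct connect or NameServer. The sample XML, host, ports, bean class and token file name are constructed placeholders, and the scheme-to-mode table is an assumption based on OpenEdge AppServer URL conventions.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/beans}"
# URL scheme -> connection mode (assumed from OpenEdge AppServer URL conventions)
MODES = {"appserver": "NameServer", "appservers": "NameServer",
         "appserverdc": "direct connect", "appserverdcs": "direct connect"}

# Constructed sample: host, ports, bean class and token file name are placeholders.
TEMPLATE = """<b:beans xmlns:b="http://www.springframework.org/schema/beans">
  <b:bean id="OERealmUserDetails" class="example.PlaceholderRealmClient">
    <b:property name="realmURL" value="{url}" />
    <b:property name="realmClass" value="OpenEdge.Security.Realm.HybridRealm" />
    <b:property name="realmTokenFile" value="{token}" />
  </b:bean>
</b:beans>"""
DEV_CONFIG = TEMPLATE.format(url="AppServerDC://localhost:3090/", token="")
LOCKED_CONFIG = TEMPLATE.format(url="AppServer://localhost:5162/asbroker1",
                                token="realm-client.cp")


def audit_oerealm(xml_text, bean_id="OERealmUserDetails"):
    """Return (connection_mode, findings) for the OERealm client bean."""
    root = ET.fromstring(xml_text)
    bean = next((b for b in root.iter(NS + "bean") if b.get("id") == bean_id), None)
    if bean is None:
        return None, [f"bean {bean_id} not found"]
    # Collect <b:property name=... value=...> pairs, trimming whitespace.
    props = {p.get("name"): (p.get("value") or "").strip()
             for p in bean.findall(NS + "property")}
    findings = []
    for name in ("realmURL", "realmClass"):
        if props.get(name, "") in ("", "???"):
            findings.append(f"{name} is not set")
    # Classify the connection by URL scheme; anything else is reported as unknown.
    scheme, sep, _ = props.get("realmURL", "").partition("://")
    mode = MODES.get(scheme.lower(), "unknown") if sep else "unknown"
    # An empty token file means no sealed Client-Principal reaches ValidateClient().
    if not props.get("realmTokenFile"):
        findings.append("realmTokenFile is empty: no Client-Principal is sent, "
                        "so the realm class cannot tell this client from any other")
    return mode, findings


if __name__ == "__main__":
    for label, cfg in (("dev", DEV_CONFIG), ("locked", LOCKED_CONFIG)):
        print(label, audit_oerealm(cfg))
```
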

Posted by RWEBSTER on 30-Apr-2015 02:40

Hi Mike,

That did the trick. I agree in deployment we need to protect the Auth service; but as you say, short term my primary concern was getting up and running in terms of the concept; we'll lock down later.

Thanks for the assist.

Posted by Michael Jacobs on 30-Apr-2015 04:44

Come back on-line when you are ready to reengage the validateClient() and secure your OERealm server.  We can assist you should you run into problems again.

Mike J.

This thread is closed