Hybrid Realm and multiple Domains

Hi Mike,

Is your goal to login to a form-oerealm security based application with username@domain ? If it is the case then we have written a white-paper on using OERealm with multi-tenant database for WEB transport. It might be of some use to you.

community.progress.com/.../3038

Let me know if I understood your question correctly.

Thanks. Will check that out.

Outlook for Android herunterladen

when implementing this according to the whitepaper, how exactly is the oeRealm expected to work? to validate the password, the realm needs to access the correct tenant. does this mean it needs to act as a Super-Tenant? Or am I missing something here?

Is there some sample code available for a OERealm with multi-tenancy?

Thanks,

Mike

The purpose of super-tenant is to act as an administrator who has rights to access the OERealm and validate logged in  multi-tenant users account. After validation of users account, the Client-Principal will be created for the authenticated user and the records will be generated for that specific user.

I should have example for it. Will look for it and share it with you.

[View:/cfs-file/__key/communityserver-discussions-components-files/19/IdmActivate.p:320:240][View:/cfs-file/__key/communityserver-discussions-components-files/19/IdmStartup.p:320:240][View:/cfs-file/__key/communityserver-discussions-components-files/19/Webspeed_5F00_MTDBHandler.cls:320:240]

Attached the code I used to test OERealm with a Multi-tenant database as per the Whitepaper.

Hi Irfan,

thanks for sharing that code.

Do you also have a sample for the actual HybrydRealm.cls which?

We have setup multitenancy so that the user table in our application database is not shared between the tenants. That means, that e.g. in validateUser in our hybridRealm class, we already need to set the correct tenant before we can read data from the user table. So I think something like this would be neccesary:

       IF NOT IS-DB-MULTI-TENANT("db":U) THEN

           RETURN.

       IF NUM-ENTRIES(pcDomain, "@":U) > 1 THEN

           ASSIGN pcDomain = ENTRY(2, pcDomain, "@":U).

       IF SETUSERID("superUser", "pw", "db") THEN

       DO:

           SET-EFFECTIVE-TENANT (pcDomain, "db").

       END.

and after that we can access the application user table.

Am I on the right track here? An alternative would be to have a user table that is shared by all tenants, but that is something the I would want wo avoid...

Mike,

The reason for having super-user/admin is to have someone who can be trusted to access and execute the HybridRealm Class. We are not sharing the information across all the tenants, we are only allowing super-user to get access across all the user tables. In the code I forwarded you earlier and the HybridRealm class that I am sending you now(which is generic) does not have any usernames and passwords in clear-text or encrypted format. The users identity in the ABL is done only by the sealed Client-Principal that is created by the Spring Security, this way no one can read any account details by scanning through your ABL code.

Attached the HybridRealm Class. [View:/cfs-file/__key/communityserver-discussions-components-files/19/HybridRealm.cls:320:240]

Hello,

when using not the _User table with a multitenant database but using an individual AppUsers table which is a multitenant table, the only way to find the user, is to have a superuser which can query the table with tenant-where option in the HybridRealm, right?

So when using only the superuser, it's necessary to add this superuser to the _User table which is assigned to the super domain / tenant.

To set the tenant of the incoming client-principal user for every request to the PASOE/AppServer,  it's necessary to use a setuserid("super","super") before the set-effective-tenant(client-principal:domain-name) method switches to the required tenant. At least it's necessary to run the setuserid only once at the startup of the agent, because the set-effective-tenant doesn't change the userid.

The problem in the client principal of the Spring class is, that I didn't find how to set the domain-name with the getAttribute Method in the Hybridrealm. I wonder when this line of code is used:

               WHEN OERealmDefs:REALM_ATTR_DOMAIN THEN

                   retVal = _User._Domain-Name.

So to assign the domain-name attribute of the client principal in the Spring, it's necessary to use the user@domain notation.

Is this the correct approach?

Regards

Peter

Peter,

The super-user that access the HybridRealm class can be set using "realmUserToken" in the OERealm Spring Security.

It can be created using "genspacp" utility as below

genspacp -password pscsaas.admin -user mywebapp -role OERealmClient

-domain OERealmClients -file wrk/superuser.cp

The "realmUserToken" attribute is available in OERealmUserDetails bean

<b:property name="realmTokenFile" value="superuser.cp" />

So, whenever you make a call to HybridRealm class, the user defined in the client-principal file(superuser.cp) will be picked and sent to the appserver.

Regarding your second question, if you want to run multi-tenant(passing a user with domain) then you have to set "multiTenant" property to "true" so that the domain is parsed and passed as an attribute for "REALM_ATTR_DOMAIN". This property is available in "OERealmAuthProvider" bean.

<b:bean id="OERealmAuthProvider"

           <b:property name="multiTenant" value="true" />

Hello again,

the SPAClient.cp file works fine for the HybridRealm class. Now the final WebHandler or the startup.p on the PASOE session startup needs to switch to the correct tenant. The incoming client principal is now the final user client principal.

How would you switch to the tenant of the user?

Currently I succesfully used the superuser in the _user table, who is assigned to the super tenant.

I set set userid to the superuser and switch to the effective tenant of the incoming client principal.

Have in mind, that we don't have users in the _User table except the super user.

Is this the only preferred solution?

Regards

Peter