Hybrid Realm and multiple Domains

Posted by Mike Fechner on 19-Aug-2016 05:07

Hi there,

when setting up the hybrid realm for PASOE rest/web authentication the domain that will be part of the client-principals full user name is part of the Tomcat config (e.g. in the oeablSecurity-form-oerealm.xml file).

When we need to support multiple domains (multi-tenancy) we could setup multiple tomcat apps, each with it's own security config file (oeablSecurity-form-oerealm.xml). The login page would then be reachable as



But how can we achieve a setup where the user in the browser, could login using 

username@domain1 or username@domain2 

or we have a combo-box with all available login domains?

Goal is that a single website allows the user to login 

All Replies

Posted by Irfan on 19-Aug-2016 09:29

Hi Mike,

Is your goal to login to a form-oerealm security based application with username@domain ? If it is the case then we have written a white-paper on using OERealm with multi-tenant database for WEB transport. It might be of some use to you.


Let me know if I understood your question correctly.

Posted by Mike Fechner on 19-Aug-2016 09:54

Thanks. Will check that out.

Outlook for Android herunterladen

Posted by Akioma on 09-Jan-2017 12:29

when implementing this according to the whitepaper, how exactly is the oeRealm expected to work? to validate the password, the realm needs to access the correct tenant. does this mean it needs to act as a Super-Tenant? Or am I missing something here?

Is there some sample code available for a OERealm with multi-tenancy?



Posted by Irfan on 09-Jan-2017 13:19

The purpose of super-tenant is to act as an administrator who has rights to access the OERealm and validate logged in  multi-tenant users account. After validation of users account, the Client-Principal will be created for the authenticated user and the records will be generated for that specific user.

I should have example for it. Will look for it and share it with you.

Posted by Irfan on 10-Jan-2017 10:40


Attached the code I used to test OERealm with a Multi-tenant database as per the Whitepaper.

Posted by Akioma on 23-Jan-2017 10:47

Hi Irfan,

thanks for sharing that code.

Do you also have a sample for the actual HybrydRealm.cls which?

We have setup multitenancy so that the user table in our application database is not shared between the tenants. That means, that e.g. in validateUser in our hybridRealm class, we already need to set the correct tenant before we can read data from the user table. So I think something like this would be neccesary:



       IF NUM-ENTRIES(pcDomain, "@":U) > 1 THEN

           ASSIGN pcDomain = ENTRY(2, pcDomain, "@":U).

       IF SETUSERID("superUser", "pw", "db") THEN


           SET-EFFECTIVE-TENANT (pcDomain, "db").


and after that we can access the application user table.

Am I on the right track here? An alternative would be to have a user table that is shared by all tenants, but that is something the I would want wo avoid...

Posted by Irfan on 23-Jan-2017 18:09


The reason for having super-user/admin is to have someone who can be trusted to access and execute the HybridRealm Class. We are not sharing the information across all the tenants, we are only allowing super-user to get access across all the user tables. In the code I forwarded you earlier and the HybridRealm class that I am sending you now(which is generic) does not have any usernames and passwords in clear-text or encrypted format. The users identity in the ABL is done only by the sealed Client-Principal that is created by the Spring Security, this way no one can read any account details by scanning through your ABL code.

Attached the HybridRealm Class. [View:/cfs-file/__key/communityserver-discussions-components-files/19/HybridRealm.cls:320:240]

Posted by Peter Willer on 27-Jan-2017 08:18


when using not the _User table with a multitenant database but using an individual AppUsers table which is a multitenant table, the only way to find the user, is to have a superuser which can query the table with tenant-where option in the HybridRealm, right?

So when using only the superuser, it's necessary to add this superuser to the _User table which is assigned to the super domain / tenant.

To set the tenant of the incoming client-principal user for every request to the PASOE/AppServer,  it's necessary to use a setuserid("super","super") before the set-effective-tenant(client-principal:domain-name) method switches to the required tenant. At least it's necessary to run the setuserid only once at the startup of the agent, because the set-effective-tenant doesn't change the userid.

The problem in the client principal of the Spring class is, that I didn't find how to set the domain-name with the getAttribute Method in the Hybridrealm. I wonder when this line of code is used:

               WHEN OERealmDefs:REALM_ATTR_DOMAIN THEN

                   retVal = _User._Domain-Name.

So to assign the domain-name attribute of the client principal in the Spring, it's necessary to use the user@domain notation.

Is this the correct approach?



Posted by Irfan on 27-Jan-2017 09:11


The super-user that access the HybridRealm class can be set using "realmUserToken" in the OERealm Spring Security.

It can be created using "genspacp" utility as below

genspacp -password pscsaas.admin -user mywebapp -role OERealmClient

-domain OERealmClients -file wrk/superuser.cp

The "realmUserToken" attribute is available in OERealmUserDetails bean

<b:property name="realmTokenFile" value="superuser.cp" />

So, whenever you make a call to HybridRealm class, the user defined in the client-principal file(superuser.cp) will be picked and sent to the appserver.

Regarding your second question, if you want to run multi-tenant(passing a user with domain) then you have to set "multiTenant" property to "true" so that the domain is parsed and passed as an attribute for "REALM_ATTR_DOMAIN". This property is available in "OERealmAuthProvider" bean.

<b:bean id="OERealmAuthProvider"

           <b:property name="multiTenant" value="true" />

Posted by Peter Judge on 27-Jan-2017 10:02

In addition to Irfan’s reply

>when using not the _User table with a multitenant database but using an individual AppUsers table which is a multitenant table, the only way to find the user, is to have a superuser which can
>query the table with tenant-where option in the HybridRealm, right?

This is sort-of what LDAP does too: there’s a user-to-access-the-user-accounts (“query user”) which is not the same as the user in the business application.

> So when using only the superuser, it's necessary to add this superuser to the _User table which is assigned to the super domain / tenant.

The tenancy is keyed off the domain , so you don’t need a user. If you create a  client-principal the way that Irfan suggests you can map that domain to a super-tenant. Make the domain’s authentication system _EXTSSO and you should be all set.
I can’t remember if the OERealm calls assert the realm user.  You’ll need to assert the ‘lookup user” using SET-DB-CLIENT(<client-principal>) or SECURITY-POLICY:SET-CLIENT(<client-principal>) . The SET-EFFECTIVE-TENANT() call will be based on the value that is passed into ValidateUser() .

Posted by Peter Willer on 03-Feb-2017 10:59

Hello again,

the SPAClient.cp file works fine for the HybridRealm class. Now the final WebHandler or the startup.p on the PASOE session startup needs to switch to the correct tenant. The incoming client principal is now the final user client principal.

How would you switch to the tenant of the user?

Currently I succesfully used the superuser in the _user table, who is assigned to the super tenant.

I set set userid to the superuser and switch to the effective tenant of the incoming client principal.

Have in mind, that we don't have users in the _User table except the super user.

Is this the only preferred solution?



This thread is closed