Hi there,
when setting up the hybrid realm for PASOE rest/web authentication the domain that will be part of the client-principals full user name is part of the Tomcat config (e.g. in the oeablSecurity-form-oerealm.xml file).
When we need to support multiple domains (multi-tenancy) we could setup multiple tomcat apps, each with it's own security config file (oeablSecurity-form-oerealm.xml). The login page would then be reachable as
https://server/domain1/web/login.html
https://server/domain2/web/login.html
But how can we achieve a setup where the user in the browser, could login using
username@domain1 or username@domain2
or we have a combo-box with all available login domains?
Goal is that a single website allows the user to login
Hi Mike,
Is your goal to login to a form-oerealm security based application with username@domain ? If it is the case then we have written a white-paper on using OERealm with multi-tenant database for WEB transport. It might be of some use to you.
community.progress.com/.../3038
Let me know if I understood your question correctly.
when implementing this according to the whitepaper, how exactly is the oeRealm expected to work? to validate the password, the realm needs to access the correct tenant. does this mean it needs to act as a Super-Tenant? Or am I missing something here?
Is there some sample code available for a OERealm with multi-tenancy?
Thanks,
Mike
The purpose of super-tenant is to act as an administrator who has rights to access the OERealm and validate logged in multi-tenant users account. After validation of users account, the Client-Principal will be created for the authenticated user and the records will be generated for that specific user.
I should have example for it. Will look for it and share it with you.
[View:/cfs-file/__key/communityserver-discussions-components-files/19/IdmActivate.p:320:240][View:/cfs-file/__key/communityserver-discussions-components-files/19/IdmStartup.p:320:240][View:/cfs-file/__key/communityserver-discussions-components-files/19/Webspeed_5F00_MTDBHandler.cls:320:240]
Attached the code I used to test OERealm with a Multi-tenant database as per the Whitepaper.
Hi Irfan,
thanks for sharing that code.
Do you also have a sample for the actual HybrydRealm.cls which?
We have setup multitenancy so that the user table in our application database is not shared between the tenants. That means, that e.g. in validateUser in our hybridRealm class, we already need to set the correct tenant before we can read data from the user table. So I think something like this would be neccesary:
IF NOT IS-DB-MULTI-TENANT("db":U) THEN
RETURN.
IF NUM-ENTRIES(pcDomain, "@":U) > 1 THEN
ASSIGN pcDomain = ENTRY(2, pcDomain, "@":U).
IF SETUSERID("superUser", "pw", "db") THEN
DO:
SET-EFFECTIVE-TENANT (pcDomain, "db").
END.
and after that we can access the application user table.
Am I on the right track here? An alternative would be to have a user table that is shared by all tenants, but that is something the I would want wo avoid...
Mike,
The reason for having super-user/admin is to have someone who can be trusted to access and execute the HybridRealm Class. We are not sharing the information across all the tenants, we are only allowing super-user to get access across all the user tables. In the code I forwarded you earlier and the HybridRealm class that I am sending you now(which is generic) does not have any usernames and passwords in clear-text or encrypted format. The users identity in the ABL is done only by the sealed Client-Principal that is created by the Spring Security, this way no one can read any account details by scanning through your ABL code.
Attached the HybridRealm Class. [View:/cfs-file/__key/communityserver-discussions-components-files/19/HybridRealm.cls:320:240]
Hello,
when using not the _User table with a multitenant database but using an individual AppUsers table which is a multitenant table, the only way to find the user, is to have a superuser which can query the table with tenant-where option in the HybridRealm, right?
So when using only the superuser, it's necessary to add this superuser to the _User table which is assigned to the super domain / tenant.
To set the tenant of the incoming client-principal user for every request to the PASOE/AppServer, it's necessary to use a setuserid("super","super") before the set-effective-tenant(client-principal:domain-name) method switches to the required tenant. At least it's necessary to run the setuserid only once at the startup of the agent, because the set-effective-tenant doesn't change the userid.
The problem in the client principal of the Spring class is, that I didn't find how to set the domain-name with the getAttribute Method in the Hybridrealm. I wonder when this line of code is used:
WHEN OERealmDefs:REALM_ATTR_DOMAIN THEN
retVal = _User._Domain-Name.
So to assign the domain-name attribute of the client principal in the Spring, it's necessary to use the user@domain notation.
Is this the correct approach?
Regards
Peter
Peter,
The super-user that access the HybridRealm class can be set using "realmUserToken" in the OERealm Spring Security.
It can be created using "genspacp" utility as below
genspacp -password pscsaas.admin -user mywebapp -role OERealmClient
-domain OERealmClients -file wrk/superuser.cp
The "realmUserToken" attribute is available in OERealmUserDetails bean
<b:property name="realmTokenFile" value="superuser.cp" />
So, whenever you make a call to HybridRealm class, the user defined in the client-principal file(superuser.cp) will be picked and sent to the appserver.
Regarding your second question, if you want to run multi-tenant(passing a user with domain) then you have to set "multiTenant" property to "true" so that the domain is parsed and passed as an attribute for "REALM_ATTR_DOMAIN". This property is available in "OERealmAuthProvider" bean.
<b:bean id="OERealmAuthProvider"
<b:property name="multiTenant" value="true" />
>when using not the _User table with a multitenant database but using an individual AppUsers table which is a multitenant table, the only way to find the user, is to have a superuser which can
>query the table with tenant-where option in the HybridRealm, right?
> So when using only the superuser, it's necessary to add this superuser to the _User table which is assigned to the super domain / tenant.
Hello again,
the SPAClient.cp file works fine for the HybridRealm class. Now the final WebHandler or the startup.p on the PASOE session startup needs to switch to the correct tenant. The incoming client principal is now the final user client principal.
How would you switch to the tenant of the user?
Currently I succesfully used the superuser in the _user table, who is assigned to the super tenant.
I set set userid to the superuser and switch to the effective tenant of the incoming client principal.
Have in mind, that we don't have users in the _User table except the super user.
Is this the only preferred solution?
Regards
Peter