appSecurity-form-openid.xml

Posted by Peter Willer on 02-May-2017 03:34

Hello,

Did someone do a job and implement OpenID with OpenEdge Spring Security and would like to share it? Or is OpenEdge Spring Security limited to these types (ldap, oerealm, local, saml, container)? The idea is to have a client principal for the PASOE calls, even if the authentication was done through OpenID.

Thank you

Regards

Peter

All Replies

Posted by Michael Jacobs on 03-May-2017 06:30

Hello Peter,

One of the reasons OpenEdge chose Spring Security was for its extensibility by both OpenEdge and customers.   OpenEdge does redistribute and update certain Spring Security libraries and configurations for convenience to our customers who don't have to become experts.   We do distribute some Spring Security libraries for other projects OpenEdge does not supply configurations for, but not all of them.   But we don't limit enterprising individuals, like yourself, who create their own configurations or use any of the OpenEdge distributed libraries, so adding in the Spring Security OpenID project fits well.   

OpenEdge itself extends the core Spring Security by integrating it with the ABL application ( via a Client-Principal ) and in handling pure RESTful APIs.  We'll maintain and support those extensions and you may freely use them in your own Spring Security configurations.  

I personally think redistributing your work would be a great idea. Perhaps you can add in an Apache 2 open source license and post it on GitHub? We can also have an off-line conversation if you like and talk about redistributing your configuration with OpenEdge.

One last note:  starting in 11.7.0 the Spring Security configurations have been refactored for better maintainability and ease of use.   I would expect someone who can configure their own OpenID support would have no problems doing an update.

Please add a note to this forum with what you decide to do next.

Mike Jacobs

Posted by kevin hermans on 04-May-2017 09:51

I am also very interested in a project like this because we have also to implement the OpenId in the spring framework in a couple of months.

I can see that there are some files with OAuth 2.0 references, and OpenID is built on top of this; great, you think.

But then I opened the file "oauth2LoginModel.xml" in 11.7 and there is a small note:

   <!-- NOTE: the OAuth2 authorization service is explicitly disabled and
        does not respond to the oauth2.AuthorizationServer.enable property.
        The property and this import is put into place for inclusion in
        a future, unspecified, release -->

Posted by Michael Jacobs on 07-May-2017 06:16


Just to clarify, in Spring's OAuth2 project the roles of the "authorization server" and "service provider" are configured separately so they can exist on separate servers and web applications. However, support for both is combined in the same physical libraries.

The oauth2LoginModel.xml is only configured to operate as a "service provider", with the capability for OE to add "authorization server" sometime later.   Hence the comment to not enable the "authorization server" support.

The oauth2LoginModel.xml configuration for the "service provider" is 99% pure Spring Security (with the remainder being REST & OE Client-Principal integration). You'll see that the type of OAuth2 Access Token support is defaulted to "self-contained" (aka ID tokens in some documents) and has support for validating the Access Tokens using HMAC shared keys, or PKI digital certificates. The type of OAuth2 "identifier" Access Tokens has been shown to be specific to the "authorization server" implementation and can be problematic.

Does that help clarify?

Mike J.

Posted by kevin hermans on 07-Jun-2017 07:24

Michael, may I ask a question, because I have the feeling you understand this very well.

So in the "Spring security process" there is a block "j_spring_security_check" followed by authenticate.
Then "OERealmAuthProvider" is called and at the end Progress creates the client-principal and adds it to the session memory, and done. This is for the regular authentication provided by Progress, nice and easy.

But what if we want to make a custom one, for example "j_custom_security_check",
and replace the "OERealmUserDetailsImpl" with our custom ABL procedure we can all write on our own :)
Then we can add extra parameters and catch all the different logon providers here. Because I don't understand much of the Spring architecture.

It looks to me like a "simple" copy and paste and adjusting some variables. But I don't know where to start.
Can you give me a hint please?
Else I will read the Spring Security docs and adopt it into my knowledge base :).

Thank you

Attachment: OERealmSecurityOverview.pdf

Posted by Peter Judge on 08-Jun-2017 10:16

Hi Kevin,
 
Attached are some slides from a past PUG which (hopefully) show the flow of the Spring stuff.
 
You should think of your OERealm implementation as a SPA (single point of authentication) which is separate from the JSP or whatever login page you choose.

This thread is closed