PASOE 11.7 Basic OERealm Authentication

Posted by Darren Parr on 02-May-2017 12:02


We’ve just started playing with PAS in 11.7. I can see the security stuff has been migrated into from web.xml. I’ve gone through the steps I had for configuring basic oerealm authentication to the same pas server. We’re making a rest call at the moment but the intention is to turn on authentication for apsv and soap also.

For whatever reason we can’t get this to work and there doesn’t seem to be any KB. We've configured or changed the following.



OERealm.AuthProvider.userDomain=Domain (values hidden)





In addition I’ve copied the oespaclient.cp file into common/lib.


When running this we get a strange error in the instance log file.

16:36:05.623/265866 [catalina-exec-56] ERROR c.p.a.s.s.OERealmUserDetailsImpl - Username load error for biuser@STYLEsso re: Realm o4gl error: com.progress.open4gl.dynamicapi.SessionPool$NoAvailableSessionsException: SessionPool : NoAvailableSessions[The http protocol connection failed: HTTP client error (403): Forbidden (9990)]

This doesn't make sense. The same apsv transport url is taking connections fine. There is no sign whatsoever that a conection even reaches the appserver. Ive put debug in the HybrdiRealm class and there's nothing in the log file.

Any ideas?


All Replies

Posted by Matt Baker on 02-May-2017 12:06 (values hidden)

You have a typo.  Should be “oech1::” not “ech1::”. (values hidden)


Posted by Darren Parr on 03-May-2017 04:18

Sorry. My mistake when dropping this into the forum.. The password begins "oech1::" correctly in my file.



Posted by Irfan on 03-May-2017 04:38


Is your HybrdiRealm class in the same PASOE instance or a different one.If it is the same and if you are using APSV protocol, then you will go into an endless loop based on your realmURL. If you are using just one PASOE Instance then please change the URL to use the defaults(internal://nxgas).

In-case you are using two different PASOE instance(1 running the WebApplication and the other one having the HybridRealm class) make sure that "APSV" adapter is enabled in If not you will be seeing a 403 error.

Posted by Darren Parr on 03-May-2017 06:04

Yes it is. I've only done what I did in a previous version. I've tried it as you suggest but changing the realm back and it doesn't work at all. I don't get an available session error. I just get a user not found message.



Posted by Irfan on 03-May-2017 06:42


I believe the "User not found" message is from the ABL, so you can debug the ABL code and see why it says user not found. Does MSAgent logs point the method in which the HybridRealm is failing ?

Posted by Darren Parr on 03-May-2017 08:08

Hi. This is not the case. My hybrid realm doesnt have text of that nature. I can confirm it never gets to the appserver. No connection at all.

This is a rest call. My property file now points at internal://nxgas and it looks like its using some kind of internal user list. It never makes a call to the appserver. With the realm pointing to the same instance (ie http://localhost:17500/apsv), it falls over with the errors in my first post.

This all worked fine previously.


Posted by Irfan on 03-May-2017 08:37

I would have to debug it. Can you try to disable "OERealm.UserDetails.realmTokenFile" property, restart the instance and try again ?

If that doesn't show much information then you can send the repro to me, I can debug it and let you know what might be wrong.

OERealm on 11.7 seems to be working fine for me, so was wondering what might be wrong.

Posted by Michael Jacobs on 04-May-2017 04:30

When things don't make sense during the authentication process I first enable (i.e. uncomment) the OpenEdge logging in 'WEB-INF/logging,.xml'.   When logging for the entire Java package path it will print lots of information, but I scan for something with 'error' in it to see if it will give me a clue.   Pay particular attention to logging entries with the name 'OERealm' in them.

<logger name="" level="DEBUG"/>

If the log files show errors we can help interpret their meaning if they are not clear.

Mike J.

This thread is closed