GetClientPrincipal returns unknown value for REST

Posted by wvdgraaf on 24-Jan-2019 09:37

Again I'm struggling with validating a token received from a Single Sign On server.

I changed the configuration in oeablSecurity.properties and tested this using the /web/_oepingService.

The result is correct. I get a valid handle using GetClientPrincipal and I can access all information contained in the token.

BUT! When I try to access my REST service, suddenly GetClientPrincipal returns the unknown value and I'm stuck.

It's the same PASOE server instance (11.7.4) and I use the idmactivate.p procedure to check the contents of the token.

WHY is calling /web/_oepingService different from calling /wilko/rest/wilkoService/debug? In both cases it will first start the idmactivate procedure.

/* append one timestamped line to a debug log */
function debug2logg returns logical (input cMelding as character):
  output to value("c:\temp\debugg.log") append.
  put unformatted string(now) " " cMelding skip.
  output close.
  return true.   /* a function has to return a value */
end function.

define variable hCP      as handle    no-undo.
define variable cReqName as character no-undo.

cReqName = session:current-request-info:procedureName.
hCP = session:current-request-info:GetClientPrincipal().
if valid-handle(hCP) then
  debug2logg(cReqName + ": " + hCP:qualified-user-id).
else
  debug2logg(cReqName + ": GetClientPrincipal() returned an invalid handle").

All Replies

Posted by Irfan on 24-Jan-2019 14:03

Hi Wilko,

Can you please provide your oeablSecurity.properties file as set for both of the webapps? Are REST and WEB running on two different webapps or the same one?

Posted by wvdgraaf on 24-Jan-2019 14:08

Thank you Irfan,

I solved the problem by deploying the service to the root of the pasoe webapp.

Using /rest/wilkoService/debug everything works fine.

It probably has something to do with the oeablSecurityJWT.csv file.

Regards,

Wilko

Posted by wvdgraaf on 28-Jan-2019 13:18

It's a little different now.

At the first call to the REST service I get a valid handle and can read all properties from the token.

With every subsequent call, the handle assigned with

hCP = session:current-request-info:GetClientPrincipal().

is unknown. Only after restarting PASOE do I get a one-time correct result.

So it seems that somehow the client-principal is lost. For every call to my rest server I send the same Bearer token.

Maybe there is a "global" variable somewhere that still contains the correct handle?

Here's the contents of my oeablsecurity.properties file.

## login model

client.login.model=oauth2

## The clear-text key value is 'JWTkey'. The encrypted value is generated using 'genpassword'

OEClientPrincipalFilter.domain=flusso.nl

OEClientPrincipalFilter.registryFile=oauth2reg.bin

##OEClientPrincipalFilter.key=oech1::1a051b0c373c

## JWT token handler properties for jwtAuthFilter & oauth2.resSvc..

jwtToken.signatureAlg=RS256

jwtToken.keystore.type=pem

jwtToken.keystore.path=${catalina.base}/conf/jwtkeys

jwtToken.keystore.alias=publiccert

## OAuth2 Resource server configuration

#oauth2.resSvc.audience=WAPPartnerID001

oauth2.resSvc.audience=itkracht

oauth2.resSvc.tokenServices=oauth2

## Debugging

OESSO.error.detail=2

Posted by Irfan on 28-Jan-2019 13:58

I tried the same on 11.7 for HMAC and RSA and it works fine for me. Once the token is generated, I can run it as many times as I want on my REST Service and the CP created by it is validated correctly.

Posted by Irfan on 28-Jan-2019 13:58

Would you like to increase the logging and see what you get?

Posted by wvdgraaf on 28-Jan-2019 14:26

my (simplified) code:

Maybe somebody can point me to an error concerning the way I try to use authorization.

The restDispatcher class handles all calls from the REST interface. So I also have dispatchPost, dispatchPut and dispatchDelete.

They all do checklogin(picService) for authorization before executing the rest of the code.

@openapi.openedge.export FILE(type="REST", executionMode="singleton", useReturnValue="false", writeDataSetBeforeImage="false").

using Progress.Lang.*.

routine-level on error undo, throw.

class restDispatcher:

  @openapi.openedge.export(type="REST", useReturnValue="false", writeDataSetBeforeImage="false").
  method public void dispatchGet(input  picService    as character,
                                 input  picHeaders    as character,
                                 input  picRequest    as character,
                                 output poiHttpStatus as integer,
                                 output pocResponse   as longchar):
    if checklogin(picService) then
    do:
      /* rest of code */
    end.
    else
      poiHttpStatus = 401.   /* no usable identity on the request: refuse it */
  end method.

  /* Resolve the caller from the request's client-principal and check
     the application's own authorization table. */
  method private logical checklogin(input picService as character):
    define variable hCP      as handle    no-undo.
    define variable username as character no-undo.

    hCP = session:current-request-info:GetClientPrincipal().
    if valid-handle(hCP) then
    do:
      username = entry(1, hCP:qualified-user-id, "@").
      /* check user authorization in application database */
      return userIsAuthorized(picService, username).
    end.
    return false.
  end method.

  method private logical userIsAuthorized(input cFunction as character,
                                          input cUser     as character):
    return true.   /* placeholder in the original post */
  end method.

end class.
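The checklogin() above treats "handle is valid" as "caller is authenticated", which is the symptom this thread chases: a valid handle can still carry a logged-out or expired identity, and an invalid handle is silently mapped to "not authorized" with nothing in the log. The following is an added example, written for this page and not code from the poster or from Progress; it assumes a class named authzCheck, a hypothetical role name "wilkoService.read" and a log subsystem "AUTHZ". It reads the client-principal the way a resource server should: deny and log when there is no handle, deny when LOGIN-STATE is not "LOGIN", honour the expiry the token carried, check the role, and never delete the handle (the thread attributes the disappearing handle to application code deleting or corrupting it, so this code only reads from it).

```abl
/* Added example (not from the thread): a hardened replacement for
   checklogin(). Assumed names: class authzCheck, method isAuthorized(),
   log subsystem "AUTHZ"; the role name is chosen by the caller. */
block-level on error undo, throw.
using Progress.Lang.*.

class authzCheck:

  /* TRUE only when the request carries a usable, still-valid
     client-principal that holds the required role. */
  method public static logical isAuthorized(input pcService as character,
                                            input pcRole    as character):
    define variable hCP as handle no-undo.

    hCP = session:current-request-info:GetClientPrincipal().

    /* No CP at all: PASOE did not authenticate this request, or the CP
       was lost earlier in the session. Log it and deny; do not fall through. */
    if not valid-handle(hCP) then
    do:
      log-manager:write-message(
        substitute("DENY &1: no client-principal on request &2",
                   pcService, session:current-request-info:ProcedureName),
        "AUTHZ").
      return false.
    end.

    /* A handle can be valid while the identity is no longer usable. */
    if hCP:login-state <> "LOGIN" then
    do:
      log-manager:write-message(
        substitute("DENY &1: login-state is &2 for &3",
                   pcService, hCP:login-state, hCP:qualified-user-id),
        "AUTHZ").
      return false.
    end.

    /* Honour the expiry carried in the CP (unknown means no expiry). */
    if hCP:login-expiration-timestamp <> ? and
       hCP:login-expiration-timestamp < now then
    do:
      log-manager:write-message(
        substitute("DENY &1: expired identity &2",
                   pcService, hCP:qualified-user-id),
        "AUTHZ").
      return false.
    end.

    /* ROLES is a comma-separated list; an unknown list must deny, not
       slip through as an unknown comparison result. */
    if hCP:roles = ? or lookup(pcRole, hCP:roles) = 0 then
    do:
      log-manager:write-message(
        substitute("DENY &1: &2 lacks role &3",
                   pcService, hCP:qualified-user-id, pcRole),
        "AUTHZ").
      return false.
    end.

    /* The handle was obtained from the session; this method only reads it
       and never issues DELETE OBJECT on it. */
    log-manager:write-message(
      substitute("ALLOW &1 for &2@&3",
                 pcService, hCP:user-id, hCP:domain-name),
      "AUTHZ").
    return true.
  end method.

end class.
```

From restDispatcher the call becomes `if authzCheck:isAuthorized(picService, "wilkoService.read") then ...` and the same call guards dispatchPost, dispatchPut and dispatchDelete. Logging through LOG-MANAGER instead of a hard-coded file path keeps the audit trail in the agent log, where the "no client-principal" line is the first thing to look for when a call is refused after the first one succeeded.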

Posted by wvdgraaf on 29-Jan-2019 07:21

I solved it!

In my logging I found an error in my program that probably caused the handle to be removed/deleted/corrupted.

After fixing the error the problem was gone!

This thread is closed