Again I'm struggling with validating a token received from a Single Sign On server.
I changed the configuration in oeablSecurity.properties and tested this using the /web/_oepingService.
The result is correct. I get a valid handle using GetClientPrincipal and I can access all information contained in the token.
BUT! When I try to access my REST service, suddenly the GetClientPrincipal returns the unknown value and I'm stuck.
It's the same PASOE server instance (11.7.4) and I use the idmactivate.p procedure to check the contents of the token.
WHY is calling /web/_oepingService different than calling /wilko/rest/wilkoService/debug? In both cases it will first start the idmactivate procedure.
/* helper: append a timestamped line to a debug log */
function debug2logg returns logical (input cMelding as character):
    output to c:\temp\debugg.log append.
    put unformatted string(now) " " cMelding skip.
    output close.
    return true.
end function.

define variable hCP      as handle    no-undo.
define variable cReqName as character no-undo.
define variable lok      as logical   initial true no-undo.

cReqName = session:current-request-info:procedureName.
/* client-principal that the PASOE security filter attached to this request */
hCP = session:current-request-info:GetClientPrincipal().
if valid-handle(hCP) then
    debug2logg(cReqName + ": " + hCP:qualified-user-id).
else
    debug2logg(cReqName + ": GetClientPrincipal() returned the unknown value").
Thank you Irfan,
I solved the problem by deploying the service to the root of the pasoe webapp.
Using /rest/wilkoService/debug everything works fine.
It probably has something to do with the oeablSecurityJWT.csv file.
Regards,
Wilko
I solved it!
In my logging I found an error in my program that probably caused the handle to be removed/deleted/corrupted.
After fixing the error the problem was gone!
Hi Wilko,
Can you please provide your oeablSecurity.properties file set to both of the webapps. Are REST and WEB running on two different webapps or same ?
It's a little different now.
At the first call to the REST service I get a valid handle and can read all properties from the token.
With every subsequent call, the handle assigned with
hCP = session:current-request-info:GetClientPrincipal().
is unknown. Only after restarting the PASOE I get a one-time correct result.
So it seems that somehow the client-principal is lost. For every call to my rest server I send the same Bearer token.
Maybe there is a "global" variable somewhere that still contains the correct handle?
Here's the contents of my oeablsecurity.properties file.
## login model
client.login.model=oauth2
## The clear-text key value is 'JWTkey'. The encrypted value is generated using 'genpassword'
OEClientPrincipalFilter.domain=flusso.nl
OEClientPrincipalFilter.registryFile=oauth2reg.bin
##OEClientPrincipalFilter.key=oech1::1a051b0c373c
## JWT token handler properties for jwtAuthFilter & oauth2.resSvc..
jwtToken.signatureAlg=RS256
jwtToken.keystore.type=pem
jwtToken.keystore.path=${catalina.base}/conf/jwtkeys
jwtToken.keystore.alias=publiccert
## OAuth2 Resource server configuration
#oauth2.resSvc.audience=WAPPartnerID001
oauth2.resSvc.audience=itkracht
oauth2.resSvc.tokenServices=oauth2
## Debugging
OESSO.error.detail=2
I tried the same on 11.7 for HMAC and RSA and it works fine for me. Once the token is generated, I can run it as many times I want on my REST Service and the CP created by it is validated correctly.
Would you like to increase the logging and see what you get ?
My (simplified) code:
Maybe somebody can point me to an error concerning the way I try to use authorization.
The restDispatcher class handles all calls from the REST interface. So I also have dispatchPost, dispatchPut and dispatchDelete.
They all do checklogin(picService) for authorization before executing the rest of the code.
routine-level on error undo, throw.

@openapi.openedge.export FILE(type="REST", executionMode="singleton", useReturnValue="false", writeDataSetBeforeImage="false").

using Progress.Lang.*.

class restDispatcher:

    @openapi.openedge.export(type="REST", useReturnValue="false", writeDataSetBeforeImage="false").
    method public void dispatchGet(picService as character,
                                   picHeaders as character,
                                   picRequest as character,
                                   output poiHttpStatus as integer,
                                   output pocResponse   as longchar):
        if checklogin(picService) then
        do:
            /* rest of code */
        end.
    end method.

    /* authorization gate shared by dispatchGet, dispatchPost, dispatchPut and dispatchDelete */
    method private logical checklogin(picService as character):
        define variable hCP      as handle    no-undo.
        define variable username as character no-undo.

        /* client-principal attached to the current request by the PASOE security filter */
        hCP = session:current-request-info:GetClientPrincipal().
        if valid-handle(hCP) then
        do:
            username = entry(1, hCP:qualified-user-id, "@").
            /* check user authorization in application database */
            return userIsAuthorized(picService, username).
        end.
        return false.
    end method.

    method private logical userIsAuthorized(cFunction as character, cUser as character):
        return true.
    end method.

end class.
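Both the idmactivate logging snippet earlier in the thread and checklogin above only log qualified-user-id, so a handle that is valid but carries an expired or logged-out principal looks the same as a good one. The following procedure is an added example, not code from this thread or from Progress: it dumps the state of the request's client-principal and returns whether it is actually usable. The procedure name cpdebug.p, the log file path, the "usable" criterion (login-state LOGIN and not past login-expiration-timestamp) and the decision to delete the returned handle in the finally block are assumptions of this example.

```abl
/* cpdebug.p - constructed example: dump the client-principal of the current
   PASOE request to a log file and report whether it is usable.
   Procedure name, log path and the "usable" rule are assumptions. */
block-level on error undo, throw.

define input  parameter pcLogFile as character no-undo.
define output parameter plUsable  as logical   no-undo.

define variable hCP as handle no-undo.

plUsable = false.

/* handle to the client-principal that the security filter attached to the request */
hCP = session:current-request-info:GetClientPrincipal().

output to value(pcLogFile) append.
put unformatted string(now) " request=" session:current-request-info:procedureName skip.

if not valid-handle(hCP) then
do:
    put unformatted "  GetClientPrincipal() returned ? - no client-principal on this request" skip.
    return.
end.

put unformatted "  user-id           = " hCP:user-id skip.
put unformatted "  domain-name       = " hCP:domain-name skip.
put unformatted "  qualified-user-id = " hCP:qualified-user-id skip.
put unformatted "  login-state       = " hCP:login-state skip.
put unformatted "  state-detail      = " hCP:state-detail skip.
put unformatted "  session-id        = " hCP:session-id skip.
put unformatted "  login-expiration  = " string(hCP:login-expiration-timestamp) skip.

/* a valid handle is not enough: the principal must still be logged in and not expired */
plUsable = hCP:login-state = "LOGIN"
       and (hCP:login-expiration-timestamp = ? or hCP:login-expiration-timestamp > now).
put unformatted "  usable            = " plUsable skip.

finally:
    output close.
    /* free the handle returned to this procedure so each request starts clean (assumption:
       the returned object is owned by the caller) */
    if valid-handle(hCP) then delete object hCP.
end finally.
```

Call it at the top of checklogin (or from idmactivate.p) with something like run cpdebug.p (input "c:\temp\cp.log", output lUsable) and compare the logged login-state, session-id and expiration between the first request and the following ones; if the handle is valid on the first call only, the log shows whether the principal disappears entirely (unknown handle) or arrives in a state other than LOGIN.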