FORBIDDEN as response from PASOE

Posted by OctavioOlguin on 04-Jun-2019 16:16

I've just moved my first rest app from development to production server.  Deployed it and stuff...  according to https://www.progress.com/video/deploying-abl-soap-and-rest-applications-to-a-progress-application-server-for-openedge-instance it worked on development like a charm,  problem came on Production Server.

All response I got is 


An error occurred while executing your request!


Forbidden


On  oeablSecurity.properties, i got

 client.login.model=anonymous
 http.all.realm=OpenEdge
 http.all.authmanager=local

If i query  http://10.101.102.210:8818/ which is my prod server and port of service, I got 

Welcome to Progress Application Server for OpenEdge


Current session: 

RemoteUser: null
Principal: null
RemoteAddr: 10.101.102.151
ServerName: 10.101.102.210
Login: no
Username: anonymousUser

I would like to make it work, and then progressive add security and stuff...

Are there some logs I could address to investigate?

How could I achieve that?

Thanks

Jorge

Posted by OctavioOlguin on 08-Jun-2019 01:58

I struggled for 2 or 3 days with this, and yet the answer is not documented anywhere I looked..

Erased instances (from development and deployment) and starting again, but in dev, it throwed errors: "An attempt was made to authenticate the locked user", so googled it and that drove me to tomcat-users.xml  file.

I commented-out the part 

<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must be changed>" roles="tomcat"/>
<user username="both" password="<must be changed>" roles="tomcat,role1"/>
<user username="role1" password="<must be changed>" roles="role1"/>

and put naive passwords, and vôila....  rest you have... so do I...

Something should be done about that,,,

I know that there  should be some explanation, but can't find it yet...

All Replies

Posted by OctavioOlguin on 04-Jun-2019 16:23

AppServer is 11.7 win

Posted by OctavioOlguin on 04-Jun-2019 19:21

Postman makes things more confusing:

"Status: 403 Forbidden

The request was a legal request, but the server is refusing to respond to it. Unlike a 401 unauthorized response, authenticating will make no difference."

Posted by OctavioOlguin on 05-Jun-2019 19:48

Checking all three oeablSecurity.properties  files I could find (C:\home\sch1\ablapps\sch1\conf,  C:\home\sch1\conf,  C:\home\sch1\webapps\ROOT\WEB-INF)  (sch1 is the new name of app, as I deleted previous instance and started again)

all files match on the settings:

http.all.authmanager=local
client.login.model=anonymous
http.all.realm=OpenEdge
http.jee.all.mappableRoles=ROLE_PSCUser
apsv.security.enable=none
soap.security.enable=none

 

Still no answer from PASOE

I tweaked params and it does respond to 

http://server_address:port/rest    with  {"AdapterType":"REST","Connections":[]}

http://server_address:port   with the page with 

Welcome to Progress Application Server for OpenEdge

 

So... Can't find the place to enable anonymous access to rest services...

As the access to APSV transport does work correctly, from across the country....

DEFINE VARIABLE hServer AS HANDLE     NO-UNDO.
DEFINE VARIABLE pProP   AS CHARACTER  NO-UNDO.
DEFINE VARIABLE con1    AS LOGICAL    NO-UNDO.                      

CREATE SERVER hServer.

con1 = hServer:CONNECT("-URL http://200.77.145.150/apsv").

IF NOT con1 THEN
DO:
    MESSAGE "No se logró la conexión al appserver"
        VIEW-AS ALERT-BOX INFORMATION BUTTONS OK.
END.
ELSE
DO:
    RUN GetPropath.p on hServer (output pProP).
    UPDATE pProP VIEW-AS EDITOR SIZE 75 BY 18.
END.


FINALLY: 
IF hServer:CONNECTED() THEN
    hServer:Disconnect().
DELETE OBJECT hServer.

END FINALLY.

 

Help please...

Posted by Peter Judge on 05-Jun-2019 20:10

If you do  a GET http://{server_address}:port/rest/_oepingService/_oeping  do you get the 403/Forbidden?
 
 
 
 

Posted by OctavioOlguin on 05-Jun-2019 22:47

No.

I got   {"response":{"_retVal":""}}   from inside the local network and from outside (wan)

Posted by OctavioOlguin on 05-Jun-2019 23:01
Posted by OctavioOlguin on 05-Jun-2019 23:06

This is oeablSecurity.properties

 ##########################################################################
 ##                                                                      ##
 ## Copyright (c) 2017 by Progress Software Corporation                  ##
 ##                                                                      ##
 ## All rights reserved.  No part of this program or document may be     ##
 ## reproduced in any form or by any means without permission in writing ##
 ## from Progress Software Corporation.                                  ##
 ##                                                                      ##
 ##########################################################################
 #
 # Spring Security bean properties definition file for all oeabl.war based
 # web applications found in a PASOE instance
 #
 # The properties values found in this file constitute the full superset of
 # all Spring Security configuration properties and their values.  Any
 # property value declared in this file may superceded by a declaration found
 # in the oeabl based web application's WEB-INF/oeablSecurity.properties
 # file, which has a basic subset of commonly changed properties.
 #
 # PAS for OE will resolve properties by loading multiple .properties files
 # and using the last declared value it finds.  The minimum requirement
 # is that PAS for OE must find one oeablSecurity.properties file in one
 # of the following locaitons:
 #     1) conf/oeablSecurity.properties
 #     2) conf/<abl-app-name>/oeablSecurity.properties
 #     3) webapps/<web-app-name>/WEB-INF/oeablSecurity.properties
 # 
 # The best practice is to declare the properties and values that span 
 # multiple web applications in the conf/oeablSecurity.properties file.
 # 
 # Then declare the property and value that may differ between multiple
 # oeabl based web applications in either the web application's 
 #  conf/<web-app-name>/oeablSecurity.properties 
 #  
 # Last, declare the property and value that differs between multiple
 # web applications mapped to the same ABL business application in:
 #  WEB-INF/oeablSecurity.properties file.
 # 
 # The web application develop may also choose to include the full superset
 # of Spring Security properties in their web application's 
 #  conf/<web-app-name>/oeablSecurity.properties 
 #      OR
 #  WEB-INF/oeablSecurity.properties file.
 # 
 # -------------------- oeablSecurity.properties ------------------------------
 # Detailed information about the properties found in this property file 
 # may be found in the file:
 #
 #          conf/oeablSecurity.properties.README.
 #
 ##########################################################################
 ##
 ##%% version 0001
 ##%% Mar 02, 2016 2:29:12 PM
 
 
 ################# Authentication Manager Name list #####################
 ## The following names apply to the authmanager properties in the
 ##  various transports:
 ##  http.apsv.authmanager
 ##  http.soap.authmanager
 ##  http.rest.authmanager
 ##  http.web.authmanager
 ##  http.authmanager
 ##
 ##  Authentication Managers will only apply to loginModels that perform 
 ## direct logins using user accounts.  Therefor, this property is used only
 ## for 'basic' and 'form' login models (below)
 ##
 ##  http.all.authmanager will apply the same authentication to all transports.
 ##
 ##      manager name        Description
 ##    ===================================================================
 ##    local                 web application WEB-INF/user.properties 
 ##    extlocal              web application WEB-INF/user.properties w. 
 ##                              encrypted passwords
 ##    ldap                  LDAPv3 Directory Service client (simple)
 ##    ad                    Microsoft Active Directory Directory Service client
 ##    oerealm               ABL class callback to application accounts
 ## 

 http.all.authmanager=local

 ################## The HTTP client Authentication model to use ###############
 ## This property controls which HTTP client authentication model to use.  The
 ## allowed names are:
 ## 
 ##      name                Description
 ##    ===================================================================
 ##     anonymous            No user login - all clients have public access
 ##     basic                Users authenticate using the HTTP BASIC standard
 ##     form                 Users authenticate using a HTTP POST message & 
 ##                          form data
 ##     container            Users authenticate via Tomcat realm services and 
 ##                          authorize URL access via Spring Security
 ##     sso                  OpenEdge Single Sign-on using ClientPrincipal 
 ##                          access tokens 
 ## 

 client.login.model=anonymous

 ################## J2EE Tomcat Realm Role mapping ############################
 ## This property is used by the containerLoginModel.xml configuration.  It
 ## provides a [comma separated - no whitespace] list of Role names supplied
 ## by the Tomcat realm login token that will be passed through to Spring's
 ## URL authorization.
 ##
 ## Each PAS for OE transport and the default URI space has its own settable
 ## list. The property http.jee.all.mappableRoles can be used to set all
 ## transports & default at one time.
 ##
 http.jee.all.mappableRoles=ROLE_PSCUser
 http.jee.apsv.mappableRoles=${http.jee.all.mappableRoles}
 http.jee.soap.mappableRoles=${http.jee.all.mappableRoles}
 http.jee.rest.mappableRoles=${http.jee.all.mappableRoles}
 http.jee.web.mappableRoles=${http.jee.all.mappableRoles}
 http.jee.mappableRoles=${http.jee.all.mappableRoles}


 #################APSV Transport Specific Property #######################
 ## For APSV Transport authentication and authorization is disable by default 
 ## i.e. apsv.security.enable=none. 
 ##
 ## If there is a requirement to enable this in production, then set 
 ## apsv.security.enable property value as "basic".
 ##    Example: apsv.security.enable=basic
 ##
 ## The http.apsv.authprovider property is used to configure the authentication
 ## manager as per production need.
 ##########################################################################
 
 http.apsv.authmanager=${http.all.authmanager}
 http.apsv.realm=${http.all.realm}
 apsv.security.enable=none
 
 
 #################SOAP Transport Specific property ########################
 ## For SOAP Transport authentication and authorization is disable by default 
 ## i.e. apsv.security.enable=none. 
 ##
 ## If there is a requirement to enable this in production, then set 
 ## soap.security.enable property value as "basic".
 ##    Example: soap.security.enable=basic
 ##
 ## The http.soap.authprovider property is used to configure the authentication
 ## manager as per production need.  
 ##########################################################################
 soap.security.enable=none
 http.soap.authmanager=${http.all.authmanager}
 http.soap.realm=${http.all.realm}
 
 #################REST Transport Specific property ########################
 ## The http.rest.authprovider property is used to configure the authentication 
 ## manager as per production need.  
 ##########################################################################
 http.rest.authmanager=${http.all.authmanager}
 http.rest.realm=${http.all.realm}
 
 #################WEB Transport Specific property #########################
 ## The http.web.authprovider property is used to configure the authentication 
 ## manager as per production need.  
 ##########################################################################
 http.web.authmanager=${http.all.authmanager}
 http.web.realm=${http.all.authmanager}

 ###############Authentication provider for public /** URI space #########
 ## <http pattern="/**" .../>
 ## The http.authprovider property is used to configure the authentication 
 ## manager as per production need.  
 ##########################################################################
 http.authmanager=${http.all.authmanager}

 ## Set all individual transports using these properties
 http.all.realm=OpenEdge
 
 #############OEMetaDataSource Configuration ##############################
 ## This common set of properties applies to the OEMetadataSource bean
 ## that loads intercept-url configurations from a .CSV file.  
 #########################################################################
 oemetadatasource.all.requestmatcher=ant
 oemetadatasource.all.csvpath=WEB-INF/oeablSecurity.csv

 #############Default Filter Configuration ################################
 ## This is the common section for all the transports(apsv,soap,rest,web) to 
 ## configure common filter beans like [pre-auth,ClientPrinciple & Cors] 
 ## based upon the selected spring security.
 ##
 ## Bean properties naming should follow the format "<bean-id>.<prop-name>=value"
 #########################################################################
 
 #############Form login Filter bean ######################################
 http.formlogin.loginpage=/static/auth/login.jsp
 http.formlogin.loginurl=/static/auth/j_spring_security_check
 http.formlogin.usedefaulttarget=false
 http.formlogin.defaulturl=/
 http.formlogin.failureurl=/static/auth/loginfail.html
 http.formlogin.usernamefield=j_username
 http.formlogin.userpasswordfield=j_password

 #############login Filter bean ############################################
 http.logout.url=/static/auth/j_spring_security_logout
 http.logout.invalidate=true
 http.logout.deletecookie=JSESSIONID


 ##The Pre-auth security filter for  SSO
 ## PreAuthentication and preauthAuthProvider properties are used for 
 ## Rollbase integration.
 ##
 ## By default this filter is disabled, if any user already authenticated or 
 ## authorized by Rollbase then it skips all the authentication configurations 
 ## and directly access the OpenEdge services after validation
 ##
 ##  To turn on Rollbase SSO :
 ##    1. Set "enabled" property to true 
 ##    2. For single-domain supply the Domain Access Code as the value for 
 ##       "key" property 
 ##	   3. For multi-domain supply the absolute path of a 'registryFile' 
 ##       generated using OpenEdge's $DLC/bin/gendomreg.bat utility as 
 ##       "registryFile" property
 
 OEPreauthfilter.enabled=false
 OEPreauthfilter.key=
 OEPreauthfilter.registryFile=
 
 preauthAuthProvider.rolePrefix=ROLE_
 preauthAuthProvider.enabledAttrName=ATTR_ENABLED
 preauthAuthProvider.lockedAttrName=ATTR_LOCKED
 preauthAuthProvider.expiredAttrName=ATTR_EXPIRED
 

 ## Properties for the OEClientPrincipalFilter bean (see authFilters.xml)
 ## The security filter that turns a Spring token into an OpenEdge 
 ## ClientPrincipal object. The filter is thus responsible for:
 ##  1. Creating a ClientPrincipal if one was not created in a previous 
 ##     authentication process step
 ##  2. If the previous authentication process produced a Spring token - 
 ##     copy that information into the ClientPrincipal
 ##  3. If the ClientPrincipal is not already sealed - seal it using this 
 ##     filter's domain and registry configuration
 ##  4. If enablecp is true, then send the ClientPrincipal to the ABL business 
 ##     logic

 OEClientPrincipalFilter.enabled=true
 OEClientPrincipalFilter.key=
 OEClientPrincipalFilter.registryFile=
 OEClientPrincipalFilter.domain=
 OEClientPrincipalFilter.roles=
 OEClientPrincipalFilter.authz=true
 OEClientPrincipalFilter.expires=0
 OEClientPrincipalFilter.accntinfo=false
 OEClientPrincipalFilter.ccid=false
 OEClientPrincipalFilter.anonymous=false
 OEClientPrincipalFilter.sealAnonymous=false
 OEClientPrincipalFilter.appName=OE
 OEClientPrincipalFilter.passthru=false
 OEClientPrincipalFilter.domainRoleFilter=

## DO NOT USE
 OEClientPrincipalFilter.properties.prop-1=
 OEClientPrincipalFilter.properties.prop-2=
 
# Declare placeholders for up to 10 OEClientPrincipalFilter
# properties.  Any number of properties larger than 10 
# requires customization of authFilters.xml.
#
# Any property 'key' value whose first character is a
# comment (#) is ignored when creating a Client-Principal
# token
 OEClientPrincipalFilter.properties.1.key=#doNotAdd
 OEClientPrincipalFilter.properties.1.value=

 OEClientPrincipalFilter.properties.2.key=#doNotAdd
 OEClientPrincipalFilter.properties.2.value=
 
 OEClientPrincipalFilter.properties.3.key=#doNotAdd
 OEClientPrincipalFilter.properties.3.value=
 
 OEClientPrincipalFilter.properties.4.key=#doNotAdd
 OEClientPrincipalFilter.properties.4.value=
 
 OEClientPrincipalFilter.properties.5.key=#doNotAdd
 OEClientPrincipalFilter.properties.5.value=
 
 OEClientPrincipalFilter.properties.6.key=#doNotAdd
 OEClientPrincipalFilter.properties.6.value=
 
 OEClientPrincipalFilter.properties.7.key=#doNotAdd
 OEClientPrincipalFilter.properties.7.value=
 
 OEClientPrincipalFilter.properties.8.key=#doNotAdd
 OEClientPrincipalFilter.properties.8.value=
 
 OEClientPrincipalFilter.properties.9.key=#doNotAdd
 OEClientPrincipalFilter.properties.9.value=
 
 OEClientPrincipalFilter.properties.10.key=#doNotAdd
 OEClientPrincipalFilter.properties.10.value=
 
 ## Properties for the OECORSFilter Filter bean (see authFilters.xml)
 ## The security filter that implements the CORS standard for controlling
 ## cross site resource access by http clients.

 OECORSFilter.responseHeaders=Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma,X-CLIENT-CONTEXT-ID
 OECORSFilter.allowAll=true
 OECORSFilter.allowDomains=
 OECORSFilter.allowSubdomains=false
 OECORSFilter.allowMethods=GET,POST,PUT,DELETE,OPTIONS,PATCH
 OECORSFilter.messageHeaders=Accept,Accept-Language,Content-Language,Content-Type,X-CLIENT-CONTEXT-ID,Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Pragma,Cache-control,Authorization
 OECORSFilter.supportCredentials=true
 OECORSFilter.maxAge=-1

 ## Common OpenEdge SSO Producer and Consumer properties
 ## (see properties for OESSOTokenManager, OESSOFilter, OESSORefreshFilter )
 OESSO.error.detail=0
 OESSO.require.https=true
 
 ## Properties for the OEAuthnSuccessHandler bean (see authFilters.xml)
 ## The OEAuthnSuccessHandler bean interfaces with the OE ClientPrincipal SSO 
 ## token producer OESSOTokenManager after a successfull user login.  The 
 ## OESSOTokenManager produces a sealed OECP token that is returned to the
 ## client in the body of the HTTP response.
 ##
 ## The OEAuthnSuccessHandler bean has two properties to control:
 ##   a) The requirement for the client to use HTTPS and protect the returned
 ##      OECP token from theft. 
 ##   b) The amount of error detail that may be returned to the client in the
 ##      event an error occurs while generating the OECP token.
 OEAuthnSuccessHandler.tokenErrorDetail=${OESSO.error.detail}
 OEAuthnSuccessHandler.tokenSecure=${OESSO.require.https}

 ## Properties for the OEAuthnFailureHandler (see authFilters.xml)
 ## The OEAuthnFailureHandler is called when a user account validation fails
 ## and in this case it will return a SSO failure to the caller if SSO  is
 ## enabled. 
 OEAuthnFailureHandler.tokenErrorDetail=${OESSO.error.detail}

 ## Properties for the OEFormEntryPoint bean (see authFilters.xml)
 ## The OEFormEntryPoint bean is invoked when a HTTP request requires user login
 ## services.  It interfaces with the OESSOTokenManager bean to determine if an
 ## SSO, JSON, or HTML  type of reponse message is returned.
 ##
 ## The OEFormEntryPoint bean has one properties to control:
 ##   a) The amount of error detail that may be returned to the client in the
 ##      event an error occurs while generating the OECP token.
 OEFormEntryPoint.tokenErrorDetail=${OESSO.error.detail}

 ## Properties for the OESSOTokenManager bean (see authFilters.xml)
 ## The OESSOTokenManager bean is the primary component for the verification 
 ## and generation of OECP SSO tokens.  The OESSOTokenManager works a
 ## supporting role for other Spring filter beans that are actively involved
 ## in the HTTP request authentication process.
 ##
 OESSOTokenManager.tokenPolicy=disabled
 OESSOTokenManager.ssoTokenURLOption=OECP
 OESSOTokenManager.ssoTokenExpires=3600
 OESSOTokenManager.ssoAllowScope=
 OESSOTokenManager.ssoGrantScope=
 OESSOTokenManager.ssoTokenRefresh=true
 OESSOTokenManager.ssoRefreshDeltaTime=3600
 OESSOTokenManager.springRolePrefix=

 ## Properties for the OESSOFilter bean (see authFilters.xml)
 ## The OESSOFilter bean is injected into the HTTP authentication process
 ## to look for HTTP [Authorization] header that contains an OECP SSO token.
 ## If no header and token is found, it passes control to the next step
 ## in the authentication process.  If a header and token is found it will
 ## use the OESSOTokenManager to extract, verify, and convert the OECP
 ## SSO token into a native OE ClientPrincipal token that is passed to the
 ## ABL session.
 ##
 ## The OESSOFilter bean has properties thtat control what header to look
 ## for in the HTTP request, what the header's authentication-scheme name
 ## is, and whether OECP SSO is enabled.
 OESSOFilter.authPolicy=disabled
 OESSOFilter.authmanager=${http.all.authmanager}
 OESSOFilter.authScheme=OECP
 OESSOFilter.authClientType=*
 OESSOFilter.authErrorDetail=${OESSO.error.detail}
 OESSOFilter.authSecurity=${OESSO.require.https}

 ## Properties for the OESSORefreshFilter bean (see authFilters.xml)
 ## The OESSORefreshFilter bean is injected into the authentication process
 ## and intercepts client requests to refresh an expired OECS SSO token.
 ## If no request is found, the bean passes the request to the next step
 ## in the authentication process.  When a request if found, it interfaces
 ## with the OESSOTokenManager to validate the refresh request and issue 
 ## an updated OECP SSO token that has a new expiration date.
 ## 
 ## The OESSORefreshFilter has properties that allow it to recognize when
 ## a HTTP request is asking to refresh a SSO token.
 OESSORefreshFilter.refreshURL=/static/auth/token
 OESSORefreshFilter.refreshURLOption=refresh
 OESSORefreshFilter.refreshClientType=*
 OESSORefreshFilter.refreshErrorDetail=${OESSO.error.detail}
 OESSORefreshFilter.refreshSecure=${OESSO.require.https}

 ## Propertied for the customAuthorizationFilter bean (see customAuthHeaderFilter.xml)
 ## The custom HTTP Authorization header filter provides a hook into the
 ## Spring Security process for securely handling Authorizaiton headers
 ## that have a custom 'scheme'.  
 ## NOTE: The default class for this filter bean is a NOOP placeholder.
 ## The developer is required to configure the correct Java class
 ## NOTE: customAuthorizationFilter is only enabled in BASIC security
 ## configurations that do not depend upon HTTP session contexts
 customAuthorizationFilter.authPolicy=disabled
 customAuthorizationFilter.authScheme=CHANGEME
 customAuthorizationFilter.authClientType=*
 customAuthorizationFilter.authHeader=Authorization
 customAuthorizationFilter.authErrorDetail=${OESSO.error.detail}
 customAuthorizationFilter.authSecurity=true
 customAuthorizationFilter.ignoreFailure=false

 ##########Authentication Provider Bean configuration######################
 ## Default configuration of authentication bean properties. This needs to be 
 ## change with other values as per the production configuration. It has 
 ## separate section for authentication manager beans like local, ldap, 
 ## oerealm.
 ##########################################################################

 ##-------------local & extlocal authmanager configuration ----------------
 local.userservice.properties=/WEB-INF/users.properties

 ## Properties for the 'ldap' Authentication Manager (see authManagers.xml)
 ##   . URL of the Directory Service (http | https)
 ##   . The X-509 Distinguished Name (DN) of a user account to perform seaches 
 ##       with
 ##       (NOT the user being authenticated)
 ##   . The password for the X-509 Distinguished Name used to do searches
 ##   . The group object attribute used as a ROLE name granted to the user
 ##         being authenticated
 ##   . The LDAP filter used to find the DN of the groups (aka ROLE) the 
 ##         authenticated user is a member of (note min of 1 group required)
 ##   . The LDAP oject where the sub-tree group search is initiated
 ##   . The LDAP oject where the sub-tree user account search is initiated
 ##   . The LDAP filter used to find the DN of the user being authenticated
 ##   
 ##
 ## <authentication-manager id="ldap" >
 ##

 ldap.url=ldap://localhost:389

 ldap.manager-dn=uid=admin,ou=system
 ldap.manager-password=secret

 ldap.root.dn=

 ldap.grouprole.attribute=cn
 ldap.groupsearch.filter=(member={0})
 ldap.groupsearch.base=dc=example,dc=com

 ldap.usersearch.base=dc=example,dc=com
 ldap.usersearch.filter=(uid={0})

 ## Properties for the 'ldap' Authentication Manager (see authManager.xml)
 ##	The LDAP authentication provider plug-in, with its references to the beans 
 ## that implement binding to the service, populating roles, and how to make a 
 ## connection.
 ##
 ## Authprovider peoperties
 ##  1. 'ldap.authprovider.useAuthenticationRequestCredentials' Determines 
 ##       whether the supplied password will be used as the credentials in the 
 ##       successful authentication token. Default value is false.
 ldap.authprovider.useAuthenticationRequestCredentials=false
 
 ## Properties for the 'ldap' Authentication Manager (see authManager.xml)
 ## The extended LDAP authentication manager configuration is an advanced
 ## version of the simple ldap authentication manager above.  It has many more
 ## properties to control its operations at a much finer granularity.
 ## 
 ## <b:bean id="ldapAuthenticationProvider"
 ## 
 ldap.contxtSrc.url=${ldap.url}
 ldap.contxtSrc.base=${ldap.root.dn}
 ldap.contxtSrc.userDn=${ldap.manager-dn}
 ldap.contxtSrc.password=${ldap.manager-password}
 ldap.contxtSrc.referral=ignore
 ldap.contxtSrc.timeout=5000

 ## The LDAP user account search operation's parameters used by the above ldap 
 ## context source that starts at a base DN, searches the entire subtree, 
 ## and tries to find a user object who's attribute matches the search filter
 ##
 ## LDAP User Search Properties
 ##  1. 'ldap.search.base' user search base for finding user account DN for 
 ##      authentication
 ##  2. 'ldap.search.subtree' Search the search base's object and all sub 
 ##     trees
 ##  3. 'ldap.serach.attribute' LDAP search query to match the authenticated 
 ##     user-ID input with a LDAP user account object's attribute value
 ldap.search.base=${ldap.usersearch.base}
 ldap.search.subtree=true
 ldap.serach.attribute=${ldap.usersearch.filter}

 ## Properties to describes which LDAP  user account role memberships (aks. 
 ## Spring authoriteis) to return into the security token to be used by the 
 ## application's authorization processes.  The authorities are found by 
 ## searching the LDAP directory for objects whose attributes contain the 
 ## user accounts fully qualified DN as a member
 ##
 ## LDAP Authorities Populator properties
 ##    1. 'ldap.authpopulator.searchBase' search base
 ##    2. 'ldap.authpopulator.groupSearchFilter' Where to begin searching 
 ##       for user group memberships in the directory service
 ##    3. 'ldap.authpopulator.groupRoleAttribute' Map the LDAP group object 
 ##       attribute name to a Spring ROLE name
 ##    4. 'ldap.authpopulator.searchSubtree'  How deep in the directory tree 
 ##       to search to user group memberships
 ##    5. 'ldap.authpopulator.ignorePartialResultException' Ignore Active 
 ##       Directory mapping objects
 ##    6. 'ldap.authpopulator.convertToUpperCase' Convert LDAP [group] ROLE 
 ##       names to upper case ; default is true
 ##    7. 'ldap.authpopulator.rolePrefix' Assign a Spring Role name prefix ; 
 ##       default is ROLE_
 ##
 ## WARNING: The ldap authentication provider upper cases all role names found 
 ## for the authenticated user in the directory service. This affects setting 
 ## the role names in the above <intercept-url> elements.  
 ##    Example: ldap name "OEUsers"  Spring role name "ROLE_OEUSERS"

 
 ldap.authpopulator.rolePrefix=ROLE_
 ldap.authpopulator.searchBase=${ldap.groupsearch.base}
 ldap.authpopulator.groupSearchFilter=${ldap.groupsearch.filter}
 ldap.authpopulator.groupRoleAttribute=${ldap.grouprole.attribute}
 ldap.authpopulator.searchSubtree=true
 ldap.authpopulator.ignorePartialResultException=true
 ldap.authpopulator.convertToUpperCase=true
 
 
 ## Properties for the oerealm Authentication Manager (see authManageres.xml)
 ## Properties that connects to an AppServer Realm service and uses it as a 
 ## source of user account information during the authentication step managed 
 ## by the OERealmAuthProvider bean.The sample in this template requires 
 ## changing the properties "realmURL" and "realmClass" to contain the run-time 
 ## AppServer used for authentication and the developer supplied OOABL class name. 
 ##
 ## The location of where the OERealm server's OOABL class will be executed may 
 ## be within this PAS for OE server, or in a remote OpenEdge application server.
 ##	Thus following are the values that "realmURL" can take:
 ##		(1) "internal://nxgas" for local PAS for OE Server
 ##		(2) "http[s]://<host>[:<port>]/[oeabl-app-name/]apsv" for remote PAS for 
 ##         OE server  
 ##		(3) "http[s]://<host>[:<port>]/<aia-app-nam>/aia" for remote classic 
 ##          AppServer via AIA
 ##		(4) "AppServer[s]://<name-server-host>:<name-server-port>/<service-name>" 
 ##         for remote classic AppServer using NameServer
 ##		(5) "AppServerDC[s]://<AppServer-host>:<AppServer-port>/<service-name>" 
 ##         for remote classic AppServer using Direct Connect

 OERealm.AuthProvider.multiTenant=true
 OERealm.AuthProvider.userDomain=
 OERealm.AuthProvider.accntinfo=true
 OERealm.AuthProvider.authz=true
 OERealm.AuthProvider.expires=0
   # Declare placeholders for up to 10 OEClientPrincipalFilter
   # properties.  Any number of properties larger than 10 
   # requires customization of authFilters.xml.
   #
   # Any property 'key' value whose first character is a
   # comment (#) is ignored when creating a Client-Principal
   # token
 OERealm.AuthProvider.properties.1.key=#doNotAdd
 OERealm.AuthProvider.properties.1.value=

 OERealm.AuthProvider.properties.2.key=#doNotAdd
 OERealm.AuthProvider.properties.2.value=
 
 OERealm.AuthProvider.properties.3.key=#doNotAdd
 OERealm.AuthProvider.properties.3.value=
 
 OERealm.AuthProvider.properties.4.key=#doNotAdd
 OERealm.AuthProvider.properties.4.value=
 
 OERealm.AuthProvider.properties.5.key=#doNotAdd
 OERealm.AuthProvider.properties.5.value=
 
 OERealm.AuthProvider.properties.6.key=#doNotAdd
 OERealm.AuthProvider.properties.6.value=
 
 OERealm.AuthProvider.properties.7.key=#doNotAdd
 OERealm.AuthProvider.properties.7.value=
 
 OERealm.AuthProvider.properties.8.key=#doNotAdd
 OERealm.AuthProvider.properties.8.value=
 
 OERealm.AuthProvider.properties.9.key=#doNotAdd
 OERealm.AuthProvider.properties.9.value=
 
 OERealm.AuthProvider.properties.10.key=#doNotAdd
 OERealm.AuthProvider.properties.10.value=
 

 ## Properties for the 'oerealm' Authentication Manager (see authManagers.xml)
 ##
 ## <b:bean id="OERealmUserDetails"
 ##

 OERealm.UserDetails.realmURL=internal://nxgas
 OERealm.UserDetails.realmClass=OpenEdge.Security.Realm.HybridRealm
 OERealm.UserDetails.grantedAuthorities=ROLE_PSCUser
 OERealm.UserDetails.rolePrefix=ROLE_
 OERealm.UserDetails.roleAttrName=ATTR_ROLES
 OERealm.UserDetails.enabledAttrName=ATTR_ENABLED
 OERealm.UserDetails.lockedAttrName=ATTR_LOCKED
 OERealm.UserDetails.expiredAttrName=ATTR_EXPIRED
 OERealm.UserDetails.propertiesAttrName=
 OERealm.UserDetails.userIdAttrName=
 OERealm.UserDetails.realmPwdAlg=0
 OERealm.UserDetails.certLocation=
 OERealm.UserDetails.appendRealmError=false
 OERealm.UserDetails.realmTokenFile=
 
 ## Properties for the 'ad' (ActiveDirectory) Authentication Manager (see authManagers.xml)
 ad.user.domain=changeme.com
 ad.ldap.url=ldap://adhost:389
 ad.ldap.rootdn=dc=changeme,dc=com
 ad.AuthoritiesMapper.prefix=ROLE_
 ad.AuthoritiesMapper.convertToUpperCase=true

 ## OAuth2 authorization handling for 'Resource Servers' web data service access 
 ## and 'Authorization Servers' for obtaining access & refresh tokens to access a
 ## Resource server's data.
 ## 
 ## 

 ## Enable/disable the OAuth2 Resource and/or Authorization server support.
 ## The allowable values are {disable|enable}
 oauth2.ResourceServer.enable=enable
 oauth2.AuthorizationServer.enable=disable

 ## JWT token handler properties for jwtAuthFilter, oauth2.authSvc..., & oauth2.resSvc...
 jwtToken.signatureAlg=mac
 jwtToken.macKey=oeph3::B8E894037D0A296A0908F2FAFB0A0148
 jwtToken.macAlg=HMACSHA256
 jwtToken.jksKeystore.path=
 jwtToken.jksKeystore.pwd=oeph3::B8E894037D0A296A0908F2FAFB0A0148
 jwtToken.jksKeystore.alias=sample
 jwtToken.defaultRoles=
 jwtToken.usernameField=sub
 jwtToken.mapScopeToRole=true
 jwtToken.scopeToRolePrefix=scope.
 jwtToken.includeAllClaims=true

 ## OAuth2 Authorization server configuration 
 ## The OAuth2 Authorization server's responsibility is to manage interactions with an OAuth2 client
 ## appication and authenticate the client application, or end-user, identity and then send them
 ## and "access token", and optionally a "refresh token".  The "access token" can be used to access
 ## OAuth2 Resource servers (see configuration below), and the "refresh token" can be used with this
 ## OAuth2 Authorization server to get a new "access token" after the current one expires.
 ## 
 oauth2.authSvc.clientCfg=oauth2AuthSvcClients.cfg
 oauth2.authSvc.grantType.authorizationCode.disable=false
 oauth2.authSvc.grantType.implicit.disable=false
 oauth2.authSvc.grantType.refresh.disable=false
 oauth2.authSvc.grantType.clientCredentials.disable=false
 oauth2.authSvc.grantType.password.disable=false
 oauth2.authSvc.refreshToken.enable=true
 oauth2.authSvc.refreshToken.reuse=true
 oauth2.authSvc.accessToken.expiresSeconds=300000
 oauth2.authSvc.refreshToken.expiresSeconds=2592000
 oauth2.authSvc.realmName=oeoauth

 ## OAuth2 Resource server configuration
 ## An OAuth2 Resource server provides data-services for client applications. The client application
 ## sends an "access token" obtained from an OAuth2 Authorization server, which the Resource server
 ## must validate before it is accepted.  Validation involves obtaining a JWT token that can be
 ## validated by the Resource server and its "claims" used to perform URL access control to the
 ## Resource service's data-services.  The JWT may be obtained as a "self-contained" access token
 ## or by using the access token as an indirect reference to a JWT stored in the issuing Authorizaiton
 ## server.
 ## 
 oauth2.resSvc.audience=oeablapp
 oauth2.resSvc.stateless=true
 oauth2.resSvc.clientCfg=oauth2ResSvcClients.cfg
 oauth2.resSvc.requestmatcher=ant
 oauth2.resSvc.csvpath=WEB-INF/oeablSecurityJWT.csv
 oauth2.resSvc.tokenServices=oauth2
 oauth2.resSvc.realmName=oeoauth
 oauth2.resSvc.remoteTokenService.url=localhost:443/.../check_token
 oauth2.resSvc.remoteTokenService.loginId=changeme
 oauth2.resSvc.remoteTokenService.loginPwd=changme
 oauth2.resSvc.remoteTokenService.tokenName=token
 oauth2.resSvc.jdbcTokenService.driver=com.mysql.jdbc.Driver
 oauth2.resSvc.jdbcTokenService.url=jdbc:mysql://localhost:3306/spring_security_db 
 oauth2.resSvc.jdbcTokenService.loginId=changeme
 oauth2.resSvc.jdbcTokenService.loginPwd=changeme


 
 

Posted by OctavioOlguin on 05-Jun-2019 23:13

Also noted that I can use:

10.101.102.210:8818/.../Sucursales

10.101.102.210:8818/.../Sucursales

10.101.102.210:8818/.../Sucursales

So it makes me doubt about if I am using the correct address...

I'm using the first example... but now wonder if I'm wrong

Posted by OctavioOlguin on 05-Jun-2019 23:16

but... this is  openedge.properties, and give me clues where is my app

%% Update from oeprop
%% 5/06/2019 12:07:24 PM

##########################################################################
 ##                                                                      ##
 ##        Copyright (c) 1998-2014 by Progress Software Corporation      ##
 ##                                                                      ##
 ## All rights reserved.  No part of this program or document may be     ##
 ## reproduced in any form or by any means without permission in writing ##
 ## from Progress Software Corporation.                                  ##
 ##                                                                      ##
 ##########################################################################
 #
 # -------------------- openedge.properties ------------------------------
 #
 # Property File for the Pacific Application Server for OpenEdge
 #
 #
 # This definition file includes the properties that you can define in
 # a Pacific AppServer for OpenEdge.
 #
 # All information about the properties in this property file may be found
 # in the file:
 #
 #          openedge.properties.README.
 #
 ##########################################################################
 ##
 #
 # AppServer specific properties
 #
[AppServer]
    allowRuntimeUpdates=0
    applications=sch1
    collectMetrics=1
    statusEnabled=1

 #
 #  Default properties for Session Manager
 #
[AppServer.SessMgr]
    agentExecFile=${psc.as.oe.dlc}/bin/_mproapsv
    agentListenerTimeout=300000
    agentLogEntryTypes=
    agentLogFile=
    agentLoggingLevel=2
    agentLogThreshold=0
    agentNumLogFiles=3
    agentStartLimit=0
    agentStartupParam=-T c:\t -db TAP -H sucahersa3 -S 2500 -U schAS1 -P schAppS1 -db SCH -S 2499 -H sucahersa3 -db DWH -H sucahersa3 -S 2999 -U schAS1 -P schAppS1
    connectionWaitTimeout=3000
    idleAgentTimeout=300000
    idleConnectionTimeout=300000
    idleResourceTimeout=0
    idleSessionTimeout=300000
    ipver=IPv4
    maxABLSessionsPerAgent=200
    maxAgents=10
    maxConnectionsPerAgent=16
    numInitialAgents=1
    publishDir=${catalina.base}/openedge
    requestWaitTimeout=15000
    socketTimeout=3000

[AppServer.Agent]
    agentMaxPort=62202
    agentMinPort=62002
    agentShutdownProc=
    agentStartupProc=
    agentStartupProcParam=
    agentTableParam=-n 200
    collectStatsData=0
    flushStatsData=0
    infoVersion=9010
    keyAlias=
    keyAliasPasswd=
    # keyStorePasswd=
    keyStorePath=.\keys\
    lockAllExtLib=
    lockAllNonThreadSafeExtLib=
    noSessionCache=0
    numInitialSessions=5
    PROPATH=${CATALINA_BASE}/openedge,${DLC}/tty,${DLC}/tty/netlib/OpenEdge.Net.pl
    sessionActivateProc=
    sessionConnectProc=
    sessionDeactivateProc=
    sessionDisconnProc=
    sessionShutdownProc=
    sessionStartupProc=
    sessionStartupProcParam=
    sessionTimeout=180
    sslAlgorithms=
    sslEnable=0
    usingThreadSafeExtLib=
    uuid=
    workDir=${CATALINA_BASE}/work

[sch1]
    webApps=ROOT

[sch1.ROOT]
    allowRuntimeUpdates=0
    collectMetrics=1
    statusEnabled=1

[sch1.ROOT.APSV]
    adapterEnabled=1
    enableRequestChunking=1
    useHTTPSessions=1

[sch1.ROOT.SOAP]
    adapterEnabled=0
    adminEnabled=1
    adminSoapAction=urn:services-progress-com:wsa-admin:01
    debugClients=
    wsaUrl=http://${psc.as.host.name}:${psc.as.http.port}/soap
    wsdlEnabled=1

[sch1.ROOT.REST]
    adapterEnabled=1

[sch1.ROOT.WEB]
    adapterEnabled=0
    defaultCookieDomain=
    defaultCookiePath=
    defaultHandler=OpenEdge.Web.DefaultWebHandler
    srvrAppMode=production
    srvrDebug=0
    wsRoot=/static/webspeed

[AppServer.SessMgr.sch1]
    agentLogEntryTypes=ASPlumbing,DB.Connects
    agentLogFile=${catalina.base}/logs/sch1.agent.log

[AppServer.Agent.sch1]
    PROPATH=C:\home\sch1\openedge,${DLC}/tty,${DLC}/tty/netlib/OpenEdge.Net.pl,C:\home\sch1\webapps\ROOT\WEB-INF\openedge\tap,C:\home\sch1\webapps\ROOT\WEB-INF\openedge\sch,${CATALINA_BASE}/webapps\ROOT\WEB-INF\openedge\dwh,${CATALINA_BASE}/webapps\ROOT\WEB-INF\openedge\appserver,${CATALINA_BASE}/webapps\ROOT\WEB-INF\openedge\ciateq
    uuid=http://APPSERVER10:8817/sch1

Posted by OctavioOlguin on 05-Jun-2019 23:34

And yet.. restarting the instance, I get this log (as sch1.2019-06-05.log)

18:28:21.211/2079 [localhost-startStop-1] WARN  o.s.b.f.c.PropertyPlaceholderConfigurer - Could not load properties from URL [file:C:/home/sch1/ablapps/${oeabl.ablapp.name}/conf/oeablSecurity.properties]: C:\home\sch1\ablapps\${oeabl.ablapp.name}\conf\oeablSecurity.properties (El sistema no puede encontrar la ruta especificada)

18:28:22.398/3266 [localhost-startStop-1] WARN  c.p.a.s.security.OEMetadataSource - restOEMetadataSource: Resolving intercept-url source file using a CATALINA_BASE/webapps file path

18:28:22.414/3282 [localhost-startStop-1] WARN  c.p.a.s.security.OEMetadataSource - webOEMetadataSource: Resolving intercept-url source file using a CATALINA_BASE/webapps file path

18:28:22.429/3297 [localhost-startStop-1] WARN  c.p.a.s.security.OEMetadataSource - apsvOEMetadataSource: Resolving intercept-url source file using a CATALINA_BASE/webapps file path

18:28:22.429/3297 [localhost-startStop-1] WARN  c.p.a.s.security.OEMetadataSource - soapOEMetadataSource: Resolving intercept-url source file using a CATALINA_BASE/webapps file path

18:28:22.445/3313 [localhost-startStop-1] WARN  c.p.a.s.security.OEMetadataSource - defaultOEMetadataSource: Resolving intercept-url source file using a CATALINA_BASE/webapps file path

18:28:23.789/4657 [localhost-startStop-1] WARN  c.p.appserv.adapters.rest.Management - Property file C:\home\sch1\webapps\ROOT/WEB-INF/adapters/rest/_oepingService/runtime.props not found - Using default properties

18:28:23.820/4688 [localhost-startStop-1] WARN  com.progress.caf.logging.CafLogging - Unable to create InputStream for resource "caflogging.properties".

18:28:27.742/8610 [localhost-startStop-1] WARN  c.p.appserv.adapters.rest.Management - Property file C:\home\sch1\webapps\ROOT/WEB-INF/adapters/rest/CtqSrvc/runtime.props not found - Using default properties

18:28:27.757/8625 [localhost-startStop-1] WARN  com.progress.caf.logging.CafLogging - Unable to create InputStream for resource "caflogging.properties".

18:28:28.195/9063 [localhost-startStop-1] WARN  o.a.c.m.DefaultManagementLifecycleStrategy - This CamelContext(camel) will be registered using the name: camel-1 due to clash with an existing name already registered in MBeanServer.

18:28:31.101/11969 [localhost-startStop-1] WARN  c.p.appserv.IdleResourceWatchdog - Idle resource watchdog disabled

 

CtqSrvc is the name of the "Defined Service"in PDSOE, which was exported and deployed...

Posted by Peter Judge on 06-Jun-2019 13:58

The clue is in the properties file
[sch1]
   webApps=ROOT
The ABL application only has the ROOT webapp deployed - you can see that in the filesystem too (I would expect that the webapps/ directory only has ROOT.war and ROOT/ directory in additoin to oemanager and manager).
That property snippet tells me that the "sch1" webapp was not deployed to the instance and so any request you make with /sch1/rest will fail with a 403 .
CtqSrvc is  an ABL service (which is contained in w webapp - the ROOT webapp from your log snippet
18:28:27.742/8610 [localhost-startStop-1] WARN  c.p.appserv.adapters.rest.Management - Property file C:\home\sch1\webapps\ROOT/WEB-INF/adapters/rest/CtqSrvc/runtime.props not found - Using default propertie
 
The sch1 name in the properties file is the name of the ABL application and is not visible from the URL.
 
Hth,
-- peter
 

Posted by OctavioOlguin on 06-Jun-2019 15:48

Thanks [mention:9e4ee96fac634b8f91b580e1fb4f7e71:e9ed411860ed4f2ba0265705b8793d05] ... as far I can see, what I am missing is some insight on the whole process... I guess that I've read handbooks on the first part of the process and final part.. I'm missing info on the relationship of services and projects and instances...   I'll look forward for that info.

As I've just founded this:

http://10.101.102.210:8818/server/rest/services    throws:

{"RESTServices":[{"http:\/\/10.101.102.210:8818\/rest\/_oepingService":{"__oeping":{"OpenEdge.Rest.Admin.AppServerStatus..ServerStatus":{"Method":" GET","Resource-Path":"\/_oeping","Http-Request-Type":"application\/json","Http-Response-Type":"application\/json","ABL-Resource-Name":"OpenEdge.Rest.Admin.AppServerStatus.cls","ABL-Resource-path":"WRKDIR\\","Procedure-Type":"Internal Function","Input":[],"Output":[{"HTTP-Target":"http.body[json.object['response'].string['_retVal']]","ABL-Source":"retVal","ABL-Type":"CHARACTER"}]}}}},{"http:\/\/10.101.102.210:8818\/rest\/CtqSrvc":{"_Precios":{"clsPrecios..GetPrecios":{"Method":" GET","Resource-Path":"\/Precios","Http-Request-Type":"application\/json","Http-Response-Type":"application\/json","ABL-Resource-Name":"clsPrecios.cls","ABL-Resource-path":"WRKDIR\\","Procedure-Type":"Internal Procedure","Input":[],"Output":[{"HTTP-Target":"http.body[json.object['response'].object['ttPrecios']]","ABL-Source":"ttPrecios","ABL-Type":"TEMPTABLE","Type-MetaData":{"ttPrecios":{"Articulo":"CHARACTER","Nombre":"CHARACTER","Menudeo":"DECIMAL","Mayoreo":"DECIMAL","SoloMayoreo":"INTEGER"}}}]}},"_Precios_pArt":{"clsPrecios..precioArt":{"Method":" GET","Resource-Path":"\/Precios\/{pArt}","Http-Request-Type":"application\/json","Http-Response-Type":"application\/json","ABL-Resource-Name":"clsPrecios.cls","ABL-Resource-path":"WRKDIR\\","Procedure-Type":"Internal Procedure","Input":[{"HTTP-Source":"http.path[pArt]","ABL-Target":"pArt","ABL-Type":"CHARACTER"}],"Output":[{"HTTP-Target":"http.body[json.object['response'].decimalvalue['Menudeo']]","ABL-Source":"Menudeo","ABL-Type":"DECIMAL"},{"HTTP-Target":"http.body[json.object['response'].decimalvalue['Mayoreo']]","ABL-Source":"Mayoreo","ABL-Type":"DECIMAL"}]}},"_Sucursales":{"suc.clsSucursales..GetSucursales":{"Method":" GET","Resource-Path":"\/Sucursales","Http-Request-Type":"application\/json","Http-Response-Type":"application\/json","ABL-Resource-Name":"suc.clsSucursales.cls","ABL-Resource-path":"WRKDIR\\","Procedure-Type":"Internal Procedure","Input":[],"Output":[{"HTTP-Target":"http.body[json.object['response'].object['ttSucursal']]","ABL-Source":"ttSucursal","ABL-Type":"TEMPTABLE","Type-MetaData":{"ttSucursal":{"Sucursal":"INTEGER","Nombre":"CHARACTER","NombreCorto":"CHARACTER","Direccion":"CHARACTER","Colonia":"CHARACTER","Ciudad":"CHARACTER","Telefono":"CHARACTER","Fax":"CHARACTER","CP":"INTEGER","Estado":"CHARACTER","Pais":"CHARACTER","EnLinea":"LOGICAL","Tipo":"CHARACTER","Deudor":"CHARACTER","noExterior":"CHARACTER","noInterior":"CHARACTER"}}}]}},"_Sucursales_Suc":{"suc.clsSucursales..Get1Suc":{"Method":" GET","Resource-Path":"\/Sucursales\/{Suc}","Http-Request-Type":"application\/json","Http-Response-Type":"application\/json","ABL-Resource-Name":"suc.clsSucursales.cls","ABL-Resource-path":"WRKDIR\\","Procedure-Type":"Internal Procedure","Input":[{"HTTP-Source":"http.path['\/Sucursales\/{Suc}]","ABL-Target":"pSuc","ABL-Type":"INTEGER"}],"Output":[{"HTTP-Target":"http.body[json.object['response'].string['Direccion']]","ABL-Source":"Direccion","ABL-Type":"CHARACTER"},{"HTTP-Target":"http.body[json.object['response'].string['Ciudad']]","ABL-Source":"Ciudad","ABL-Type":"CHARACTER"},{"HTTP-Target":"http.body[json.object['response'].string['Telefono']]","ABL-Source":"Telefono","ABL-Type":"CHARACTER"}]}}}}]}

It's extremely related to  the info you shared.

Posted by OctavioOlguin on 06-Jun-2019 16:17

Found it!

Page 60  OpenEdge Development: Web Services. pdf

and docs.progress.com/.../Guidelines-for-REST-URI-naming-conventions.html

Hope this adventure, helps someone in the future.

Posted by Peter Judge on 06-Jun-2019 17:19

There's a learning path at docs.progress.com/.../service-developer  that should cover a bunch of topics , all related to what you're working through.  The Concepts  "branch" should give an overview of what the pieces all are and how they work together.

Posted by OctavioOlguin on 08-Jun-2019 01:58

I struggled for 2 or 3 days with this, and yet the answer is not documented anywhere I looked..

Erased instances (from development and deployment) and starting again, but in dev, it throwed errors: "An attempt was made to authenticate the locked user", so googled it and that drove me to tomcat-users.xml  file.

I commented-out the part 

<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must be changed>" roles="tomcat"/>
<user username="both" password="<must be changed>" roles="tomcat,role1"/>
<user username="role1" password="<must be changed>" roles="role1"/>

and put naive passwords, and vôila....  rest you have... so do I...

Something should be done about that,,,

I know that there  should be some explanation, but can't find it yet...

Posted by Michael Jacobs on 08-Jun-2019 11:36

Allow me to try an simplify ABL application security a bit and see if this helps you.

PASOE is a server that supports both Java and ABL applications.   Tomcat is the server, and OpenEdge ABL is a layered product for running ABL applications within the Tomcat server environment.   Tomcat has its own user authentication & URL authorization system that is based on the Java standard.   OpenEdge ABL applications uses Spring Security as its user authentication & URL authorization system, which provides it more security options and functionality.

The conf/tomcat-users.xml user account file is used by the Tomcat server's security system for the deployed Java web applications.  For example: the  Tomcat 'manager' web application, and OpenEdge 'oemanager' web applications used for remote administration and monitoring.  When you edit conf/tomcat-users.xml, you are only controlling access to those 'manager' & 'oemanager' web applications.

The OpenEdge ABL application will use Spring Security within its ABL web application(s), which is configured using the oeablSecurity.properties (user authentication & SSO) & oeablSecurity.csv (URL access controls).

The conf/openedge.properties controls the ABL application's run-time, and has no controls that affect the application's security.

=======

Because of the special needs imposed by ABL clients connecting to PASOE's APSV transport, you can choose to employ HTTP BASIC authentication by changing the apsv.security.enable property from none to basic.    The 'http.all.authmanager' property will qualify which Authentication Provider (local, ldap, ad, sso, oerealm) the APSV transport will use.  If 'none' is used it uses an 'allow all client access' configuration.  ( Note: for the same reasons, the SOAP transport also is configured separately)

For all of the ABL application's HTTP client type transports (REST, WEB, & file-system) you choose which form of client authentication the client uses use via the 'client.login.model' property.   You change it's value from anonymous (allow any client access) to one of the login or SSO model type names.   The property 'http.all.authmanager' qualifies which Authentication Provider plugin (local, ldap, ad, oerealm, ...) is used by the configured user-login 'client.login.model' types (basic, form, sso).   The SSO 'client.login.model' types (saml & oauth2) ignore the http.all.authmanager property.

The common task for all ABL web application transports, is configuring the Authentication Provider used for login & SSO security.   The Authentication Provider configuration controls where user accounts are found for that type, how to authenticate the user account, and how to create the Client-Principal delivered to your ABL application code.   Those exact settings is another topic.

Does that help you understand which files you should focus on for your problem?

Posted by OctavioOlguin on 08-Jun-2019 13:28

Thanks [mention:96ac66c56cc24edba29a9cf865c9c3f5:e9ed411860ed4f2ba0265705b8793d05] for such a detailed explanation....

Sure it lays some solid foundation, and guides my further study on the subject...  

As a mater of fact, I came to office really early on (today saturday) to keep digging on the subject...

One thing that annoys me is this:  There is some the info about my problem here https://docs.progress.com/bundle/pas-for-openedge-admin/page/Enable-ABL-application-authentication.html, and there is states about the initial state of anonymous on client.login.model (on oeabl.properties), but in a certain moment, I installed an instance on dev and another in prod, and none of them allowed anonymous acces for REST... for APSV, I have nothing to say, as it worked right on...

So I guess that this will be a fine reading for weekend...   

Thanks!!!! you went the extra mile

This thread is closed