Hi All,
I need to develop SSO in a Progress application. Can you please suggest the proper documents that I can go through for implementing SSO in Progress OE? Can I implement Spring Security, or is it possible with the Authentication Gateway? Any suggestions for finding the proper documents or the workshop for implementing the Authentication Gateway in my web application?
Hello,
If you are interested, here is a workshop script we gave on Spring Security. It should have steps on how to perform HTTP SSO.
Attachment: /cfs-file/__key/communityserver-discussions-components-files/26/PASOE_5F00_Spring_5F00_Workshop_5F00_Slide_5F00_Book_5F00_Revised.pdf
Hello Irfan,
Thank you for your response.
I have gone through the document. I configured my application to use the STS service, but when I log in to my application I get an error: "500 - Server Error: the server could not produce a response entity due to an internal error - POST /testNew/static/auth/j_spring_security_check".
HTTP status: 500
Error detail: java.lang.NoClassDefFoundError ; Could not initialize class com.progress.common.util.LibStsKey
Do you have any idea how to overcome this?
Regards,
Umanga
NoClassDefFoundError usually indicates you are missing something the class depends on. LibStsKey needs a .dll, so maybe that failed to load? Sharing the root cause rather than the final problem error message would help.
Hi Umanga,
I thought you wanted to use HTTP SSO instead of STS. Isn't that your use case?
Hi Irfan,
I saw the materials for STS, and in the meantime I tried to use STS in my application.
Do you have any white paper on how to configure LDAP and use it with HTTP SSO?
Regards,
Umanga
In the attached document, from slide 43 onward we talk about HTTP SSO.
Maybe, the attachment is missing?
-bernhard
It is attached in this post, but here is the direct link - community.progress.com/.../PASOE_5F00_Spring_5F00_Workshop_5F00_Slide_5F00_Book_5F00_Revised.pdf
Irfan,
I've run through the example for using PASOE as a token producer from the referenced document. I have not been successful! :(
I'm running on 11.7.5 with a Windows 10 PASOE instance. I'm using local for the authmanager. Using Postman, I issue the following request:
--method POST \
--timeout=0 \
--header 'Accept: application/json' \
--header 'Content-Type: multipart/form-data; boundary=--------------------------402823437541950243094182' \
--body-data 'j_username=bstan&j_password=bstan&submit=Login' \
'localhost:8170/.../j_spring_security_check
I get the following response back:
"error": "sso.token.unauthorized_client",
"error_description": "Internal token error"
I've turned up logging and find the following in the logs, which leads me to believe that my post is incorrect; the username doesn't appear to be getting in:
12:50:38.288/22257 [thd-2] DEBUG c.p.a.services.security.OEMdcFilter - Update request user-id source is: nullUser
12:50:38.288/22257 [thd-2] DEBUG c.p.a.services.security.OEMdcFilter - MDC UID policy IFREQUIRED is not changing request user-id from unknown token type
12:50:38.288/22257 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 5 of 18 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
12:50:38.288/22257 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 6 of 18 in additional filter chain; firing Filter: 'HeaderWriterFilter'
12:50:38.288/22257 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 7 of 18 in additional filter chain; firing Filter: 'LogoutFilter'
12:50:38.288/22257 [thd-2] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/static/auth/j_spring_security_check'; against '/static/auth/j_spring_security_logout'
12:50:38.288/22257 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 8 of 18 in additional filter chain; firing Filter: 'OECPRefreshFilter'
12:50:38.288/22257 [thd-2] TRACE c.p.a.s.security.OECPRefreshFilter - Refresh URI /idp/static/auth/j_spring_security_check match to required URI /idp/static/auth/token status: false
12:50:38.289/22258 [thd-2] DEBUG o.s.security.web.FilterChainProxy - /static/auth/j_spring_security_check at position 9 of 18 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
12:50:38.289/22258 [thd-2] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/static/auth/j_spring_security_check'; against '/static/auth/j_spring_security_check'
12:50:38.289/22258 [thd-2] DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Request is to process authentication
12:50:38.290/22259 [thd-2] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
12:50:38.292/22261 [thd-2] DEBUG o.s.s.a.d.DaoAuthenticationProvider - User '' not found
12:50:38.293/22262 [thd-2] TRACE o.s.w.c.s.XmlWebApplicationContext - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1f: Principal: ; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 96E709E58456367F93D9D0B99394677D17AB5DE9405A.oeidp; Not granted any authorities]
12:50:38.293/22262 [thd-2] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'authenticationLoggerSink'
12:50:38.295/22264 [thd-2] DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:151) ~[spring-security-core-4.1.3.RELEASE.jar:4.1.3.RELEASE]
Any help would be appreciated.
The log entry with "DaoAuthenticationProvider - User '' not found" is the key indicator. That is not a double quote in the log entry, but single quotes around a blank user-id. It indicates the server's authentication provider did not find an HTML form field of j_username. Apparently when Spring asks Tomcat for a form field that Tomcat cannot find, it substitutes a blank string, silently. It has to have something to do with how the request body is formatted.
Blake,
As Mike pointed out, it looks like there is a problem with your client program, and it could not send the values correctly to the PASOE Server. You might have already seen the JavaScript example in the attachment. In case you want to do something in ABL, I am attaching an ABL HTTP Client example also for your reference.
/*------------------------------------------------------------------------
    File        : HTTPSSOClient.p
    Purpose     :
    Syntax      :
    Description : SSO Client to get the OE CP token and pass it in the header
                  while invoking other OE Services.
    Author(s)   :
    Created     : Tue Feb 14 06:57:01 EST 2017
    Notes       :
  ----------------------------------------------------------------------*/

/* ***************************  Definitions  ************************** */
BLOCK-LEVEL ON ERROR UNDO, THROW.

/* ********************  Preprocessor Definitions  ******************** */

/* ***************************  Main Block  *************************** */
USING Progress.Lang.*.
USING OpenEdge.Core.Collections.IStringStringMap.
USING OpenEdge.Core.Collections.StringStringMap.
USING OpenEdge.Net.HTTP.ClientBuilder.
USING OpenEdge.Net.HTTP.Cookie.
USING OpenEdge.Net.HTTP.CookieJarBuilder.
USING OpenEdge.Net.HTTP.ICookieJar.
USING OpenEdge.Net.HTTP.IHttpClient.
USING OpenEdge.Net.HTTP.IHttpRequest.
USING OpenEdge.Net.HTTP.IHttpResponse.
USING OpenEdge.Net.HTTP.RequestBuilder.
USING Progress.Json.ObjectModel.JsonObject.
USING Progress.Lang.Object.
USING OpenEdge.Core.String.
USING OpenEdge.Net.HTTP.Credentials FROM PROPATH.
USING OpenEdge.Net.HTTP.IHttpClientLibrary.
USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder.

DEFINE VARIABLE oClient      AS IHttpClient        NO-UNDO.
DEFINE VARIABLE oReq         AS IHttpRequest       NO-UNDO.
DEFINE VARIABLE oReq1        AS IHttpRequest       NO-UNDO.
DEFINE VARIABLE oResp        AS IHttpResponse      NO-UNDO.
DEFINE VARIABLE oResp1       AS IHttpResponse      NO-UNDO.
DEFINE VARIABLE oForm        AS IStringStringMap   NO-UNDO.
DEFINE VARIABLE oCookies     AS Cookie             NO-UNDO EXTENT.
DEFINE VARIABLE iLoop        AS INTEGER            NO-UNDO.
DEFINE VARIABLE oLib         AS IHttpClientLibrary NO-UNDO.
DEFINE VARIABLE ssoURL       AS CHARACTER          NO-UNDO.
DEFINE VARIABLE JObj         AS JsonObject         NO-UNDO.
DEFINE VARIABLE access_token AS CHARACTER          NO-UNDO.
DEFINE VARIABLE serviceURL   AS CHARACTER          NO-UNDO.

OUTPUT TO "SSOClient.out".

// Perform a successful authentication and get a valid access_token.
// The login form must be sent as application/x-www-form-urlencoded so the
// server can read j_username and j_password.
serviceURL = "localhost:8810/.../j_spring_security_check".
oForm = NEW StringStringMap().
oForm:Put('j_username', "restuser").
oForm:Put('j_password', "password").

oClient = ClientBuilder:Build():Client.
oReq = RequestBuilder:Post(serviceURL, oForm)
           :ContentType('application/x-www-form-urlencoded')
           :AcceptJson()
           :Request.
// Replay any cookies collected from an earlier response
DO iLoop = EXTENT(oCookies) TO 1 BY -1:
    oReq:SetCookie(oCookies[iLoop]).
END.
oResp = oClient:Execute(oReq).
oResp:GetCookies(OUTPUT oCookies).

// Get access_token from the JSON response body
JObj = CAST(oResp:Entity, JsonObject).
access_token = JObj:GetCharacter("access_token").

oLib = ClientLibraryBuilder:Build():Library.
oClient = ClientBuilder:Build():Client.

// Perform SSO using the token received earlier: the OE CP token goes in the
// Authorization header with the "oecp" scheme
serviceURL = "localhost:8810/.../_oeping".
oReq1 = RequestBuilder:Get(serviceURL)
            :AddHeader('Authorization', 'oecp ' + access_token)
            :AcceptJson()
            :Request.
oResp1 = oClient:Execute(oReq1).

// Print the SSO output for the authorized OE Service
IF TYPE-OF(oResp1:Entity, JsonObject) THEN DO:
    MESSAGE STRING(CAST(oResp1:Entity, JsonObject):GetJsonText())
        VIEW-AS ALERT-BOX.
END.

OUTPUT CLOSE.
Getting Postman to work was a bit of a challenge.
I turned off all of the auto generated headers.
I made sure it was not doing any authentication.
No URL parameters were defined.
I turned off all of the automatic redirects.
I selected the body style: x-www-form-urlencoded
I sent the HTML form fields j_username & j_password ('keys' in the UI)
I configured the headers:
accept:text/html,application/json
Try this in your Postman and check that you do not get the "User '' not found" log entry.
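Added example, not from this thread or from Progress: a small Python client for the exchange Irfan's ABL program performs (form login to j_spring_security_check, then the access_token replayed as "Authorization: oecp ..."), plus a model of the container's form parsing that shows why Blake's multipart Content-Type header produced Mike's "User '' not found" entry. The base URL, username and the _oeping URL are assumptions; the login path and the oecp header scheme come from the thread.

```python
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen
import json

LOGIN_PATH = "/static/auth/j_spring_security_check"  # path used throughout the thread

def build_login_request(base_url, username, password):
    """POST j_username/j_password as application/x-www-form-urlencoded."""
    body = urlencode({"j_username": username, "j_password": password,
                      "submit": "Login"}).encode()
    return Request(base_url + LOGIN_PATH, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})

def build_sso_request(url, access_token):
    """Replay the token the way the ABL client does: Authorization: oecp <token>."""
    return Request(url, headers={"Authorization": "oecp " + access_token,
                                 "Accept": "application/json"})

def form_params(content_type, body):
    """Model of how the servlet container reads form fields: the body is parsed
    according to the declared Content-Type, so a urlencoded body labelled
    multipart/form-data has no parts and j_username reads back as absent."""
    ctype, _, params = content_type.partition(";")
    ctype = ctype.strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body.decode()).items()}
    if ctype == "multipart/form-data":
        boundary = params.split("boundary=", 1)[1].strip() if "boundary=" in params else ""
        fields = {}
        for part in body.split(b"--" + boundary.encode()):
            head, sep, value = part.partition(b"\r\n\r\n")
            if not sep or b'name="' not in head:
                continue  # not a form part: a urlencoded body never gets here
            name = head.split(b'name="', 1)[1].split(b'"', 1)[0].decode()
            fields[name] = value.rstrip(b"\r\n").decode()
        return fields
    return {}

def login(base_url, username, password, timeout=10):
    """Run the real exchange against a PASOE instance (base_url is assumed,
    e.g. http://localhost:8170/idp) and return the access_token it issues."""
    with urlopen(build_login_request(base_url, username, password), timeout=timeout) as r:
        return json.loads(r.read().decode())["access_token"]
```

Feeding Blake's original header and body to form_params returns an empty dict, which is exactly the blank principal in the log; the same body under the urlencoded Content-Type yields j_username.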