When the Spring Security framework successfully authenticates a client, Spring creates a security token that contains the user's credentials and other information about the user's roles and capabilities that is extracted from the user account information stored in Active Directory.

Security tokens:

  • Are sealed, meaning that they have been digitally signed so that they cannot be tampered with or transferred to another user
  • Have an expiration date, which limits the opportunity for another to use that credential
  • Can be passed to other systems and resources in OpenEdge on behalf of the client request, avoiding the need to re-authenticate the user

When PAS for OpenEdge receives a security token from Spring, OpenEdge generates a sealed CLIENT-PRINCIPAL object from that token so that it can be used in an ABL application. A CLIENT-PRINCIPAL object is a transformation of the Spring security token that includes ABL-specific details, primarily the OpenEdge domains and domain access keys.
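As an added illustration (this is not code from the Progress documentation): the ABL procedure below shows how an application running in PAS for OpenEdge can retrieve the CLIENT-PRINCIPAL generated from the Spring token and check the two properties listed above, the seal and the expiration, before trusting the identity it carries. It assumes that SECURITY-POLICY:GET-CLIENT() returns the handle of the current request's CLIENT-PRINCIPAL and that the domain access keys have already been registered in the session, so VALIDATE-SEAL() can be called without an argument; the procedure name is hypothetical.

```abl
/* check-principal.p  (added example; not Progress code)
   Inspect the CLIENT-PRINCIPAL that PAS for OpenEdge generated
   from the Spring security token for the current request. */
DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

/* The sealed CLIENT-PRINCIPAL for the current request, or ? if none. */
hCP = SECURITY-POLICY:GET-CLIENT().

IF NOT VALID-HANDLE(hCP) THEN
    RETURN ERROR "No CLIENT-PRINCIPAL is associated with this request.".

/* Sealed: the seal must validate against the domain access key
   registered for the principal's OpenEdge domain. */
IF NOT hCP:VALIDATE-SEAL() THEN
    RETURN ERROR "CLIENT-PRINCIPAL seal does not validate.".

/* Expiration: refuse a principal whose login has lapsed. */
IF hCP:LOGIN-STATE <> "LOGIN"
   OR (hCP:LOGIN-EXPIRATION-TIMESTAMP <> ?
       AND hCP:LOGIN-EXPIRATION-TIMESTAMP < NOW) THEN
    RETURN ERROR "CLIENT-PRINCIPAL is expired or not logged in.".

/* Identity and roles that Spring extracted from Active Directory. */
MESSAGE "User:"   hCP:QUALIFIED-USER-ID SKIP
        "Domain:" hCP:DOMAIN-NAME       SKIP
        "Roles:"  hCP:ROLES.
```

Running these checks at the start of a request handler means the application never acts on a principal whose seal cannot be verified or whose expiration has passed, which is the point of the two properties described above.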

For more information about CLIENT-PRINCIPAL objects, see Learn about CLIENT-PRINCIPAL Objects.