Web applications hosted on PAS for OpenEdge automatically use the Spring Security framework to receive all incoming requests and to perform authentication and authorization operations for those web applications. Spring Security is a mature, commercial-grade, Java-based, highly-customizable, and always-on access-control security framework that:

  • Is automatically started when you start a PAS for OpenEdge instance
  • Is always on to receive all incoming requests
  • Applies industry-standard filters to ensure each request is compliant
  • Blocks a request if authentication fails
  • Generates a security token if authentication succeeds
  • Provides an easy-to-configure plug-in framework for multiple authentication provider types

When a client issues a request on a web application that is hosted on a PAS for OpenEdge instance, the request must go through the Spring Security framework. Spring invokes the configured Authentication Manager plug-into authenticate the client's credentials against an identity store, such as Microsoft Active Directory. If the authentiation operation is successful, the Spring Security framework generates a Spring token, as shown in the following figure.



Spring Security is implemented in the /common/lib directory of PAS for OpenEdge. For more information about Spring Security see https://spring.io/