A domain policy is an ABL-based implementation that enforces sign-on and authentication policies. A domain policy configuration is stored in the domains.json configuration file.

Each domain configuration can reference a single domain policy configuration. The policy configuration requires the fully qualified name of an ABL class that implements OpenEdge.Security.STS.IPolicyProvider. (Optionally, a Base64-encoded value, taken from RCODE-INFO:SIGNATURE-VALUE, can be included to enforce a checksum requirement on the policy implementation class.)

The policy class (or its compiled r-code) must be found in the PROPATH. The recommended location is under instance/webapps/ROOT/WEB-INF/openedge, which is in the PROPATH by default.

For example:

    {
        "version": "1.0.0",
        "domains": [
            {
                "name" : "local",
                "enabled" : true,
                "description" : "O/S Authentication",
                "actions" : {
                    "authenticate" : {
                        "enabled" : true,
                        "options" : ""
    . . .
                },
                "options" : "-processid",
                "authProvider" : "_oslocal",
                "policyProvider" : "login",
                "events" : {
                    "provider" : "",
                    "groups" : {}
                }
            },
    . . .

        "policyProviders" : {
            "login" : {
                "type" : "com.progress.sts.SampleLoginPolicy",
                "hash" : ""
            }
        },

You then need to reference the policy name in the domain configuration. In the example above, that is the line "policyProvider" : "login" under the "local" domain, which points at the "login" entry in "policyProviders".
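To fill in the "hash" field, the Base64-encoded signature is read from the compiled r-code through the RCODE-INFO system handle. The procedure below is an added example and is not part of the OpenEdge documentation or the Authentication Gateway itself; it assumes the compiled policy class is reachable on the PROPATH as com/progress/sts/SampleLoginPolicy.r and that it is run in a session whose PROPATH matches the gateway instance.

```abl
/* Added example (not OpenEdge's own code): print the value to place in
   "hash" for a policyProviders entry in domains.json.
   Assumption: the policy class from this page has been compiled and its
   r-code sits on the PROPATH, e.g. under WEB-INF/openedge. */
block-level on error undo, throw.

define variable cRcode     as character no-undo.
define variable cSignature as character no-undo.

/* Path of the r-code relative to a PROPATH entry (assumed location). */
assign cRcode = "com/progress/sts/SampleLoginPolicy.r".

/* Setting FILE-NAME makes RCODE-INFO read that r-code's header;
   FULL-PATHNAME is unknown (?) when the file is not on the PROPATH. */
assign rcode-info:file-name = cRcode.

if rcode-info:full-pathname = ? then
    undo, throw new Progress.Lang.AppError(
        substitute("r-code &1 was not found on the PROPATH", cRcode), 0).

/* SIGNATURE-VALUE is the Base64-encoded signature the gateway compares
   against "hash" when the checksum requirement is enabled. */
assign cSignature = rcode-info:signature-value.

message substitute('Resolved r-code: &1', rcode-info:full-pathname) skip
        substitute('"hash" : "&1"', cSignature).
```

Because the checksum requirement compares this value against the r-code the gateway actually loads, the value must be regenerated and domains.json updated after every recompile of the policy class; a stale value blocks the policy rather than silently accepting a changed class.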

The following is a sample login policy class. It writes some messages to the log and adds a property to the client-principal object that is returned to the client.

SampleLoginPolicy.cls

    using Progress.Lang.*.
    using OpenEdge.Security.STS.IPolicyProvider.
    using OpenEdge.Security.Principal.
    using Progress.Json.ObjectModel.JsonObject.
    using OpenEdge.Security.PAMStatusEnum.

    block-level on error undo, throw.

    class com.progress.sts.SampleLoginPolicy implements IPolicyProvider:

        /* Called by the gateway for each sign-on through a domain whose
           "policyProvider" names this class. Returning PAMStatusEnum:Success
           lets the sign-on proceed; pcStatusDetail carries a readable reason
           back alongside the status. */
        method public PAMStatusEnum ApplyPolicy( input  pcSender          as character,
                                                 input  pcPolicy          as character,
                                                 input  phClientPrincipal as Principal,
                                                 input  pcDomainCtx       as JsonObject,
                                                 output pcStatusDetail    as character ):
            /* Log what the policy was invoked with. Principal:Token is the
               underlying client-principal handle. */
            message "sender:"    pcSender               skip
                    "policy:"    pcPolicy               skip
                    "C-P Token:" phClientPrincipal:Token skip
                    "context:"   pcDomainCtx.

            assign pcStatusDetail = "OK".
            return PAMStatusEnum:Success.
        end method.

    end class.

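The sample above always returns Success. The class below is an added example, not the documentation's sample and not shipped with OpenEdge, showing a policy that actually makes a decision and records it on the client-principal, which is what a policy provider is there for. Two things are assumed and labelled in the code: that the client-principal is still unsealed when ApplyPolicy runs (so SET-PROPERTY is permitted), and that PAMStatusEnum:AuthenticationFailed is the enum member for a refused sign-on; the deny-list is a constructed value for illustration only.

```abl
/* Added example (not OpenEdge's sample): a policy provider that refuses
   sign-on for user ids on a deny-list and otherwise records on the
   client-principal which policy was applied and by whom.
   Assumptions: phClientPrincipal:Token is not yet sealed here, so
   SET-PROPERTY succeeds; PAMStatusEnum:AuthenticationFailed is assumed
   to be the member for a refused sign-on (check the enum in your release). */
using Progress.Lang.*.
using OpenEdge.Security.STS.IPolicyProvider.
using OpenEdge.Security.Principal.
using OpenEdge.Security.PAMStatusEnum.
using Progress.Json.ObjectModel.JsonObject.

block-level on error undo, throw.

class com.progress.sts.DenyListPolicy implements IPolicyProvider:

    /* Constructed deny-list for the example. A real deployment would load
       this from configuration instead of hard-coding it. */
    define private variable cDeniedUsers as character no-undo
        initial "svc_legacy,guest".

    method public PAMStatusEnum ApplyPolicy( input  pcSender          as character,
                                             input  pcPolicy          as character,
                                             input  phClientPrincipal as Principal,
                                             input  pcDomainCtx       as JsonObject,
                                             output pcStatusDetail    as character ):
        define variable hCP as handle no-undo.

        /* The client-principal handle the gateway built for this sign-on. */
        assign hCP = phClientPrincipal:Token.

        /* Decide before writing anything, so a refused token never carries
           a property that suggests the policy passed. LOOKUP is
           case-insensitive, matching how ABL compares user ids. */
        if lookup(hCP:user-id, cDeniedUsers) > 0 then
        do:
            assign pcStatusDetail = substitute("user &1 refused by policy &2",
                                               hCP:user-id, pcPolicy).
            message "policy" pcPolicy "refused user" hCP:user-id
                    "for sender" pcSender.
            /* Assumed enum member name; see the note at the top. */
            return PAMStatusEnum:AuthenticationFailed.
        end.

        /* Record the decision on the token; the properties travel with the
           sealed client-principal back to the client and can be read there
           with GET-PROPERTY. */
        hCP:set-property("appliedPolicy", pcPolicy).
        hCP:set-property("appliedBy",     pcSender).

        assign pcStatusDetail = "OK".
        return PAMStatusEnum:Success.
    end method.

end class.
```

To use it, compile the class to com/progress/sts/DenyListPolicy.r under WEB-INF/openedge, add a "policyProviders" entry whose "type" is com.progress.sts.DenyListPolicy (with "hash" set to its RCODE-INFO signature if the checksum requirement is wanted), and point the domain's "policyProvider" at that entry name.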
Note: A practical example of adding a policy is described in Add policies to the OpenEdge Authentication Gateway server.