The OEClientPrincipalFilter.domainRoleFilter property of the Spring Security OEClientPrincipalFilter bean obtains an OpenEdge domain name from a user-granted role. The domainRoleFilter property is a Java regular expression (regex) pattern that identifies role names produced by Spring Security and extracts the domain name from them. The basic requirement is to adopt a role-naming convention that distinguishes role names that represent domains from other role names.

The Java regex can be any valid pattern with a single extraction group (a sub-pattern enclosed in parentheses, known in Java regex as a capturing group). The full pattern is used to match a role name. Whatever matches the sub-pattern inside the parentheses is extracted and becomes the domain name.

The following are examples of user role-naming conventions that define domains:

  • OED:(.*)
    The domain name is everything after OED:
  • Domain-(.*)-name
    The domain name is all characters between Domain- and -name

Spring Security authentication providers (the beans that authenticate user accounts) prefix ROLE_ to all role names provided for authenticated users. Because the role names presented to the OEClientPrincipalFilter bean are in the form ROLE_user-role-name, this is what is matched by the domainRoleFilter property:

  • ROLE_OED:(.*)
  • ROLE_Domain-(.*)-name

When the domainRoleFilter property is not defined or is a blank string, looking for a domain name in the user’s list of granted roles is disabled.
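
The extraction described above, reproduced with java.util.regex as an added example (it is not OpenEdge's own code). It assumes the full-match behaviour the text states; the class name DomainRoleFilterDemo, the helper extractDomain, the sample role names and the stricter third pattern are constructed for illustration.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DomainRoleFilterDemo {

    // Hypothetical helper: returns the text captured by group 1 when the whole
    // role name matches; empty when the filter is blank or the role does not match.
    static Optional<String> extractDomain(String domainRoleFilter, String roleName) {
        if (domainRoleFilter == null || domainRoleFilter.isBlank()) {
            return Optional.empty();              // blank filter: lookup disabled
        }
        Matcher m = Pattern.compile(domainRoleFilter).matcher(roleName);
        // matches() requires the full role name to match, not just a substring.
        if (m.matches() && m.groupCount() >= 1) {
            return Optional.ofNullable(m.group(1));
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed role names, as they look once ROLE_ has been prefixed.
        List<String> roles = List.of(
                "ROLE_OED:sales",
                "ROLE_OED:",                      // nothing after the colon
                "ROLE_Domain-hr-name",
                "ROLE_Domain-hr-name-x-name",     // greedy (.*) runs to the last -name
                "ROLE_Manager",                   // ordinary role, not a domain
                "OED:sales");                     // no ROLE_ prefix, so no match

        List<String> filters = List.of(
                "ROLE_OED:(.*)",
                "ROLE_Domain-(.*)-name",
                "ROLE_OED:([A-Za-z0-9_.]+)",      // constructed stricter variant
                "");                              // blank: lookup disabled

        for (String filter : filters) {
            System.out.println("domainRoleFilter = \"" + filter + "\"");
            for (String role : roles) {
                String result = extractDomain(filter, role)
                        .map(d -> "domain \"" + d + "\"")
                        .orElse("no domain");
                System.out.printf("  %-28s -> %s%n", role, result);
            }
        }
    }
}
```

Running it shows why the shape of the extraction group matters: a (.*) group accepts an empty string or any characters the role source supplies, while a group restricted to a character class only yields domain names that fit the naming convention.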