The OEClientPrincipalFilter.domainRoleFilter property of the Spring Security OEClientPrincipalFilter bean obtains an OpenEdge domain name from a user-granted role. The domainRoleFilter property is a Java RegEx (regular expression) pattern that is used to identify role names produced by Spring Security and to extract the domain name from them. The basic requirement is to adopt a role-naming convention that distinguishes role names that represent domains from other role names.

The Java RegEx expression can be any valid pattern with a single extraction group (a Java RegEx pattern enclosed in parentheses). The full pattern is used to match a role name. Anything that matches the pattern enclosed in parentheses is extracted and becomes a domain name.

The following are examples of user role-naming conventions that define domains:

OED:(.*) The domain name is everything after OED:
Domain-(.*)-name

The domain name is all characters between Domain- and -name

Spring Security authentication providers (the beans that authenticate user accounts) prefix ROLE_ to all role names provided for authenticated users. Since the role names presented to the OEClientPrincipalFilter bean are in the form ROLE_user-role-name, this is what would be matched by the domainRoleFilter property:

  • ROLE_OED:(.*)
  • ROLE_Domain-(.*)-name

When the domainRoleFilter property is not defined or is a blank string, looking for a domain name in the user’s list of granted roles is disabled.