To configure for multi-domain support begins with the following steps:

  1. Design the OpenEdge domain name space to be used by the ABL application, and assign a domain access code (DAC) to each domain name.
  2. Build a CSV text file with domain names and clear-text DAC pairs, one pair per line. Domain names and DACs are separated by a comma, for example:
    domain-name,clear-text-DAC
  3. Use the GENDOMREG utility to create an encrypted Java keystore file from the CSV file, for example:
    oe-install-dir/bin/gendomreg domreg.csv domreg.keystore
  4. Copy the encrypted Java keystore file to each PAS for OpenEdge instance's .../conf directory.
  5. Configure the OEClientPrincipalFilter in the oeablSecurity.properties file:
    1. Set the value of the OEClientPrincipalFilter.registryFile property to the filename of the Java keystore that you created in Step 3, for example:
      OEClientPrincipalFilter.registryFile=domreg.keystore
    2. Set the OEClientPrincipalFilter.domain property to a default domain that has minimal access rights to your ABL application.
    3. (Optional) Configure authz, accntinfo, roles, and other properties.

The next step is to design the role name pattern that is used to designate an OpenEdge domain. Ideally, the name pattern has a unique prefix that distinguishes it from all other names. The name pattern may also employ a postfix to help establish uniqueness. For more information about designing a role name pattern, see Obtain a domain name from a role name.

Note: Because the OEClientPrincipalFilter bean uses Java regex functionality, create a role name pattern that is easy for Java regex to parse.

After you establish a role name pattern, construct the Java regex pattern that will distinguish the domain name from any other normal user account granted roles, for example, with OED:domain-name as the domain name:

Table 1. Spring users.properties accounts
Role name Spring Security role name Java regex match pattern
ROLE_OED:acme ROLE_OED:acme 
ROLE_OED:(.*)
Table 2. Spring LDAP groupOfUniqueNames object
Role name Spring Security role name Java regex match pattern
cn=OED:acme ROLE_OED:ACME ROLE_OED:(.*)

The Spring LDAP Authentication Provider adds the prefix ROLE_ to any LDAP group name it uses as a user account role, and it converts the LDAP group name to uppercase.

Finally, set the domainRoleFilter property of the OEClientPrincipalFilter bean to the value of the Java regex match pattern.

Note: If your Java regex match pattern contains a back slash ( \ ), you may need to escape it with another backslash ( \\ ).