In the Progress Application Server instance, update the following settings in the web application that requires OERealm authentication. These changes apply the security model to all OpenEdge ABL transports (APSV, SOAP, REST, WEB, and Static file). For details on the file contents and available properties, refer to oeablSecurity.properties.README.

To secure the OEUserRealm class and prevent access from other PAS for OpenEdge clients, use the realmTokenFile feature. This feature passes a serialized Client-Principal token from the OERealm client to the OERealm ABL service interface. For more information, see OERealm security considerations.

  1. Generate a sealed Client-Principal token file using the genspacp utility by running the following command in a proenv window:
     genspacp -user oeRealmUser -password oeR34lmP4ssw0rd -role SpaClient -file realm.cp
    
     genspacp 1.1
     Generated sealed Client Principal...
         User: oeRealmUser@OESPA
         Id: qbUU3PDFQFmvaqAAmxDBig
         Role: SpaClient
         File: realm.cp
         State: SSO from external authentication system
         Seal is valid
  2. Place the generated realm.cp file in the CATALINA_BASE/common/lib/ directory.

    This serialized Client-Principal file (realm.cp) allows the web application to authenticate against the OpenEdge.Security.Realm.HybridRealm class. Note that the password and role values specified in the genspacp command are separate from those used for the Security Domain password and client role. The sample OpenEdge.Security.Realm.HybridRealm class reads these values from the spaservice.properties file and compares them with the values sent by the web application.

  3. Create a file named spaservice.properties in the PROPATH location CATALINA_BASE/openedge with the following contents:
     Password=oeR34lmP4ssw0rd
     Role=SpaClient
     ValidateCP=true
     DebugMsg=true
     EOL=true

    Verify that the Role value (SpaClient) and Password (oeR34lmP4ssw0rd) match those used with the genspacp utility. The DebugMsg option enables the HybridRealm class to output helpful debugging messages; set this to false in non-development environments.

  4. Create a domain registry file for the web application. On your local file system, create a plain text file named domreg.csv. Use the format domain_name,access_code for each domain you need to include, with one pairing per line:
     MyAppDomain,s3cretp4ssword
  5. Run the gendomreg utility to generate the ABLDomainRegistry.keystore file using the domreg.csv file you created earlier:
     gendomreg domreg.csv ABLDomainRegistry.keystore
    
     OEDomainRegistryUtil v1.5.5 (11/06/2023)
    
       [Generate domain registry from inputFile]
    
     input file      : domreg.csv    [CSV]
     output file     : ABLDomainRegistry.keystore    [binary]
  6. Place the generated ABLDomainRegistry.keystore file in the CATALINA_BASE/conf directory. Back up any existing file before replacing it. You can delete domreg.csv or keep it for reference if you need to add more domains later.
  7. Open the application server’s oeablSecurity.properties file in a text editor and configure the property values as shown below. Some settings may already be correct, but verify that they match the expected values.

    For example, using the CATALINA_BASE/webapps/ROOT/WEB-INF/oeablSecurity.properties file:

     http.all.authmanager=oerealm
     client.login.model=form
    
     OEClientPrincipalFilter.enabled=true
     OEClientPrincipalFilter.registryFile=ABLDomainRegistry.keystore
     OEClientPrincipalFilter.domain=MyAppDomain
    
     OERealm.AuthProvider.multiTenant=true
     OERealm.AuthProvider.userDomain=MyAppDomain
     OERealm.AuthProvider.registryFile=ABLDomainRegistry.keystore
    
     OERealm.UserDetails.realmClass=OpenEdge.Security.Realm.HybridRealm
     OERealm.UserDetails.grantedAuthorities=ROLE_NoAccess
     OERealm.UserDetails.appendRealmError=true
     OERealm.UserDetails.realmTokenFile=realm.cp
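As an added example, not code from the Progress documentation, the following POSIX shell functions check an instance against steps 2, 3, 6 and 7: the token file and domain registry must be in place, spaservice.properties must carry the role that was sealed into realm.cp, and oeablSecurity.properties must hold the values listed above with the same domain in the filter and the AuthProvider. The function names, the simple key=value parsing and the constructed sample instance are assumptions made here.

```shell
# Added example, not Progress documentation code: checks that a PAS for OpenEdge
# instance carries the OERealm settings from steps 2, 3, 6 and 7 above.
# Assumes the CATALINA_BASE layout used there and one key=value per line.

prop_get() {   # prop_get <file> <key>: first value of <key>, empty if absent
  sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | head -n 1 | tr -d '\r'
}

check_prop() { # check_prop <file> <key> <expected>: 0 on match, 1 otherwise
  actual=$(prop_get "$1" "$2")
  [ "$actual" = "$3" ] && { echo "ok    $2=$actual"; return 0; }
  echo "FAIL  $2: expected '$3', found '${actual:-<missing>}'"; return 1
}

# Run every check; the return value is the number of failed checks.
check_oerealm_instance() { # check_oerealm_instance <CATALINA_BASE> <role> <domain>
  base=$1; fails=0
  sec="$base/webapps/ROOT/WEB-INF/oeablSecurity.properties"
  spa="$base/openedge/spaservice.properties"
  # Steps 2 and 6: sealed token and domain registry must be in place
  [ -f "$base/common/lib/realm.cp" ] || { echo "FAIL  common/lib/realm.cp missing"; fails=$((fails+1)); }
  [ -f "$base/conf/ABLDomainRegistry.keystore" ] || { echo "FAIL  conf/ABLDomainRegistry.keystore missing"; fails=$((fails+1)); }
  # Step 3: HybridRealm must expect the role that genspacp sealed into realm.cp
  check_prop "$spa" Role "$2" || fails=$((fails+1))
  # Step 7: values listed above; filter and AuthProvider must name the same domain
  check_prop "$sec" http.all.authmanager oerealm || fails=$((fails+1))
  check_prop "$sec" OEClientPrincipalFilter.enabled true || fails=$((fails+1))
  check_prop "$sec" OEClientPrincipalFilter.domain "$3" || fails=$((fails+1))
  check_prop "$sec" OERealm.AuthProvider.userDomain "$3" || fails=$((fails+1))
  check_prop "$sec" OERealm.AuthProvider.registryFile ABLDomainRegistry.keystore || fails=$((fails+1))
  check_prop "$sec" OERealm.UserDetails.realmTokenFile realm.cp || fails=$((fails+1))
  # DebugMsg=true is a development-only setting
  [ "$(prop_get "$spa" DebugMsg)" = true ] && echo "warn  DebugMsg=true; set to false outside development"
  return "$fails"
}

# Constructed sample instance (stand-in files; real ones come from genspacp and gendomreg)
make_sample_instance() {   # make_sample_instance <dir>
  mkdir -p "$1/common/lib" "$1/conf" "$1/openedge" "$1/webapps/ROOT/WEB-INF"
  : > "$1/common/lib/realm.cp"; : > "$1/conf/ABLDomainRegistry.keystore"
  printf '%s\n' Password=oeR34lmP4ssw0rd Role=SpaClient ValidateCP=true DebugMsg=true \
    > "$1/openedge/spaservice.properties"
  printf '%s\n' http.all.authmanager=oerealm client.login.model=form \
    OEClientPrincipalFilter.enabled=true OEClientPrincipalFilter.domain=MyAppDomain \
    OEClientPrincipalFilter.registryFile=ABLDomainRegistry.keystore \
    OERealm.AuthProvider.userDomain=MyAppDomain OERealm.AuthProvider.registryFile=ABLDomainRegistry.keystore \
    OERealm.UserDetails.realmClass=OpenEdge.Security.Realm.HybridRealm \
    OERealm.UserDetails.realmTokenFile=realm.cp > "$1/webapps/ROOT/WEB-INF/oeablSecurity.properties"
}
```

Against a real instance, run `check_oerealm_instance "$CATALINA_BASE" SpaClient MyAppDomain` with the role and domain you actually used; a non-zero return is the count of mismatches to fix.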

Note: Server instance configuration is closely tied to the OpenEdge version, which is why there are multiple steps involved in setting up the application. The PAS instance must be created using the same OpenEdge version. You should not copy PAS for OpenEdge instances between production and development environments, as their security models may differ. More importantly, PAS for OpenEdge instances cannot be copied between different OpenEdge versions and expected to function correctly.

Next, continue to Manage OERealm security domains and roles in the database.