In Tomcat, a Realm acts as a link between a web application and its user database. The OpenEdge Realm (OERealm) authentication manager provides a hybrid solution that enables Tomcat's Java server process to invoke object-oriented ABL code running on an OpenEdge application server. This setup allows that application server to serve as the source of user account information during authentication.

An OERealm implementation consists of the following components:

  • OpenEdge Realm (OERealm) Client—This component includes the Spring Security authentication provider and user account service objects. These objects communicate with the application server to retrieve user account details, which are then passed to the Spring Security authentication process.

    The OERealm client performs the following steps:

    1. Connects to the application server's OERealm ABL Service Interface.
    2. Sends a request to locate the user account and obtain its unique numeric ID.
    3. Retrieves user account details in this order:
       a. Granted roles
       b. Account enabled state
       c. Account locked state
       d. Account expiration status

    Note: If the account does not exist or is disabled, locked, or expired, the client stops and makes no further requests to the application server.
  • OERealm AppServer ABL Service Interface—This is an ABL class running on the Progress Application Server (PAS) for OpenEdge instance. It handles requests from the OERealm client and implements the IHybridRealm interface to return the expected account details.

    The class performs the following actions in order:

    1. Searches for the user account by name (userid[@domain]).
    2. Returns the user account attributes.
    3. Validates the user account password. Optionally, it authorizes the OERealm client and enables it to receive user account information.
Note: For more information about OERealm, see OERealm security considerations.
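The request sequence described above for the OERealm client and the ABL service interface, modelled as an added example (not code from the OpenEdge documentation or product): a stub realm records every request so the early stop after a failed account check is visible. The attribute names ATTR_ROLES, ATTR_ENABLED, ATTR_LOCKED and ATTR_EXPIRED, the stub realm and the user records are assumptions of this example; the real client calls the ABL IHybridRealm class over the AppServer connection.

```python
import hmac
from dataclasses import dataclass, field

# Constructed user table standing in for the UserDB database (example data only).
USERS = {
    "alice@acme": {"id": 101, "pw": "s3cret", "ATTR_ROLES": "ROLE_USER,ROLE_ADMIN",
                   "ATTR_ENABLED": True, "ATTR_LOCKED": False, "ATTR_EXPIRED": False},
    "bob@acme": {"id": 102, "pw": "hunter2", "ATTR_ROLES": "ROLE_USER",
                 "ATTR_ENABLED": True, "ATTR_LOCKED": True, "ATTR_EXPIRED": False},
}


@dataclass
class StubRealm:
    """Stands in for the ABL service interface; records every request it receives."""
    log: list = field(default_factory=list)

    def validate_user(self, name):
        # Search by name (userid[@domain]); return the numeric account ID, -1 if absent.
        self.log.append(("ValidateUser", name))
        rec = USERS.get(name)
        return rec["id"] if rec else -1

    def get_attribute(self, uid, attr):
        # One attribute per request, in whatever order the client asks.
        self.log.append(("GetAttribute", uid, attr))
        return next(r[attr] for r in USERS.values() if r["id"] == uid)

    def validate_password(self, uid, password):
        self.log.append(("ValidatePassword", uid))
        rec = next(r for r in USERS.values() if r["id"] == uid)
        return hmac.compare_digest(rec["pw"], password)


def authenticate(realm, username, password):
    """Client side: the first failing check ends the exchange with no further requests."""
    uid = realm.validate_user(username)
    if uid < 0:
        return "unknown user"
    roles = realm.get_attribute(uid, "ATTR_ROLES")
    # Status checks in the documented order; each one is a separate round trip.
    for attr, failing_value, reason in (("ATTR_ENABLED", False, "disabled"),
                                        ("ATTR_LOCKED", True, "locked"),
                                        ("ATTR_EXPIRED", True, "expired")):
        if realm.get_attribute(uid, attr) == failing_value:
            return reason
    if not realm.validate_password(uid, password):
        return "bad password"
    return "ok:" + roles
```

Inspecting `realm.log` after a call shows exactly which requests reached the service interface, which is the view you get from the AppServer log when tracing a failed login.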

Implementation Process

To implement the OERealm security model, complete these steps:

  1. Create the OERealm ABL Service Interface along with all required classes.
  2. Update the Spring Security configuration for each web application that will use OERealm security.
  3. Add one or more domains to the databases connected to your application.

If you do not have a PAS for OpenEdge instance available, you can create a simple one using PASMAN:

  1. Open a PROENV session, which places you in the standard WRKDIR location.
  2. Run pasman create -v -f -p 8890 -P 8891 -s 8894 RealmExample to create a PAS for OpenEdge instance.
  3. Run prodb UserDB empty to create an empty database for user accounts.
  4. Run proserve UserDB to serve the database for multi-user access.
  5. Open the RealmExample/conf/openedge.properties file with a text editor and add the following line to the [AppServer.SessMgr.RealmExample] section:

     agentStartupParam=-T "${catalina.base}/temp" -db "${catalina.base}/../UserDB"

  6. Start the PAS for OpenEdge instance with pasman oeserver -start -I RealmExample.

You can now access the RealmExample PAS for OpenEdge instance at http://localhost:8890 and use the UserDB database for the remaining OERealm setup steps. Before proceeding, verify that the server link works and displays the expected status page.