The OEClientPrincipalFilter contains the logic that processes an OpenEdge ID to yield a user ID and domain name. The user ID and domain are used in creating a CLIENT-PRINCIPAL object that is subsequently passed to the ABL application code.

The OEClientPrincipalFilter logic follows these general steps after an authentication provider has successfully authenticated the user:

  1. If the input OpenEdge ID is fully qualified (user ID and domain name), then go to Step 3.
  2. Resolve the domain name by doing the following:
    a. Look for a user role in the OEClientPrincipalFilter.domainRoleFilter property, which is recognized as holding a domain name. If the domain name is found, then go to Step 3.
      Note: All OEClientPrincipalFilter properties are set in the oeablSecurity.properties file.
    b. Use the OEClientPrincipalFilter.domain property value. If the domain name is found, then go to Step 3.
    c. If the domain name remains unresolved after Steps 2a and 2b, then raise an error.
  3. Create a CLIENT-PRINCIPAL object and populate its data fields.
  4. If the OEClientPrincipalFilter.registryFile property is configured, then use its value as the domain access code (DAC) for all domain names.
    Note: The OEClientPrincipalFilter.key property is no longer supported.
  5. If the OEClientPrincipalFilter.registryFile property is configured, use the domain name (either input directly in Step 1 or resolved by one of the methods in Step 2) to look up the domain's DAC.
  6. If the DAC cannot be resolved, then raise an error.
  7. Seal the CLIENT-PRINCIPAL with the DAC, and store it in the user's HTTP login session context to be used in later client requests.
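
The domain resolution in Steps 1 and 2 and the DAC lookup in Steps 5 and 6, as an added Python model that is not Progress code. It assumes a fully qualified ID is written user@domain and that domainRoleFilter is a regular expression whose first capture group is the domain name; a constructed dictionary stands in for the registry file, and the role names and DAC values are hypothetical.

```python
import re

class PrincipalError(Exception):
    """Raised wherever the steps above say to raise an error."""

def resolve_domain(openedge_id, roles, props):
    """Steps 1-2: return (user_id, domain) or raise PrincipalError."""
    # Step 1. Assumption: a fully qualified ID is written user@domain.
    user, sep, domain = openedge_id.partition("@")
    if sep and domain:
        return user, domain
    # Step 2a. Assumption: domainRoleFilter is a regex whose first
    # capture group is the domain name carried by a granted role.
    pattern = props.get("OEClientPrincipalFilter.domainRoleFilter")
    if pattern:
        for role in roles:
            m = re.fullmatch(pattern, role)
            if m and m.re.groups and m.group(1):
                return user, m.group(1)
    # Step 2b: fall back to the configured default domain.
    default = props.get("OEClientPrincipalFilter.domain")
    if default:
        return user, default
    # Step 2c: fail closed instead of continuing with an empty domain.
    raise PrincipalError(f"no domain resolved for user {user!r}")

def lookup_dac(domain, props, registry):
    """Steps 5-6: return the domain's DAC or raise PrincipalError."""
    if not props.get("OEClientPrincipalFilter.registryFile"):
        raise PrincipalError("registryFile is not configured")
    if domain not in registry:
        raise PrincipalError(f"no DAC registered for domain {domain!r}")
    return registry[domain]

# Constructed sample configuration and registry contents (hypothetical values).
PROPS = {
    "OEClientPrincipalFilter.domainRoleFilter": r"ROLE_DOMAIN_(\w+)",
    "OEClientPrincipalFilter.domain": "corp",
    "OEClientPrincipalFilter.registryFile": "domains.bin",
}
REGISTRY = {"sales": "constructed-dac-sales", "corp": "constructed-dac-corp"}

if __name__ == "__main__":
    for oeid, roles in [("alice@corp", []), ("bob", ["ROLE_DOMAIN_sales"]),
                        ("carol", ["ROLE_PSCUser"]), ("dave@hr", [])]:
        try:
            user, domain = resolve_domain(oeid, roles, PROPS)
            print(user, domain, lookup_dac(domain, PROPS, REGISTRY))
        except PrincipalError as err:
            print(oeid, "rejected:", err)
```

The last sample ID names a domain that has no registry entry, so the model rejects it at Step 6 instead of producing a principal that cannot be sealed.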