Administration Guide
Creating an OERealm service interface
To implement OpenEdge SPA, you must create an ABL class that implements the OERealm service interface. The class locates user account information, returns user account attributes, and validates a user account's password.
To configure an OERealm service:
1. Configure an OpenEdge application server to host the OERealm service interface class.
Note: Either a PAS for OpenEdge instance or a classic OpenEdge AppServer instance can host the OERealm service interface class. A classic OpenEdge AppServer must be configured as a STATE-FREE instance; a PAS for OpenEdge instance works in any operating mode.
2. Create a singleton OOABL class that implements the OERealm HybridRealm interface. If the OpenEdge Documentation and Samples are installed, a sample implementation class, HybridRealm.cls, is available at $DLC\src\samples\security\OpenEdge\security\Realm.
The sample HybridRealm.cls file declares and defines the following methods:
Table 10. Methods defined in the HybridRealm.cls class

Method                Mandatory?  Description
GetAttribute          Yes         Retrieves one attribute of the specified user account.
GetAttributeNames     No          Retrieves the names of the attributes available for a user account.
GetUserNames          No          Retrieves all user names in the account store.
GetUserNamesByQuery   No          Retrieves the user names that match the input query string.
RemoveAttribute       No          Deletes the value of the given attribute.
SetAttribute          No          Assigns a new value to the given attribute.
ValidatePassword      Yes         Validates the client-supplied password for the user account against the stored credential. Note: You can define both the clear-text and the digest form of ValidatePassword().
ValidateUser          Yes         Searches for the user account, checks that the account's domain is valid and enabled, and returns the account's numeric ID.

Note: The OERealm service interface identifies a user account by a numeric ID (an ABL INTEGER) rather than by the full user account name. If the account store behind your OERealm service does not support integer user account IDs, build a mechanism that permanently assigns a unique ABL INTEGER value to each user account in the store.
Your GetAttribute() implementation can return either the UNKNOWN value (?) or a CHARACTER value. If the Web application is configured with an SPA security model, the OERealmUserDetailsImpl module of the OERealm client replaces an UNKNOWN value with a static, non-configurable default. If a CHARACTER value is returned, the OERealm service interface must encode it in a format that the OERealmUserDetailsImpl module understands.
The attributes known to the OERealmUserDetailsImpl module are:
Table 11. OERealmUserDetailsImpl module attributes

Attribute      Data type      Character encoding format
ATTR_ROLES     string-extent  "" or "xxxx[,yyyy,zzzz]" (a comma-separated list of role names)
ATTR_ENABLED   boolean        A character from the set {T,t,F,f,Y,y,N,n,0,1}. T, t, Y, y, 1 denotes that the user is enabled; F, f, N, n, 0 denotes that the user is disabled.
ATTR_LOCKED    boolean        A character from the set {T,t,F,f,Y,y,N,n,0,1}. T, t, Y, y, 1 denotes that the user is locked; F, f, N, n, 0 denotes that the user is not locked.
ATTR_EXPIRED   boolean        A character from the set {T,t,F,f,Y,y,N,n,0,1}. T, t, Y, y, 1 denotes that the user is expired; F, f, N, n, 0 denotes that the user is not expired. Spring Security rejects expired users.

Note: The OERealm service interface must return roles without the ROLE_ prefix; for example, return PSCUser rather than ROLE_PSCUser. These roles are referenced in oeablSecurity-xxxxx-oerealm.xml to grant or deny access to URL/method combinations, and the external security layer uses them in its authorization decisions.
3. Build and test your OERealm service interface, for example with an ABL client test harness that calls each method of the interface with valid and invalid input.
Note: Errors returned to the client are generic. More detailed error information is written to the application's log file.
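The class below is an added example written for this page to show what step 2 produces; it is not the shipped HybridRealm.cls sample and not Progress code. It assumes the interface is named OpenEdge.Security.Realm.IHybridRealm with the method signatures shown (verify both against the sample under $DLC\src\samples\security\OpenEdge\security\Realm), assumes that ValidateUser signals a bad account by raising an AppError, uses a constructed in-memory temp-table as the account store, and omits the optional digest form of ValidatePassword. The class name Realm.MyRealm and the sample accounts are hypothetical.

```abl
/* Added example for this page: a minimal OERealm service class backed by a
   constructed in-memory temp-table. It is NOT the shipped HybridRealm.cls
   sample. The interface name and method signatures are assumed; check them
   against $DLC\src\samples\security\OpenEdge\security\Realm\HybridRealm.cls. */
BLOCK-LEVEL ON ERROR UNDO, THROW.

USING Progress.Lang.*.

CLASS Realm.MyRealm IMPLEMENTS OpenEdge.Security.Realm.IHybridRealm:

    /* Constructed account store. id is the permanent, unique ABL INTEGER the realm
       hands back to the client instead of the account name. Only a salted hash of
       the password is kept, never the password itself. roles is a comma list with
       no ROLE_ prefix, as OERealmUserDetailsImpl expects. */
    DEFINE PRIVATE TEMP-TABLE ttUser NO-UNDO
        FIELD id       AS INTEGER
        FIELD userName AS CHARACTER
        FIELD domain   AS CHARACTER
        FIELD salt     AS CHARACTER
        FIELD pwdHash  AS CHARACTER   /* hex SHA-256 of salt + password */
        FIELD enabled  AS LOGICAL
        FIELD locked   AS LOGICAL
        FIELD expired  AS LOGICAL
        FIELD roles    AS CHARACTER
        INDEX ixId   IS UNIQUE PRIMARY id
        INDEX ixName IS UNIQUE userName domain.

    /* Domains this realm serves; any other domain is rejected in ValidateUser. */
    DEFINE PRIVATE VARIABLE cValidDomains AS CHARACTER NO-UNDO INITIAL "acme".

    CONSTRUCTOR PUBLIC MyRealm():
        AddUser(1, "alice", "acme", "correct horse", TRUE,  "PSCUser,PSCAdmin").
        AddUser(2, "bob",   "acme", "hunter2",       FALSE, "PSCUser").
    END CONSTRUCTOR.

    /* Demo only: a single SHA-256 round is fast to brute-force. A production
       store should use a slow, iterated password hash. */
    METHOD PRIVATE CHARACTER HashPassword(pcSalt AS CHARACTER, pcPassword AS CHARACTER):
        RETURN HEX-ENCODE(MESSAGE-DIGEST("SHA-256", pcSalt + pcPassword)).
    END METHOD.

    METHOD PRIVATE VOID AddUser(piId AS INTEGER, pcName AS CHARACTER, pcDomain AS CHARACTER,
                                pcPassword AS CHARACTER, plEnabled AS LOGICAL, pcRoles AS CHARACTER):
        CREATE ttUser.
        ASSIGN ttUser.id       = piId
               ttUser.userName = pcName
               ttUser.domain   = pcDomain
               ttUser.salt     = GUID(GENERATE-UUID)
               ttUser.pwdHash  = HashPassword(ttUser.salt, pcPassword)
               ttUser.enabled  = plEnabled
               ttUser.roles    = pcRoles.
    END METHOD.

    /* Mandatory. Splits "user@domain", checks the domain, returns the account id.
       Failures are raised as AppError (assumed convention): the client only sees
       a generic error, the detail goes to the server log. */
    METHOD PUBLIC INTEGER ValidateUser(INPUT pcUserName AS CHARACTER):
        DEFINE VARIABLE cName   AS CHARACTER NO-UNDO.
        DEFINE VARIABLE cDomain AS CHARACTER NO-UNDO.
        ASSIGN cName   = ENTRY(1, pcUserName, "@")
               cDomain = (IF NUM-ENTRIES(pcUserName, "@") > 1 THEN ENTRY(2, pcUserName, "@") ELSE "").
        IF LOOKUP(cDomain, cValidDomains) = 0 THEN
            UNDO, THROW NEW AppError("Invalid or disabled domain", 1).
        FIND FIRST ttUser WHERE ttUser.userName = cName AND ttUser.domain = cDomain NO-ERROR.
        IF NOT AVAILABLE ttUser THEN
            UNDO, THROW NEW AppError("Unknown user account", 2).
        RETURN ttUser.id.
    END METHOD.

    /* Mandatory, clear-text form: re-hash the supplied password with the stored salt. */
    METHOD PUBLIC LOGICAL ValidatePassword(INPUT piUserId AS INTEGER, INPUT pcPassword AS CHARACTER):
        FIND FIRST ttUser WHERE ttUser.id = piUserId NO-ERROR.
        IF NOT AVAILABLE ttUser THEN RETURN FALSE.
        RETURN HashPassword(ttUser.salt, pcPassword) = ttUser.pwdHash.
    END METHOD.

    /* Mandatory. Encodes each attribute as Table 11 requires: roles as a comma list
       without ROLE_, booleans as "T"/"F". An unknown attribute or account returns ?,
       which OERealmUserDetailsImpl replaces with its default. */
    METHOD PUBLIC CHARACTER GetAttribute(INPUT piUserId AS INTEGER, INPUT pcAttrName AS CHARACTER):
        DEFINE VARIABLE cValue AS CHARACTER NO-UNDO INITIAL ?.
        FIND FIRST ttUser WHERE ttUser.id = piUserId NO-ERROR.
        IF NOT AVAILABLE ttUser THEN RETURN ?.
        CASE pcAttrName:
            WHEN "ATTR_ROLES"   THEN cValue = ttUser.roles.
            WHEN "ATTR_ENABLED" THEN cValue = (IF ttUser.enabled THEN "T" ELSE "F").
            WHEN "ATTR_LOCKED"  THEN cValue = (IF ttUser.locked  THEN "T" ELSE "F").
            WHEN "ATTR_EXPIRED" THEN cValue = (IF ttUser.expired THEN "T" ELSE "F").
        END CASE.
        RETURN cValue.
    END METHOD.

    METHOD PUBLIC CHARACTER EXTENT GetAttributeNames(INPUT piUserId AS INTEGER):
        DEFINE VARIABLE cNames AS CHARACTER EXTENT 4 NO-UNDO
            INITIAL ["ATTR_ROLES", "ATTR_ENABLED", "ATTR_LOCKED", "ATTR_EXPIRED"].
        RETURN cNames.
    END METHOD.

    METHOD PUBLIC CHARACTER EXTENT GetUserNames():
        RETURN GetUserNamesByQuery("*").
    END METHOD.

    /* The query string is treated as an ABL MATCHES pattern (an assumption of this example). */
    METHOD PUBLIC CHARACTER EXTENT GetUserNamesByQuery(INPUT pcQuery AS CHARACTER):
        DEFINE VARIABLE cNames AS CHARACTER EXTENT NO-UNDO.
        DEFINE VARIABLE iCount AS INTEGER   NO-UNDO.
        FOR EACH ttUser WHERE ttUser.userName MATCHES pcQuery:
            iCount = iCount + 1.
        END.
        IF iCount = 0 THEN RETURN cNames.
        EXTENT(cNames) = iCount.
        iCount = 0.
        FOR EACH ttUser WHERE ttUser.userName MATCHES pcQuery:
            ASSIGN iCount         = iCount + 1
                   cNames[iCount] = ttUser.userName + "@" + ttUser.domain.
        END.
        RETURN cNames.
    END METHOD.

    /* Optional. This store is read-only through the realm; accounts are managed elsewhere. */
    METHOD PUBLIC LOGICAL SetAttribute(INPUT piUserId AS INTEGER, INPUT pcAttrName AS CHARACTER, INPUT pcValue AS CHARACTER):
        RETURN FALSE.
    END METHOD.

    METHOD PUBLIC LOGICAL RemoveAttribute(INPUT piUserId AS INTEGER, INPUT pcAttrName AS CHARACTER):
        RETURN FALSE.
    END METHOD.

END CLASS.
```

Save the class as Realm/MyRealm.cls on the PROPATH of the hosting server, then drive it from an ABL test harness: call ValidateUser("alice@acme") and pass the returned id to ValidatePassword and GetAttribute, and confirm that ValidateUser("alice@other") and ValidateUser("nobody@acme") raise errors while GetAttribute for bob returns "F" for ATTR_ENABLED. Because ABL character comparison is case-insensitive by default, user names and the hex hash compare case-insensitively here; if your store treats user names case-sensitively, declare the field CASE-SENSITIVE.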