The PAS for OpenEdge extends OpenEdge SSO functionality into the Spring Security framework authentication/authorization process. (Prior to the full PAS for OpenEdge SSO implementation, OpenEdge used and extended the Spring Security framework’s security process to support RESTful requests in the classic AppServer’s REST adapter.)
OpenEdge SSO support continues to authenticate user-id/passwords and to produce Client-Principal tokens for ABL application use. That basic OpenEdge functionality is extended with the capability to issue a simple type of SSO token to a client that can pass it to other PAS for OpenEdge web services that have SSO enabled. However, the token may not be refreshed (i.e., its expiration extended) if the originating user login session has terminated. If the SSO token is issued without the ability to be refreshed, forcing a user to re-authenticate, the login session expiration limitation is moot.
The PAS for OpenEdge SSO support extends the original RESTful request support and adds a Spring Security Filter to handle an upgraded client-server protocol. The PAS for OpenEdge SSO extensions provide both SSO token Producer and Consumer features for generating and consuming SSO tokens, respectively. Any one PAS for OpenEdge web service may be configured to produce, consume, or both. Additionally, a Spring Security configuration template (oeablSecurity-oesso.xml) allows a PAS for OpenEdge web service to only be accessed via a PAS for OpenEdge SSO token.
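The producer and consumer roles and the refresh rule described above can be modelled in a few lines. This is an added example, not OpenEdge or Spring Security code: the token layout, the HMAC sealing, the shared key and every function name are assumptions chosen for illustration.

```python
# Added illustrative model; not OpenEdge code. Token layout, key handling and
# all names below are assumptions made for this example.
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

KEY = b"constructed-demo-key"   # constructed value shared by producer and consumer
SESSIONS = {}                   # producer-side login sessions: session id -> active?

def _seal(claims):
    body = urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + mac).decode()

def _open(token):
    body, _, mac = token.encode().rpartition(b".")
    good = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, good):
        raise ValueError("bad signature")
    return json.loads(urlsafe_b64decode(body))

def login(user, sid, ttl, refreshable, now=None):
    """Producer: after authentication succeeds, record the session and issue a token."""
    now = time.time() if now is None else now
    SESSIONS[sid] = True
    return _seal({"sub": user, "sid": sid, "exp": now + ttl, "ttl": ttl, "refresh": refreshable})

def logout(sid):
    SESSIONS[sid] = False

def refresh(token, now=None):
    """Producer: extend expiration only while the originating login session is alive."""
    now = time.time() if now is None else now
    c = _open(token)
    if not c["refresh"]:
        raise PermissionError("token is not refreshable; re-authenticate")
    if not SESSIONS.get(c["sid"], False):
        raise PermissionError("originating login session has terminated")
    c["exp"] = now + c["ttl"]
    return _seal(c)

def consume(token, now=None):
    """Consumer: accept only an authentic, unexpired token; return the user id."""
    now = time.time() if now is None else now
    c = _open(token)
    if now >= c["exp"]:
        raise PermissionError("token expired")
    return c["sub"]
```

In this model a token issued with `refreshable=False` never reaches the session check, which is why the session-termination limitation does not matter for such tokens.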
Because of the Spring Security framework’s plug-in Authentication Provider architecture, PAS for OpenEdge SSO token generation can be configured to use any user-account provider supported by Spring or by OpenEdge, such as a properties file, LDAP, Active Directory, OERealm, SAML, OpenID, or CAS.