Configure an OERealm service on an AppServer
This section describes how to create an OERealm service interface that finds user account information, obtains user attributes, and validates a user account's password.
To configure an OERealm service on an AppServer:
1. Configure a State-free AppServer to host the OERealm service interface class. If your application is not running on a State-free AppServer, you must define and run a State-free AppServer to support the OERealm service interface.
2. Create a singleton OOABL class that implements the OERealm IHybridRealm interface. If you have the OpenEdge Documentation and Samples installed, you can find a sample interface implementation class, HybridRealm.cls, at $DLC\src\samples\security\OpenEdge\security\Realm.
In the sample HybridRealm.cls file, the following methods are declared and defined:
Table 87. Methods defined in the HybridRealm.cls class

| Method | Mandatory? | Description |
| --- | --- | --- |
| ValidateUser | Yes | This method searches for the user account, validates whether the account domain is valid and enabled, and returns the account numeric ID. Note: The OERealm service interface uses a numerical user account ID as an ABL integer instead of the full user account name. If the user account storage of your OERealm service does not support the integer user account IDs, it is recommended that you build a mechanism to permanently assign unique ABL integer values to each user account in the storage. |
| ValidatePassword | Yes | This method validates the client-supplied password of the user account against the stored password. Note: You can define both the clear-text and digest form of the ValidatePassword() method. |
| GetAttribute | Yes | This method retrieves an attribute for the specified user account. |
| GetAttributeNames | No | This method retrieves the name assigned to the attributes. |
| GetUserNames | No | This method retrieves all the user names associated with the user account. |
| GetUserNamesByQuery | No | This method retrieves the user names that match the input query string. |
| RemoveAttribute | No | This method deletes the value of the given attribute. |
| SetAttribute | No | This method assigns a new value to the given attribute. |

You can implement the GetAttribute() method to return the UNKNOWN or CHARACTER value. If you have configured the REST adapter with an SPA security configuration model, the OERealmUserDetailsImpl module of the OERealm client handles the UNKNOWN value by replacing the value with a static, non-configurable default value. If a CHARACTER value is returned, the OERealm service interface must encode the value in a format that the OERealmUserDetailsImpl module can understand. The known values of the OERealmUserDetailsImpl module are:
Table 88. OERealmUserDetailsImpl module attributes

| Attribute | Data type | Character encoding format |
| --- | --- | --- |
| ATTR_ROLES | string-extent | "" or "xxxx[,yyyy,zzzz]". Note: The OERealm service interface must return roles without the ROLE_ prefix. For example, the interface must return PSCUser instead of ROLE_PSCUser. |
| ATTR_ENABLED | boolean | A character from the {T,t,F,f,Y,y,N,n,0,1} set |
| ATTR_LOCKED | boolean | A character from the {T,t,F,f,Y,y,N,n,0,1} set |
| ATTR_EXPIRED | boolean | A character from the {T,t,F,f,Y,y,N,n,0,1} set |

3. Build and test your OERealm service interface. You can perform this step using an ABL client by writing an AppServer test harness that calls the OERealm service interface.
4. Install the REST Web application on the Apache Tomcat Java container.
Note: Additional security considerations for the SPA security configuration are discussed in Security considerations for SPA security configurations.
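
The encoding rules in Table 88, as an added ABL example (not part of HybridRealm.cls or the OpenEdge samples): helper functions that a GetAttribute() implementation could call to encode role and boolean values, plus a check that a step 3 test harness could apply to a returned boolean attribute. The function names, the sample role list (other than PSCUser), and the choice of "T"/"F" from the allowed set are assumptions.

```abl
/* Added example, not from HybridRealm.cls. Function names are hypothetical. */

/* ATTR_ROLES: "" or "xxxx[,yyyy,zzzz]", each role without the ROLE_ prefix. */
FUNCTION EncodeRoles RETURNS CHARACTER (INPUT pcStoredRoles AS CHARACTER):
    DEFINE VARIABLE cOut  AS CHARACTER NO-UNDO.
    DEFINE VARIABLE cRole AS CHARACTER NO-UNDO.
    DEFINE VARIABLE i     AS INTEGER   NO-UNDO.

    /* Pass UNKNOWN through so the OERealm client applies its default. */
    IF pcStoredRoles = ? THEN RETURN ?.

    DO i = 1 TO NUM-ENTRIES(pcStoredRoles):
        cRole = TRIM(ENTRY(i, pcStoredRoles)).
        IF cRole BEGINS "ROLE_" THEN
            cRole = SUBSTRING(cRole, 6).
        IF cRole = "" THEN NEXT.   /* skip empty entries such as "a,,b" */
        cOut = cOut + (IF cOut = "" THEN "" ELSE ",") + cRole.
    END.
    RETURN cOut.
END FUNCTION.

/* ATTR_ENABLED, ATTR_LOCKED, ATTR_EXPIRED: one character from the set. */
FUNCTION EncodeFlag RETURNS CHARACTER (INPUT plFlag AS LOGICAL):
    IF plFlag = ? THEN RETURN ?.
    RETURN (IF plFlag THEN "T" ELSE "F").
END FUNCTION.

/* Harness-side check of a returned boolean attribute (UNKNOWN is allowed). */
FUNCTION IsValidFlag RETURNS LOGICAL (INPUT pcValue AS CHARACTER):
    IF pcValue = ? THEN RETURN TRUE.
    /* LOOKUP is case-insensitive here, so this covers T,t,F,f,Y,y,N,n,0,1. */
    RETURN LENGTH(pcValue) = 1 AND LOOKUP(pcValue, "T,F,Y,N,0,1") > 0.
END FUNCTION.

/* Constructed sample values, standing in for one stored user account. */
MESSAGE "ATTR_ROLES  :" EncodeRoles("ROLE_PSCUser, ROLE_PSCAdmin,,PSCDebug") SKIP
        "ATTR_ENABLED:" EncodeFlag(TRUE) SKIP
        "ATTR_LOCKED :" EncodeFlag(FALSE) SKIP
        "valid 'y'   :" IsValidFlag("y") SKIP
        "valid 'yes' :" IsValidFlag("yes")
    VIEW-AS ALERT-BOX.
```

Running the same IsValidFlag check against the values your deployed GetAttribute() returns for ATTR_ENABLED, ATTR_LOCKED and ATTR_EXPIRED catches multi-character strings such as "yes" before the REST adapter is connected.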