Administration Guide
Resolving user-id and domain names
The OEClientPrincipalFilter contains the logic that processes an OpenEdge ID to yield a user-id and domain name. The user-id and domain are used in creating a client-principal object that is subsequently passed to the ABL application code.
The OEClientPrincipalFilter logic follows these general steps after an authentication provider has successfully authenticated the user:
1. If the input OpenEdge ID is fully qualified (user-id plus domain name), proceed to Step 3.
2. Try to resolve the domain name by doing the following:
a. First, look for a user role in the OEClientPrincipalFilter.domainRoleFilter property, which is recognized as holding a domain name. If the domain name is found, proceed to Step 3.
All OEClientPrincipalFilter properties are set in the oeablSecurity.properties file.
b. Next, try using the OEClientPrincipalFilter.domain property value. If the domain name is found, proceed to Step 3.
c. If the domain name remains unresolved after Steps 2a and 2b, raise an error condition.
3. Create a client-principal object and populate its data fields.
4. If the OEClientPrincipalFilter.key property is configured, use its value as the Domain Access Code (DAC) for all domain names.
Note: The OEClientPrincipalFilter.key and the OEClientPrincipalFilter.registryFile properties are mutually exclusive. Both cannot be configured at the same time.
5. If the OEClientPrincipalFilter.registryFile property is configured, use the domain name (either input directly in Step 1 or resolved by one of the methods in Step 2) to look up the domain's DAC.
6. If the DAC cannot be resolved, raise an error condition.
7. Seal the client-principal with the DAC and store it in the user's HTTP login session context for use in subsequent client requests.
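The resolution order in Steps 1 through 7, modeled in Python as an added example (it is not Progress code and not the filter's implementation). The "@" separator, the DOMAIN_ role prefix, the in-memory registry dictionary, and HMAC-SHA256 as a stand-in for sealing are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample configuration: per-domain registry, no shared key.
SAMPLE_CFG = {"domainRoleFilter": "DOMAIN_", "domain": "corp",
              "registry": {"corp": "dac-corp", "hr": "dac-hr"}}

class ResolutionError(Exception):
    """Raised where the steps above say to raise an error condition."""

def resolve_domain(openedge_id, roles, role_prefix=None, default_domain=None):
    # Step 1: a fully qualified ID already carries its domain ("@" is assumed).
    user, sep, domain = openedge_id.partition("@")
    if sep and domain:
        return user, domain
    # Step 2a: a granted role recognized as holding a domain name (assumed prefix match).
    if role_prefix:
        for role in roles:
            if role.startswith(role_prefix) and len(role) > len(role_prefix):
                return user, role[len(role_prefix):]
    # Step 2b: fall back to the configured default domain.
    if default_domain:
        return user, default_domain
    # Step 2c: the domain is still unresolved.
    raise ResolutionError("no domain for %r" % openedge_id)

def resolve_dac(domain, key=None, registry=None):
    # The key and registry sources are mutually exclusive.
    if key is not None and registry is not None:
        raise ResolutionError("key and registryFile are both configured")
    if key is not None:  # Step 4: one DAC for all domain names
        return key
    if registry is not None and domain in registry:  # Step 5: per-domain lookup
        return registry[domain]
    raise ResolutionError("no DAC for domain %r" % domain)  # Step 6

def seal(user, domain, dac):
    # Step 7 stand-in: HMAC-SHA256 models sealing; it is not the product's format.
    msg = ("%s@%s" % (user, domain)).encode()
    return hmac.new(dac.encode(), msg, hashlib.sha256).hexdigest()

def login(openedge_id, roles, cfg):
    user, domain = resolve_domain(openedge_id, roles,
                                  cfg.get("domainRoleFilter"), cfg.get("domain"))
    dac = resolve_dac(domain, cfg.get("key"), cfg.get("registry"))
    return user, domain, seal(user, domain, dac)
```

With a registry, a domain that has no entry fails at the DAC lookup instead of being sealed, whereas a single key seals every resolved domain with the same DAC.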