[Progress Communities] [Progress OpenEdge ABL] Forum Post: RE: FORBIDDEN as response from PASOE

Status
Not open for further replies.
Michael Jacobs

Guest
Allow me to try and simplify ABL application security a bit and see if this helps you. PASOE is a server that supports both Java and ABL applications. Tomcat is the server, and OpenEdge ABL is a layered product for running ABL applications within the Tomcat server environment. Tomcat has its own user authentication & URL authorization system that is based on the Java standard. OpenEdge ABL applications use Spring Security as their user authentication & URL authorization system, which provides more security options and functionality.

The conf/tomcat-users.xml user account file is used by the Tomcat server's security system for the deployed Java web applications. For example: the Tomcat 'manager' web application, and the OpenEdge 'oemanager' web application used for remote administration and monitoring. When you edit conf/tomcat-users.xml, you are only controlling access to those 'manager' & 'oemanager' web applications. The OpenEdge ABL application will use Spring Security within its ABL web application(s), which is configured using oeablSecurity.properties (user authentication & SSO) & oeablSecurity.csv (URL access controls). The conf/openedge.properties controls the ABL application's run-time, and has no controls that affect the application's security.

=======

Because of the special needs imposed by ABL clients connecting to PASOE's APSV transport, you can choose to employ HTTP BASIC authentication by changing the apsv.security.enable property from none to basic. The 'http.all.authmanager' property will qualify which Authentication Provider (local, ldap, ad, sso, oerealm) the APSV transport will use. If 'none' is used, it uses an 'allow all client access' configuration. (Note: for the same reasons, the SOAP transport is also configured separately.)

For all of the ABL application's HTTP client type transports (REST, WEB, & file-system) you choose which form of client authentication the client uses via the 'client.login.model' property. You change its value from anonymous (allow any client access) to one of the login or SSO model type names. The property 'http.all.authmanager' qualifies which Authentication Provider plugin (local, ldap, ad, oerealm, ...) is used by the configured user-login 'client.login.model' types (basic, form, sso). The SSO 'client.login.model' types (saml & oauth2) ignore the http.all.authmanager property.

The common task for all ABL web application transports is configuring the Authentication Provider used for login & SSO security. The Authentication Provider configuration controls where user accounts are found for that type, how to authenticate the user account, and how to create the Client-Principal delivered to your ABL application code. Those exact settings are another topic. Does that help you understand which files you should focus on for your problem?
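The three oeablSecurity.properties settings named above, shown as an added illustration (not from the post or from Progress documentation), with the "allow any client" values beside the values that turn authentication on; the surrounding file layout, comments and any other keys are assumed, and the Authentication Provider's own settings (user store, Client-Principal options) are deliberately left out:

```properties
# --- Weak: every transport accepts any client, no login required ---
# HTTP transports (REST, WEB, file-system): anonymous = allow any client access
client.login.model=anonymous
# APSV transport for ABL clients: none = allow all client access
apsv.security.enable=none
# Ignored while the models above are anonymous/none
http.all.authmanager=local

# --- Corrected: require a login and name the provider that checks it ---
# HTTP transports: one of the login model types (basic, form, sso);
# the SSO types saml & oauth2 ignore http.all.authmanager
client.login.model=basic
# APSV transport: HTTP BASIC authentication
apsv.security.enable=basic
# Authentication Provider used by the basic/form/sso models and by APSV:
# local, ldap, ad or oerealm (where user accounts live and how they are checked)
http.all.authmanager=local
```

Only one of the two groups would be present in a real file; the URL access rules still come from oeablSecurity.csv, and conf/tomcat-users.xml plays no part in either group.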
