REST/PASOE auth: adding properties to client-principal - Forum - OpenEdge Development - Progress Community

REST/PASOE auth: adding properties to client-principal


REST/PASOE auth: adding properties to client-principal

This question is not answered

So I implemented IHybridRealm and set this in oeablSecurity-basic-oerealm.xml. Works!

I uncommented the CP section, so I get a CP in session:current-request-info:GetClientPrinciple().

Now, before the CP is sealed, I want to set some (custom) properties in the client-principle. I want this to be done via the implementation of IHybridRealm, not in the <b:property name="properties" > element of the OERealmAuthProvider provider. This because the information I want to add comes from the database (and is diferent for every user).

Can anyone point me in the right direction?

All Replies
  • I have code that does this: 

    hCP:INITIALIZE(     chUserDomain,                   /* qualified user@domain        */
                        GUID,                           /* unique session id            */
                        ADD-INTERVAL(NOW, 8, 'hours'),  /* default timeout/expiration   */
    hCP:SET-PROPERTY(   {&AuthenticateSiteIdProperty}, 

  • That's when you create your own CP. With PASOE you can let the spring security framework create the CP. My question how to add custom properties (f.e. a "functions" property) to the CP in the latter case.

  • Bronco,
    Sorry to report that the 'properties' in the OERealmUserDetails and OEClientPrincipalFilter will only accept static values at this time.

    I do see the use case for getting named attribute values from the AppServer and inserting them into the client-principal's properties.   Something many could benefit from.  Would you be agreeable to submitting an idea that adds this type of functionality?

    Mike J.

    From: bronco <>
    Reply-To: "" <>
    Date: Wednesday, March 25, 2015 at 10:42 AM
    To: "" <>
    Subject: RE: [Technical Users - OE Development] REST/PASOE auth: adding properties to client-principal

    Reply by bronco

    That's when you create your own CP. With PASOE you can let the spring security framework create the CP. My question how to add custom properties (f.e. a "functions" property) to the CP in the latter case.

    Stop receiving emails on this subject.

    Flag this post as spam/abuse.

  • Hello,

    Just came across this post. I would like to know if the idea for this was submitted and it's current status. We are also using IHybridRealm and would like to insert some properties (for user context type of stuff from our database) before it is sealed.


  • You can do it right now in 11.6.2+

    In your OERealmHybrid Class, add the attribute "Realm_ATTR_PROPERTIES" and return a JSON Object as longchar

    when OERealmDefs:REALM_ATTR_PROPERTIES then


                    return JObj:getJsontext().


    This should load all the custom properties and will be part of your sealing client principal.

    Once your CP is sealed and passed to MS-Agent, you can print those properties as below

    cList = hCP:list-property-names.

       iListSize = num-entries(cList, ",").

       if ( 0 < iListSize ) then do iListPos = 1 to iListSize:

           define variable cProp       as character no-undo.

           define variable cVal        as character no-undo.

           message "    properties:".

           cProp = entry(iListPos, cList, ",").

           cVal = hCP:get-property(cProp).

           message "          property:" cProp ", value:" cVal.


    (hCP is your client-principal handle).



  • Hi,

    We have a class that implements IHybridRealm using OE 11.6.3 spring security. In the auth flow I can see it calls the following for a successful auth:


    GetAttribute: 'ATTR_ROLES'

    GetAttribute: 'ATTR_ENABLED'

    GetAttribute: 'ATTR_LOCKED'

    GetAttribute: 'ATTR_EXPIRED'


    How can I get it calling for the PROPERTIES attribute ?

  • Hello,

    for OpenEdge 11.6.3 you can add/change

    <b:bean id="OERealmUserDetails" class="" >


     <!-- PropertyMap -->

     <b:property name="propertiesAttrName" value="ATTR_PROPERTIES" />

    In your HybridRealm (Method GetAttributes) you can return a json object, for example:

              cAttributeValue = ' ~{ '
                              + '"key1":"' + value1 + '",'
                              + '"key2":"' + value2 + '",'
                              + '"key3":"' + value3 + '"'
                              + ' ~} '.
    and later:
  • Lars,
    Just curious why you are hand-building the JSON instead of using the JsonObject. Is it just for this example?
  • Thanks, I was just missing the property map for ATTR_PROPERTIES. This will be a big help in not having to persist some additional session info elsewhere

  • On the topic of setting properties of the CP, is it possible to set the session-id property from the IHybridRealm implementation, when using OERealmHybrid ?

  • Not at this time.

    The session-id is currently sync'd with the HTTP session that identifies the client login session.  In that way the C-P reflects the same ID as is used to track client login sessions & timeouts to PASOE.  

    I assume you are thinking that the OERealmHybrid class is the client's user authentication instead of a source of user account field information.   That being said...  I would appreciate knowing your use-case for the OERealmHybrid class returning a session-id as part of the user account information?   That is, if you will share so we can learn more of how this feature could be useful.

  • For clarification, we are on Classic Appserver not PASOE.

    We currently use the OERealmHybrid to authenticate our JSDO based REST services.  In the IHybridRealm implementation class, we set several attributes in the CP (name, email, userid, etc..) from database tables and validate that the user is authorized to use the service (not disabled, locked out in some way and licensed).  We also create a session_context record in the database and use the SESSION-ID in the CP as the key, if the user is authenticated.  For other  parts of our application GUI client non-JSDO based REST services we use application based authentication, the same session_context record is created but we use an internally created key, a GUID prefixed with a value that allows us to further identify from where the context_id was created. This context_id is then passed in to the appserver, either as a parameter from mapped REST based services or on the REQUEST-INFO:ClientContextID for Windows GUI clients and other Appserver clients.  The activation event procedure sets the appropriate context for the user from the session_context records.  So the use case would be to allow us to change the SESSION-ID in the CP to match our prefixed style of context_id key.