Spring Security Configuration for PASOE instance - Forum - OpenEdge Development - Progress Community

Spring Security Configuration for PASOE instance

 Forum

Spring Security Configuration for PASOE instance

This question is answered

Is it possible to configure a  single PASOE instance using the j_spring_security configuration to generate a security token based against multiple points of authentication?  For example, based on user credentials (j_username && j_password) the instance will produce a security token against Active Directory or against  a flat file, etc. 

Verified Answer
  • You have two custom configuration options:

    a)  You can use a different Authentication Managers per ABL web application transport.  The option Ram mentioned above.

    b)  You can create your own custom Authentication Manager that has multiple entries, where each entry is configured to obtain user account information from a different source.   The list is order dependent so you choose which type is tried first, second, etc.   While this is technically possible, it usually brings up a discussion about how trustworthy the resulting token is when you mix low-trust and high-trust sources of user accounts.   (For example ldap/ad versus text file)

    If b) is really going to solve some problems for your application - we should take that technical discussion offline and connect you with someone who can provide you some pointers that will make it safer and easier.   (The details will be very specific to your use)

  • Hi,

    Following is a sample configuration for multiple auth providers.

    <security:authentication-manager>

         <security:authentication-provider ref="ldapAuthenticationProvider " />

         <security:authentication-provider ref="dbAuthenticationProvider" />

    </security:authentication-manager>

    Here  ldapAuthenticationProvider  and dbAuthenticationProvider  are the beans defined in the configuration file which represents the custom authentication provider implementations.

    Please also have a look into the following link. This has few details about configuring multiple auth providers.

            "www.baeldung.com/spring-security-multiple-auth-providers".  

    Thanks and Regards,

    Ram Krushna

  • It has to be java.
     
    The only ABL callsbacks (that I know of ) are
    - the OERealm implementation as an auth provider
    - event and policy callbacks in the OEAG
     
     
All Replies
  • Hi,

    Do you mean that for the same user you want configure different authentication managers ( LDAP, local, extlocal, etc) in PASOE instance ?

    Then PASOE instance can be configured with multiple authentication managers for different transports but not based on users.

    For example: you can find following properties in oeablSecurity.properties file.

    ##  http.apsv.authmanager

    ##  http.soap.authmanager

    ##  http.rest.authmanager

    ##  http.web.authmanager

    ##  http.authmanager

    They can individually be set to preferred auth managers ( such as extlocal, ldap). By default they all are set to the value provided in http.all.authmanager.

    So, you can configure different authetication managers for different transports to access PASOE instance.

    Thanks and Regards,

    Ram Krushna

  • You have two custom configuration options:

    a)  You can use a different Authentication Managers per ABL web application transport.  The option Ram mentioned above.

    b)  You can create your own custom Authentication Manager that has multiple entries, where each entry is configured to obtain user account information from a different source.   The list is order dependent so you choose which type is tried first, second, etc.   While this is technically possible, it usually brings up a discussion about how trustworthy the resulting token is when you mix low-trust and high-trust sources of user accounts.   (For example ldap/ad versus text file)

    If b) is really going to solve some problems for your application - we should take that technical discussion offline and connect you with someone who can provide you some pointers that will make it safer and easier.   (The details will be very specific to your use)

  • Yes, that's essentially what I was getting at. The users fall into separate categories and as a result they need to use two different properties for the authmanger.  

  • Yes, that's essentially what I was getting at. The users fall into separate categories and as a result they need to use two different properties for the authmanger.  

  • So, option b is what I'll be looking to implement. The low-trust source (text file) that I listed was purely for example. I'll actual be using values from a database.

    At a quick glance around the web I didn't come across any guides/recommendations for setting up a custom authentication manager. However, according to the oeablSecuirty.properties the authMangers.xml file is where I'll want to start? Any concrete resources?

  • Hi,

    Following is a sample configuration for multiple auth providers.

    <security:authentication-manager>

         <security:authentication-provider ref="ldapAuthenticationProvider " />

         <security:authentication-provider ref="dbAuthenticationProvider" />

    </security:authentication-manager>

    Here  ldapAuthenticationProvider  and dbAuthenticationProvider  are the beans defined in the configuration file which represents the custom authentication provider implementations.

    Please also have a look into the following link. This has few details about configuring multiple auth providers.

            "www.baeldung.com/spring-security-multiple-auth-providers".  

    Thanks and Regards,

    Ram Krushna

  • Hi,

    I would like to add the following to my earlier response.

    My previous reply was correct, but I realize that I may have mislead you into thinking it was complete and was that simple.   There are a few issues to consider and additional configuration work needed to make that simple change work.   Such as: which file(s) to change,  what to add/change in those files, property definitions for configuration/maintenance, and how to migrate your changes into newer PASOE releases.

    None of those topics are hard.  A lot of it is just knowing what to copy and rename , what to add, and understanding which providers cannot be combined into one client authentication process.   Knowing this information before you start will save you time and avoid frustration.  

    I’ll support Mike’s reply to contact us to have a technical discussion and pass along information specific to your requirements.

    Thanks and Regards,

    Ram Krushna

  • Can you run a ABL class in the the authManagers.xml file or does it have to be a java class?

  • It has to be java.
     
    The only ABL callsbacks (that I know of ) are
    - the OERealm implementation as an auth provider
    - event and policy callbacks in the OEAG