I have a little PAS app that I'm using to generate an SSO token that I use to log the user in to another PAS service.
In the originating oeablSecurity.properties, I have this:
...
OESSOTokenManager.tokenPolicy=always
OESSOTokenManager.ssoTokenURLOption=OECP
OESSOTokenManager.ssoTokenExpires=28800
OESSOTokenManager.ssoAllowScope=
OESSOTokenManager.ssoGrantScope=
OESSOTokenManager.ssoTokenRefresh=true
OESSOTokenManager.ssoRefreshDeltaTime=28800
OESSOTokenManager.springRolePrefix=
---
OEClientPrincipalFilter.enabled=true
OEClientPrincipalFilter.registryFile=ABLDomainRegistry.keystore
OEClientPrincipalFilter.domain=mycompany.com
OEClientPrincipalFilter.roles=
OEClientPrincipalFilter.authz=true
OEClientPrincipalFilter.expires=28800
OEClientPrincipalFilter.accntinfo=true
OEClientPrincipalFilter.ccid=false
OEClientPrincipalFilter.anonymous=false
OEClientPrincipalFilter.sealAnonymous=false
OEClientPrincipalFilter.appName=OE
OEClientPrincipalFilter.forwardToken=false
OEClientPrincipalFilter.passthru=false
OEClientPrincipalFilter.domainRoleFilter=
OEClientPrincipalFilter.loadAccntAttrList=*
# Declare placeholders for up to 10 OEClientPrincipalFilter
# properties. Any number of properties larger than 10
# requires customization of authFilters.xml.
#
# Any property 'key' value whose first character is a
# comment (#) is ignored when creating a Client-Principal
# token
OEClientPrincipalFilter.properties.1.key=FirstName
OEClientPrincipalFilter.properties.1.value=Jack
OEClientPrincipalFilter.properties.2.key=LastName
OEClientPrincipalFilter.properties.2.value=TestGuy
OEClientPrincipalFilter.properties.3.key=Organization
OEClientPrincipalFilter.properties.3.value=TestCompany
I would expect that the 3 properties I have set here would come through in the client principal, but when I get the CP's property list, it is completely empty.
What should I be doing to get properties set in the SSO token?
Sorry I don't have an answer, but I do have a question. I'm trying the same thing minus the extra key information, and have been unsuccessful at actually getting a token back. Do you mind sharing your config and your post request?
Steve,
Are you using OERealm as the authManager by any chance?
I have a running test configuration and I'll try your configuration using the local text file accounts. Then maybe we can find you a definitive answer.
Michael, on this particular one, I'm just using the little oeablSecurity.csv file. It's a service only used by developers.
## Southwell's setup for a basic SSO producer for testing purposes
http.all.authmanager=local
client.login.model=form
http.all.realm=OpenEdge
Blake, the relevant parts of the config are in the original post, and the extra part I sent Michael.
As far as how you would get hold of the token, here's a snippet of JavaScript (I use it with jQuery; I'd send you the whole thing, but it's full of other client stuff):
<script>
var authurl = "localhost:8820/.../j_spring_security_check";
var refreshurl = "localhost:8820/.../token";
var myCPO;
var CPODateTime;
var expireseconds;
var ExpiresDateTime;
var refreshtoken;
var resturl = "localhost:8820/.../test";

$( document ).ready(function(){
    $("#login").click(function(){
        // Do a REST call to get a session going
        var data = {
            j_username: $("#username").val(),
            j_password: $("#password").val()
        };
        var request = {
            url: authurl,
            method: "POST",
            contentType: "application/x-www-form-urlencoded",
            headers: {accept: "application/json"},
            data: data,
            success: function(response, status, x) {
                console.log(response, status, x);
                myCPO = response.access_token;
                refreshtoken = response.refresh_token;
                expireseconds = response.expires_in;
                $("#response").val(JSON.stringify(response));
                CPODateTime = new Date();
                // expires_in is in seconds: add it to the time the token was
                // obtained as milliseconds (Date + number would concatenate strings)
                ExpiresDateTime = new Date(CPODateTime.getTime() + expireseconds * 1000);
                $("#tokenobtained").html(CPODateTime);
                $("#expiredatetime").html(ExpiresDateTime);
            }
        };
        $.ajax(request);
    });
});
</script>
Edit: The markup above is playing havoc with the URLs in my script. Just replace the garbage with straight URLs to your app.
Thanks to all, I found that when I sent the j_username and j_password in as a query string it worked. Seems strange that would be the case with a POST request???
From Postman I was using the below without success. In the logs, the username and password were not being set:
curl --location --request POST 'localhost:8170/.../j_spring_security_check' --header 'Accept: application/json' --form 'j_username=restuser' --form 'j_password=password'
Then out of morbid curiosity this morning tried:
curl --location --request POST 'localhost:8170/.../j_spring_security_check?j_username=restuser&j_password=password' --header 'Accept: application/json'
With query parameters I could see in the logs that the username and password were getting in correctly but had a different error:
c.p.a.s.s.OEClientPrincipalFilter - Error converting Spring token to OEAuthenticationToken: java.lang.IndexOutOfBoundsException: No group 1
I found a post by BartMille about the OEClientPrincipalFilter.domainRoleFilter being set when it didn't need to be. I checked my config and sure enough I had set it to ROLE_PSCUser. I'm not sure why, but I removed it.
What a great feeling to see:
all of the frustration, head banging, foot stomping and swearing stopped when that first token was returned. At this point (7:43am) I'm going home, as there is no point in working any longer; I'm going to have a bigger success.
A special thanks to Mike J. He provided me with examples and answered many questions!
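Pulling together Steve's jQuery snippet and Blake's form-vs-query-string findings, here is an added, dependency-free token client (not code from the thread or from Progress) that builds the login POST both ways, parses the token response the way the snippet reads it (access_token, refresh_token, expires_in), computes the expiry correctly in milliseconds, and decides when to refresh. The endpoint paths and the sample response values are placeholders I constructed.

```javascript
// Added example for the PAS SSO producer discussed in the thread.
// Assumed endpoint: a Spring form login at .../j_spring_security_check (path is a placeholder).

// Build the login POST as Spring form login expects it: credentials form-encoded in the body.
// inQuery=true reproduces the query-string workaround from the thread; note that the URL
// (credentials included) then lands in server and proxy access logs, so prefer the body.
function buildLoginRequest(authUrl, username, password, inQuery = false) {
  const params = new URLSearchParams({ j_username: username, j_password: password });
  if (inQuery) {
    return { url: `${authUrl}?${params.toString()}`, method: "POST",
             headers: { Accept: "application/json" }, body: "" };
  }
  return { url: authUrl, method: "POST",
           headers: { Accept: "application/json",
                      "Content-Type": "application/x-www-form-urlencoded" },
           body: params.toString() };
}

// Parse the JSON token response and compute the absolute expiry. expires_in is in seconds,
// so it is scaled to milliseconds; `new Date(dateObj + seconds)` as in the jQuery snippet
// concatenates strings and yields an Invalid Date.
function parseTokenResponse(json, obtainedAt = new Date()) {
  const r = JSON.parse(json);
  if (typeof r.access_token !== "string" || !Number.isFinite(r.expires_in)) {
    throw new Error("token response missing access_token or expires_in");
  }
  return {
    accessToken: r.access_token,
    refreshToken: r.refresh_token,
    obtainedAt,
    expiresAt: new Date(obtainedAt.getTime() + r.expires_in * 1000),
  };
}

// True when the token is within marginSeconds of expiring, i.e. the client should hit the
// refresh endpoint (OESSOTokenManager.ssoTokenRefresh=true in the thread's config) first.
function needsRefresh(token, now = new Date(), marginSeconds = 60) {
  return token.expiresAt.getTime() - now.getTime() <= marginSeconds * 1000;
}

// Constructed sample response in the shape the thread's script reads (not a real token).
const SAMPLE_RESPONSE = JSON.stringify({
  access_token: "PLACEHOLDER_OECP_TOKEN",
  refresh_token: "PLACEHOLDER_REFRESH_TOKEN",
  expires_in: 28800,
});
```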
Was a resolution to Steve's original question made? After I got my token generator up and running against local user.properties and also OERealm, I have the same situation where the properties in the generated SSO token are blank.
Hi Blake & Steve,
This is a bug and I have logged one: ADAS-22494. We know exactly why it would be happening and will let you know when we have a fix and how to proceed further.
Thanks Irfan, it's nice to know. Now I can stop banging my head trying to make it work.
FWIW, just in case it wasn't clear, any attributes that get added to the CP from the OERealm class as additional properties don't make it to the SSO token, not just static properties from the securities.properties file. Roles assigned in the OERealm class do appear to make it to the SSO
METHOD PUBLIC OVERRIDE CHARACTER GetAttribute ( INPUT piUserID   AS INTEGER,
                                                INPUT pcAttrName AS CHARACTER ):
    DEFINE VARIABLE cValue       AS CHARACTER NO-UNDO INITIAL ?.
    DEFINE VARIABLE cMyContextID AS CHARACTER NO-UNDO.
    DEFINE VARIABLE lcJson       AS LONGCHAR  NO-UNDO.
    DEFINE VARIABLE jsonObj      AS Progress.Json.ObjectModel.JsonObject NO-UNDO.

    IF NOT THIS-OBJECT:validateRequest("GetAttribute") THEN
        MESSAGE "Unauthorized request".
    ELSE
    CASE pcAttrName:
        WHEN OERealmDefs:REALM_ATTR_ENABLED THEN
            ASSIGN cValue = STRING(isActive(piUserID), "1/0").
        WHEN OERealmDefs:REALM_ATTR_LOCKED THEN
            ASSIGN cValue = STRING(isLocked(piUserID), "1/0").
        WHEN OERealmDefs:REALM_ATTR_EXPIRED THEN
            ASSIGN cValue = STRING(isExpired(piUserID), "1/0").
        WHEN OERealmDefs:REALM_ATTR_ROLES THEN
            ASSIGN cValue = getUserRoles(piUserID).
        WHEN OERealmDefs:REALM_ATTR_PROPERTIES THEN
        DO:
            /* Additional properties are returned as a JSON object; these end up
               on the Client-Principal but, as noted above, not in the SSO token */
            cMyContextID = GUID(GENERATE-UUID).
            jsonObj = NEW Progress.Json.ObjectModel.JsonObject().
            jsonObj:Add("MyContextID", cMyContextID).
            jsonObj:Write(OUTPUT lcJson, FALSE).
            cValue = STRING(lcJson).
        END.
        OTHERWISE
            ASSIGN cValue = ?.
    END CASE.
    RETURN cValue.
END METHOD.

METHOD PUBLIC OVERRIDE CHARACTER getUserRoles ( INPUT piUserID AS INTEGER ):
    DEFINE VARIABLE lValidProdUser AS LOGICAL NO-UNDO.
    /* Test stub: every user gets the same single role */
    RETURN "MyUser".
END METHOD.