PASOE + HTTP Authorization Header

Posted by danielb on 01-Nov-2016 23:15

We're currently implementing a public REST API, and are requiring it to be secured through OAuth. With WebSpeed, we were able to access all the HTTP headers for the request, and do custom validation/authentication/etc on those as required. However, with WebSpeed in PASOE, everything seems to come through fine except for the Authorization header (which carries the Bearer token for OAuth authentication).

I can find articles online about accessing the Authorization header from within a Java servlet in Tomcat, so I'm guessing that it isn't Tomcat itself that is stripping the header, but something in PASOE, or the configuration itself.

Has anyone had any luck getting the Authorization header available from within Webspeed, or implementing custom authentication modules within PASOE itself? 

It looks like we're stuck on Classic Webspeed until we can access this header. We can do obvious workarounds like using a custom header (X-CustomAuthentication), but that doesn't always play nicely with third-party applications.
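An added example, not code from this thread or from Progress: the header handling Daniel describes, written in Python as a stand-in for the ABL/WebSpeed code (the thread shows none). It parses a Bearer credential per RFC 6750, falls back to the X-CustomAuthentication header the post mentions as a workaround, and checks the token against a constructed token store with a constant-time comparison. The sample token, the store, and the header dictionary shape are assumptions.

```python
import hmac
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token, where b64token is
# 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
# The auth-scheme is case-insensitive (RFC 7235), hence IGNORECASE.
BEARER_RE = re.compile(r"^Bearer[ ]+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Constructed sample token store (opaque token -> subject). In a real deployment
# this would be a token introspection call or a cache of tokens the OAuth server issued.
SAMPLE_TOKENS = {
    "mF_9.B5f-4.1JqM": "daniel",
}


def _get_header(headers, name):
    """Case-insensitive header lookup; header names are case-insensitive per RFC 7230."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def extract_bearer_token(headers, fallback_header="X-CustomAuthentication"):
    """Return the bearer token carried by the request, or None.

    Authorization is consulted first. If it is absent (as it is once PASOE has
    stripped it before the ABL sees the request), the custom header the original
    post proposes as a workaround is tried instead. Malformed values yield None
    rather than a partial token.
    """
    value = _get_header(headers, "Authorization")
    if value is None:
        value = _get_header(headers, fallback_header)
    if value is None:
        return None
    match = BEARER_RE.match(value.strip())
    return match.group(1) if match else None


def authenticate(headers, token_store=SAMPLE_TOKENS):
    """Map a request's bearer token to a subject, or None if it is missing or unknown.

    hmac.compare_digest avoids an early-exit comparison that would leak how many
    leading characters of a guessed token matched.
    """
    token = extract_bearer_token(headers)
    if token is None:
        return None
    for known, subject in token_store.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return subject
    return None


if __name__ == "__main__":
    # Constructed requests: one with Authorization intact, one as WebSpeed under PASOE
    # would see it (Authorization stripped, custom header carrying the same credential).
    print(authenticate({"Authorization": "Bearer mF_9.B5f-4.1JqM"}))
    print(authenticate({"X-CustomAuthentication": "Bearer mF_9.B5f-4.1JqM"}))
    print(authenticate({"Authorization": "Basic dXNlcjpwYXNz"}))
```

The fallback header is only a stop-gap: it carries the same secret as Authorization, so it needs the same TLS protection and the same care around logging and proxies, and third-party OAuth clients will not send it unless configured to.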

Posted by Michael Jacobs on 02-Nov-2016 11:06

Daniel,

We are currently in the process of providing a secure facility within the Spring Security process that allows support for customized HTTP Authorization headers.  The goal is to offer this support without compromising the URL authorization, error handling, Client-Principal generation, and other Spring supported security features.

It is a fairly detailed subject and I wouldn't go into any of those details in the forum.  Would it be possible to set up a time when Peter and I could talk with you about our direction?

All Replies

Posted by Irfan on 01-Nov-2016 23:33

Hi Daniel,

In your PASOE Web Application, you can control the request and response headers using the CORS filter. In the CORS filter you can configure the headers in the "responseHeaders" property so that it can display those headers in your HTTP Response.

<b:bean id="OECORSFilter"
        class="com.progress.appserv.services.security.OECORSFilter">
    <b:property name="responseHeaders" value="" />
</b:bean>

Note: The CORS filter is available in <Web-App>/WEB-INF/oeablSecurity.<form/basic>.xml file. So modify it in the appSecurity xml file that you have configured for your Application.

Please give it a try and let us know if it serves your need.

Posted by Peter Judge on 02-Nov-2016 08:06

This is deliberate – the Authorization header is not passed into the ABL. The rationale is that PASOE should deal with authorisation.

You’re not the first to note and/or notice. I’m trying to think of the best next step – probably contact your account mgr or similar.

Posted by danielb on 06-Nov-2016 21:41

Hi Mike,

Thanks - that would be great. I'll shoot you an email.

Cheers,

Daniel B.

This thread is closed