PASOE provides certain context about a request to an AVM session via the SESSION's CURRENT-REQUEST-INFO atttribute (which contains an instance of Progress.Lang.OERequestInfo).

Information about a client request is primarily contained in the AdapterType and ProcedureName. For REST and APSV clients, the latter contains the application's procedure and/or class that's invoked. For the WEB transport, it's always the same: "Progress.Web.InternalWebHandler&HandleRequest" , which is provided by OE.

This does not provide enough (any?) insight into the request. The complete web request is available (typically via an instance of the OpenEdge.Web.WebRequest class) but this data is not available in a session's activate procedure.

The activate event is the recommended event to perform authentication, authorization and other shared/common functions before any application business logic is run. Since the activate event is run before any business logic, without any changes needed to that business logic, it should be possible to perform a first-pass authorization in the activatge event procedure.

Not all customers will perform such authorization, and not all customers will use the same data for authorization. Customers should be able to configure which data is useful to them in an activate procedure, using a property of the ABL application.

Best case: The complete web request object as passed into method HandleRequest in web handlers.

At least we would need:

* the requested URI (complete, including schema, host, path and query strings)

* the HTTP method (verb)

* the requested URI (complete, including schema, host, path and query strings)

* one or more header values

* one or more form fields

* the typename of the webhandler called

* the URI template used to determine the webhandler to use

* other information