Forum Post: RE: Spring security with OE REST

Michael Jacobs

Hello Paul,

This is a good question - I may be able to help with some basic information to get started. Spring Security is a well-known, stable, and very extensible authentication and authorization security stack used by the REST services. The Spring Security stack runs at the very beginning of every HTTP request delivered to the REST web application by the Tomcat server, where it first authenticates the client, and then authorizes them to access a given resource (URL) and action (GET, PUT, POST, DELETE). The Spring Security stack is comprised of a configurable sequence of various 'beans' that is controlled by an XML configuration file (appSecurity-xxxxx.xml) found in the web application's WEB-INF directory.

For developers and admins who are not Spring experts, OpenEdge supplies a set of 'template' Spring configuration files to make it easier and provide a variety of internet and user account authentication types. The configuration is a balance between simplicity and extensibility to fit into a broad range of application and production site requirements. Inside the templates are 'beans' defined for OpenEdge extensions to standard Spring Security to supply support for things like SSO (using a Client-Principal) to the AppServer, using an ABL application's user accounts for authentication, and others.

Some applications can just specify which template to use and are done. However, the expectation is that many developers may need to customize a template for their particular application/production site use - and this is where the OpenEdge REST documentation comes in. The 90%+ of the REST service's Spring Security is standard, and is not documented by OpenEdge.

I have found the Spring Security reference documentation very adequate, but not simple, at the following location: docs.spring.io/.../springsecurity.html That is where you will find the details that describe the XML configuration file's elements and attributes described for things such as controlling http client sessions, URL access controls, user account sources, and much more.

In the example you supplied the author was illustrating how to call through to the Spring Security stack from a web UI page. You would do the equivalent authorization in the Spring Security configuration file for REST services. I hope that this brief background will help get you started.

Mike Jacobs
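Added example, not part of the original post and not one of the OpenEdge templates: a sketch of per-URL, per-method authorization written with the standard Spring Security XML namespace. The `/rest/CustomerService/**` path, the role names and the in-memory test account are assumptions made for illustration, and attribute defaults differ between Spring Security versions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans.xsd
             http://www.springframework.org/schema/security
             http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Stateless REST: authenticate every request, create no HTTP session. -->
  <http use-expressions="true" create-session="stateless">
    <http-basic/>

    <!-- Rules are checked top to bottom and the first match decides,
         so specific URL/method pairs go before the catch-all. -->
    <!-- Hypothetical service path: read access for users and admins. -->
    <intercept-url pattern="/rest/CustomerService/**" method="GET"
                   access="hasAnyRole('ROLE_APP_USER','ROLE_APP_ADMIN')"/>

    <!-- State-changing actions restricted to the admin role. -->
    <intercept-url pattern="/rest/CustomerService/**" method="POST"
                   access="hasRole('ROLE_APP_ADMIN')"/>
    <intercept-url pattern="/rest/CustomerService/**" method="PUT"
                   access="hasRole('ROLE_APP_ADMIN')"/>
    <intercept-url pattern="/rest/CustomerService/**" method="DELETE"
                   access="hasRole('ROLE_APP_ADMIN')"/>

    <!-- Default deny: any URL or method not listed above is refused,
         so a newly deployed service is not exposed by omission. -->
    <intercept-url pattern="/**" access="denyAll"/>
  </http>

  <!-- Constructed in-memory account for local testing only. A real site
       would point this at its own user account source instead. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="testuser" password="CHANGE_ME"
              authorities="ROLE_APP_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</b:beans>
```

With HTTP Basic the credentials travel on every request, so a configuration like this belongs behind HTTPS only.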
