[Progress Communities] [Progress OpenEdge ABL] Forum Post: RE: SSO - Client Principal Object - Implicit vs Explicit Best Practices

Michael Jacobs

We do recommend that you allow OE to create and seal Client-Principal security tokens, whether via the OE Database connection, PASOE, or the OE Authentication Gateway. The property OEClientPrincipalFilter.enabled exists in the PASOE configuration solely for the ability to turn it off for the rare exception case. The default is true to support the recommended practice. There are a number of properties in the oeablSecurity.properties file that allow for customization of the PASOE generated Client-Principal's contents. That configuration file exists in the protected area of the server where it is not accessible from clients or application code - therefore it can be trusted.

Just a side-note: the use of the OE Authentication Gateway by PASOE to create and seal Client-Principal security tokens gives you even more security isolation and a greater ability to use ABL to affect the contents of the Client-Principal object.

To the business application, the origin and sealing of a Client-Principal becomes transparent. The generated Client-Principal token is pushed to the ABL Session on each client request - regardless of its origin. In the application it can be ignored, used by the business application, or used to control the OE database connection's user per the application's security model. More information, but if you are looking at this aspect of PASOE it may help to have a broader view.
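As an added illustration of the last point (example code, not from the post or from Progress), here is how a PASOE request handler can consume the Client-Principal that PASOE pushed into the session and use it to control the database connection's user; the database name "sports2000" is an assumed placeholder, and the check assumes OEClientPrincipalFilter.enabled is left at its default of true so the token on the session was sealed by PASOE.

```abl
/* Added example, not part of the original post. Assumes a connected
   database named "sports2000" (placeholder) whose domain registry knows
   the token's domain, and that PASOE (OEClientPrincipalFilter.enabled=true)
   has already pushed a sealed Client-Principal into this ABL session. */
BLOCK-LEVEL ON ERROR UNDO, THROW.

DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

/* The Client-Principal PASOE attached to the current request. */
hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().

IF NOT VALID-HANDLE(hCP) THEN
    UNDO, THROW NEW Progress.Lang.AppError(
        "No Client-Principal on this request", 0).

/* Only a token in a usable login state should drive identity. "LOGIN" and
   "SSO" are usable; "EXPIRED", "FAILED" and "LOGOUT" are not and the
   request must not be served under that identity. */
IF LOOKUP(hCP:LOGIN-STATE, "LOGIN,SSO") = 0 THEN
    UNDO, THROW NEW Progress.Lang.AppError(
        SUBSTITUTE("Client-Principal not usable: &1", hCP:LOGIN-STATE), 0).

/* SET-CLIENT re-validates the seal against the session's domain registry
   and makes the token the session identity; SET-DB-CLIENT does the same
   for the database, so table permissions and auditing run as that user.
   Both return FALSE rather than raising an error when the seal or domain
   does not check out, so the result must be tested explicitly. */
IF NOT SECURITY-POLICY:SET-CLIENT(hCP) THEN
    UNDO, THROW NEW Progress.Lang.AppError(
        "Session rejected the Client-Principal seal", 0).

IF NOT SET-DB-CLIENT(hCP, "sports2000") THEN
    UNDO, THROW NEW Progress.Lang.AppError(
        "Database rejected the Client-Principal seal", 0).

MESSAGE SUBSTITUTE("Request served as &1@&2",
                   hCP:USER-ID, hCP:DOMAIN-NAME).
```

Leaving the token on the session unused is the "ignore it" option the post mentions; the two SET calls are what turn the PASOE-sealed identity into the database connection's user.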
