Progress Application Server for OpenEdge (PASOE) Spring security configuration

Transcription

1 Progress Application Server for OpenEdge (PASOE) Spring security configuration

2 2017 Progress Software Corporation and/or one of its subsidiaries or affiliates. All rights reserved. These materials and all Progress software products are copyrighted and all rights are reserved by Progress Software Corporation. The information in these materials is subject to change without notice, and Progress Software Corporation assumes no responsibility for any errors that may appear therein. The references in these materials to specific platforms supported are subject to change. Corticon, DataDirect (and design), DataDirect Cloud, DataDirect Connect, DataDirect Connect64, DataDirect XML Converters, DataDirect XQuery, DataRPM, Deliver More Than Expected, Icenium, Kendo UI, Making Software Work Together, NativeScript, OpenEdge, Powered by Progress, Progress, Progress Software Developers Network, Rollbase, SequeLink, Sitefinity (and Design), SpeedScript, Stylus Studio, TeamPulse, Telerik, Telerik (and Design), Test Studio, and WebSpeed are registered trademarks of Progress Software Corporation or one of its affiliates or subsidiaries in the U.S. and/or other countries. Analytics360, AppServer, BusinessEdge, DataDirect Spy, SupportLink, DevCraft, Fiddler, JustCode, JustDecompile, JustMock, JustTrace, Kinvey, NativeScript Sidekick, OpenAccess, ProDataSet, Progress Results, Progress Software, ProVision, PSE Pro,Sitefinity, SmartBrowser, SmartComponent, SmartDataBrowser, SmartDataObjects, SmartDataView, SmartDialog, SmartFolder, SmartFrame, SmartObjects, SmartPanel, SmartQuery, SmartViewer, SmartWindow, and WebClient are trademarks or service marks of Progress Software Corporation and/or its subsidiaries or affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Any other marks contained herein may be trademarks of their respective owners. Please refer to the Release Notes applicable to the particular Progress product release for any third party acknowledgements required to be provided in the documentation associated with the Progress product. Author: Cheryl LaBarge clabarge@progress.com Contributors: Irfan Syed, Michael Jacobs, David Cleary, Roy Ellis

3 Spring Security Workshop For Progress Application Server for OpenEdge (PASOE) Cheryl LaBarge, Ruben Dröge, Chris Skeldon Progress November 15, 2017 Workshop Philosophy We can t make you an expert in 3 hours but we can give you a solid foundation 2 Progress 1

4 Learning new things 70% of learning is experiential It happens through daily tasks, challenges and practice. 20% of learning is social It happens with and through other people, like coworkers. 10% of learning is formal It happens through structured training courses and programs. 3 What will you learn: What is Spring security? How do I begin using it? How do I customize it? How do I troubleshoot issues? How can I switch to a different user provider? 4 Progress 2

5 What is Spring security? 5 What is Spring security? Spring security is a powerful and highly customizable authentication and access-control framework Built into PASOE Spring is automatically started when you start an instance All requests must go through the Spring security process to generate a security token User request PASOE 6 Progress 3

6 What is a security token? An object that contains both user credentials and additional information about the user's roles and capabilities Offers flexibility - I decide how to give them out Anonymous or check a flat file, LDAP, AD, OERealm, OpenEdge Authentication Gateway, etc. Sealed You can t transfer it to another person Expires* - limits the chance that others will use that credential 7 Spring security is always on! User requests access 1- Check Request Anonymous 2 -Authenticate Check User * For every request! No roles 3- Authorize URL Check Roles 4 - Generate a CLIENT-PRINCIPAL 8 Progress 4

7 1. Check your request What happens? Spring applies industry standard filters HTTPS filters HTTPS [SSL/TLS] client login filters CORS (Cross-origin resource sharing) filters CSRF (Cross site request forgery) filters Bottom line: Is the request compliant and reliable? For more detail on these topics, search the web or attend security sessions not the primary focus of this workshop. Spring is checking so you don t have to check! Additional steps are required to enable TLS, CORS, etc. but those are outside of Spring security External Threats 9 2. Authenticate - What happens? Spring checks your configuration files to decide What type of authentication? Direct login (user name & password) o Where do I find the user provider? Single Sign On (SSO) still check verify o Already authenticated Authentication Bottom line: Do I check the users credentials? If so, where to I find the right list to verify the users are who they say they are 10 Progress 5

8 3. Authorize What happens? Based on your configuration, Spring checks the following: Do we limit access to different types of application (REST, Web, etc.) Do we limit access to parts of the application Authorization (Accounting, Finance, Human Capital) Bottom line: Am I limiting access to my application based on the user s role in the organization Generate CLIENT-PRINCIPAL Why? Spring generates a security token OpenEdge generates a sealed CLIENT-PRINCIPAL Domains Domain access keys Bottom line: We transforms the Spring token into a CLIENT-PRINCIPAL to add ABL specific details Spring token CLIENT-PRINCIPAL 12 Progress 6

9 Which applications can use Spring security? User requests access Authentication Provider APSV SOAP REST WEB Static 13 Where can I store user account information? User requests access Authentication Provider APSV SOAP REST WEB Static None User.properties flat file ExtLocal LDAP - Lightweight Directory Access Protocol. AD Active Directory SAML OERealm OAG - OpenEdge Authentication Gateway SSO Single Sign-On OAuth2 14 Progress 7

10 How do I customize Spring Security Configuration files 11.6 uses.xml files 11.7.x uses two files oeablsecurity.properties oeablsecurity.csv Lesson learned xml files are error prone Properties and.csv file are easier to Edit Debug Migrate 15 Benefits of Spring to OpenEdge User requests access Applications First line of defense for access control Java industry standard DLC/servers/pasoe/common/lib Always on, always runs first Sits outside of your application Blocks request if authentication and authorization fail Always creates a security token Easy to use in existing code Automatically generates a CLIENT-PRINCIPAL from the Spring security token so you can use it in your existing applications Easy to configure Using properties files and.csv files OpenEdge handles 99% of details Can switch Authentication Providers easily 16 Progress 8

11 How do I begin using Spring Security 17 Surprise! You may already be using it! User requests access Authentication Provider 1- Check Request Anonymous yes 2 -Authenticate Check User yes User info * For every request! No roles yes 3- Authorize URL Check Roles yes 4 - Generate a CLIENT-PRINCIPAL 18 Progress 9

12 Our test application is REST Use a browser to call the ABL Application Ping service Success looks like this json Why use a simple ping service? To focus on Spring settings application 19 Try It 1: Experiencing the default client login model Progress 10

13 What did you learn? This is that 20% Social 21 Enabling security for REST, WEB, APSV and SOAP Spring security is automatically enabled for validating clients of REST and WEB applications You must update oeablsecurity.properties to enable Spring Security to validate clients of APSV and SOAP applications For APSV, set the apsv.security.enable property to basic. By default, the property is set to none. For SOAP, set the soap.security.enable property to basic. By default, the property is set to none. For more information, see the oeablsecurity.properties.readme file 22 Progress 11

14 Best Practice Use.properties and.csv files If you read about Spring Security you will find that Spring uses xml files to change behavior Don t use.xml Our updates could overwrite any changes in your xml files Bottom line: Keep it simple, always look through the properties we recommend if you need to change something chances are there s a property for that! 23 How do I find the right property? Each oeabl[.war] web application s URI space is divided into 5 individually configured Spring Security sub-spaces, arranged by transport We will be working with REST APSV SOAP REST WEB Static 24 Progress 12

15 How do I find the right property? Your transport determines has potential values for properties Example: client.login.model -method client uses to authenticate via HTTP messages Transport URI Path Login Models APSV apsv/** [ none ]; basic SOAP soap/** [ none ] ; basic REST rest/** [ anonymous ] ; basic ; form ; container ; sso ; oauth2 WEB web/** [ anonymous ] ; basic ; form ; container ; sso ; oauth2 Static files ** [ anonymous ] ; basic ; form ; container ; sso ; oauth2 25 How do I learn more about a specific properties? Readme file [Install]\servers\pasoe\conf Outlines oeablsecurity.properties.readme Hierarchy of.properties files Rules for setting property values Search for your property Documentation 26 Progress 13

16 What does the.csv file customize? Control URL access controls for web applications In 11.6 In Which file should I edit? Hierarchy of files Install oepas1 oepas1app Inventory Payments All Servers An Instance ABL Application Web Application Progress install is the superset includes all properties set defaults for all server instance [Install]/servers/pasoe/conf/oeablSecurity.properties and.csv Instance effects all ABL applications deployed on that instance [Instance-name]/conf/oeablSecurity.properties and.csv ABL Application level effects all web applications [Instancename]/ablapps/oepas1APP/conf/oeablSecurity.properties and.csv Web application controls on that branch of the business application [Instance-name]/webapps/inventory/WEB- INF/oeablSecurity.properties and.csv 28 Progress 14

17 How do I apply changes? You will need to restart the Progress Application Server for OpenEdge When you start the Progress Application Server for OpenEdge the property changes will take effect 29 Exploring authentication 30 Progress 15

18 Let s make a change requiring the user to login User requests access 1- Check Request Authentication Provider Anonymous yes 2 -Authenticate Check User yes User info * For every request! No roles yes 3- Authorize URL Check Roles yes 4 - Generate a CLIENT-PRINCIPAL 31 What will the user experience differently? Default value is anonymous To require a login use form 32 Progress 16

19 Setting the client.login.model property to form Default value is anonymous Require a username and password User.properties flat file located in C:\Progress\OpenEdge\servers\paso e\webapps\root\web-inf 33 Using form provides default login page The request is redirected to the login.jsp page The username and password are sent to Spring for authentication and authorization 34 Progress 17

20 What is the http.all.authmanager? User.properties flat file located in C:\Progress\OpenEdge\servers \pasoe\webapps\root\web-inf 35 Try It 2: Exploring Authentication Progress 18

21 What did you learn? This is that 20% Social 37 Using form adds additional security When you use form, Progress Application Server for OpenEdge receives a client session that persists You have explicit login and logout Did anyone open an new tab and retry the ping? o What happened? This can be bad because. If you are just stateless request then you use basic or single sign on 38 Progress 19

22 Exploring Authorization 39 Checking roles User requests access 1- Check Request yes 2 -Authenticate Check User Anonymous yes User info Authentication Provider 3- Authorize URL No roles yes Check Roles yes 4 - Generate the CLIENT-PRINCIPAL 40 Progress 20

23 How does a direct login handle the request? URL access control file located in instancename/webapps/web-app-name/web-inf/oeablsecurity.csv file contains the roles Intercept-url for each transport type Default for REST is ROLE_PSCUser APSV SOAP REST WEB Static 41 Dissecting the entry ## Intercept-url definitions for the REST transport URIs ## "/rest/**","*","hasanyrole('role_pscuser')" Pattern - URL pattern (wildcards and regular expressions) 2. Method HTTP access method 3. Access - Role[s] that are allowed access to the resource 42 Progress 21

24 Changing the role Use the ROLE_PSCAdmin Change role to ROLE_PSCAdmin 43 Try It 3: Exploring Authorization Progress 22

25 What did you learn? This is that 20% Social 45 Using a CLIENT- PRINCIPAL 46 Progress 23

26 Using a CLIENT-PRINCIPAL User requests access Authentication Provider 1- Check Request Anonymous yes 2 -Authenticate Check User yes User info * For every request! No roles yes 3- Authorize URL Check Roles yes 4 - Generate a CLIENT-PRINCIPAL 47 Using a CLIENT-PRINCIPAL CLIENT-PRINCIPAL refresher Using a server startup procedure Lab startup procedure review Using a client request activate procedure Lab activate procedure review 48 Progress 24

27 CLIENT-PRINCIPAL refresher Define a handle DEFINE VARIABLE HCP AS HANDLE NO-UNDO. Get the CLIENT-PRINCIPAL from the current request hcp = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal(). Retrieve attributes MESSAGE " ID: '" + hcp:qualified-user-id + "'". MESSAGE " session-id:" hcp:session-id. MESSAGE " state:" hcp:login-state. MESSAGE " roles: " + hcp:roles. MESSAGE " domain: " + hcp:domain-name. Use to access the database SET-DB-CLIENT(hCP). 49 Using a server startup procedure.p Automatically executed as procedure within each server session when the PAS for OpenEdge session first starts If it completes with an error, PAS for OpenEdge instance startup fails and the PAS for OpenEdge session is terminated oeprop AppServer.Agent.sessionStartupProc=IdmStartup.p 50 Progress 25

28 Startup procedure loads the domains Load domains or any persistent information for the server 51 Using a client request activate procedure User requests access Event procedures that allow you to manage the initialization and cleanup of a client's request in both unbound session-managed and session-free models oeprop AppServer.Agent.sessionActivateProc=IdmActivate.p 52 Progress 26

29 What might you do during activation? In this lab: We create a variable to look at the CLIENT-PRINCIPAL for the current request and validate the seal, if it is an invalid CLIENT- PRINCIPAL we raise an error - Remember to clean up after yourself,we delete the handle when we are done 53 Restart the server to see your changes You will need to restart the Progress Application Server for OpenEdge When you start the Progress Application Server for OpenEdge the property changes will take effect 54 Progress 27

30 Where did the messages go? C:\OpenEdge\WRK\oepas1\logs\oepas1.agent.log StartupProc message Activate client request message 55 Try It 4: Using a CLIENT- PRINCIPAL Progress 28

31 What did you learn? This is that 20% Social 57 Troubleshooting with logs 58 Progress 29

32 Where to look when it goes wrong Bad user Immediate feedback 401 Unauthorized Authentication failed 59 Default logging Log files provide general error messages but not all details 1. Agent log 2.Session manager 60 Progress 30

33 Troubleshooting during development <logger name= org.springframework level= DEBUG WARNING: Generates HUGE log files for development use only!!! 61 How do you apply changes? You will need to restart the Progress Application Server for OpenEdge When you start the Progress Application Server for OpenEdge the logging.xml file 62 Progress 31

34 Catching authentication errors Same bad user Not found More details with DEBUG level logging Don t leave on in Production, debugging only during development 63 Catching authorization errors A user doesn t have the right role More details Role checked Access denied 64 Progress 32

35 Catching configuration errors Manual edits are error prone, how let s look an example Extra quote Client.login.model=form Failed 65 Catching configuration errors (continued) There it is. form There it is again 66 Progress 33

36 Try It 5: Troubleshooting with logs What did you learn? This is that 20% Social 68 Progress 34

37 Using LDAP 69 Configuring to use LDAP with WEB transport User requests access.p LDAP - Lightweight Directory Access Protocol APSV SOAP REST WEB Static 70 Progress 35

38 For training purposes, LDAP is configured If your LDAP isn t configured, that s another training class OpenEdge developers will need to 1. Define database domains 2. Create registry entry for domains 3. Set properties to use LDAP and domains 4. Configure authorization to use domains Add database domains We ve preloaded domains for you In the lab, you will just view those domains Run ListLDAPDomains.p 72 Progress 36

39 2. Registry domains Use gendomreg to create an encrypted registry file seal the domain in the CLIENT-PRINCIPAL ldapreg.bin You will load that file into the registery 73 Setting properties LDAP details oeablsecurity.properties Only properties you need, at the right level Easy to switch to LDAP Client.login.model is still form LDAP details 74 Progress 37

40 3. Setting properties Domain details oeablsecurity.properties Only properties you need, at the right level Set domain registryfile Set domainrolefilter to include all PSC roles 75 Configure authorization to use domains oeablsecurity.csv with addition roles Intercept-url for WEB transport URIs LDAP REQUIRES UPPERCASE ROLE NAMES Added all three roles 76 Progress 38

41 Set handler property Use the oeprop command to use a DataObjectHandler to handle web requests oeprop +oepas1.root.web.handler1= OpenEdge.Web.DataObject.DataObjectHandler : /pdo/{service} Warning: Commands must appear on a single line If you copy and paste from Try It document, you will need to fix the quotes 77 Optional customizing your login.html page Using proenv, copy the login.html from the work directory to replace the default one copy %WRKDIR%\loginPage.html %WRKDIR%\oepas1\webapps\ROOT\static\ 78 Progress 39

42 The sample application Custom page Employee.html Logout to terminate session 79 Using sample stylesheet Custom style sheet mystyle.css 80 Progress 40

43 Review the pasoe1.agent log Domain as part of ID Domain 81 Application flow Login Logout Work! 82 Progress 41

44 Review the localhost_access_log.yyyy-mm-ddd log login logout 83 Try It 6: Using LDAP Progress 42

45 What did you learn? This is that 20% Social 85 Using SSO 86 Progress 43

46 Direct Logins vs. Single Sign-on Direct logins require users to supply a user name and password for authentication and authorization Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN) 87 SSO typically works across servers ROOT Payments PASOE1 PASOE2 88 Progress 44

47 For this lab you will use a single server SSOProd Producer ROOT Consumer PASOE1 Payments Consumer 89 The user is authenticated someplace! User requests access LDAP SSO Single Sign-On Producer APSV SOAP REST WEB Static 90 Progress 45

48 Configure the SSOProd (Producer) application Deploy a SSOProd application tcman deploy a SSOProd %DLC%\servers\pasoe\extras\oeabl.war Customize with properties 91 Producer s oeablsecurities.properties Existing LDAP and CP details Additional SSO Token details 92 Progress 46

49 Deploying the Payments application (SSO Consumer) Deploy the Payments application tcman deploy a Payments %DLC%\servers\pasoe\extras\oeabl.war Customize with properties 93 Consumer s oeablsecurities.properties Client login model is irrelevant Consumer only cares about a valid CLIENT-PRINCIPAL ROOT and Payments are consumers 94 Progress 47

50 SSO tokens have a default timeout 3600 ROOT Payments PASOE1 PASOE2 95 Generating HTTP SSO access_token POST Accept: application/json j_username=ldap_admin&j_password=password { "access_token":"akaaaqaaaazbre1jtgaaoaacaaaabmlzewvkaacqaasaaaaiaaaaafn1fq4amaamaaaaagamakaaggaaaa9tu09by2nlc3nub2tl bgaaoaanaaaadljptevfufndqurnsu4aakaadwaaadk3oeu5mjrdqzq4rtverdzfmzhcnzy4mkyznzi5otjdrdg3mku2rjvdrde1oc5wyxnfru1fq VBVRwAA0AAQAAAACAAAAABZ9SS+AMAAFAAAACEAoAAUAAAAGXNjb3BlAGZpbmFuY2UsSW52ZW50b3J5AAAA0AAXAAAACP////////8QANAAGwAAAAj/////// //EADQABwAAAAIAAAAAAzicA8AsAAVAAAAEG58KQdb3rMLXeF8UPWIzZY=", "refresh_token":"faab8dba b9fe-7767e6eb256e.oepas1", "token_type":"oecp", "expires_in":3600 } Token lifetime Token used to generate a new access_token for the same clientprincipal generated for the user base64 encoded client-principal token 96 Progress 48

51 Performing SSO using OECP access_token GET Authorization: OECP <access_token> GET Authorization: OECP AKAAAQAAAAZBRE1JTgAAoAACAAAABmlzeWVkAACQAAsAAAAIAAAAAFn1Fq4AMAAMAAAAAgAMAKAAGgAAAA9TU09BY2Nlc3NUb2tlbg AAoAANAAAADlJPTEVfUFNDQURNSU4AAKAADwAAADk3OEU5MjRDQzQ4RTVERDZFMzhCNzY4MkYzNzI5OTJDRDg3MkU2RjVDRDE1OC 5wYXNfRU1FQVBVRwAA0AAQAAAACAAAAABZ9SS+AMAAFAAAACEAoAAUAAAAGXNjb3BlAGZpbmFuY2UsSW52ZW50b3J5AAAA0AAXA AAACP////////8QANAAGwAAAAj/////////EADQABwAAAAIAAAAAAzicA8AsAAVAAAAEG58KQdb3rMLXeF8UPWIzZY= 97 Refresh button demonstrates refreshing 98 Progress 49

52 Generating a new access_token by using a refresh_token POST Accept: application/json {"token_type":"oecp","refresh_token":"faab8dba b9fe-7767e6eb256e.oepas1"} {"access_token":"akaaaqaaaazbre1jtgaaoaacaaaabmlzewvkaacqaasaaaaiaaaaafn1k8uamaamaaaaagamakaaggaaaa9 TU09BY2Nlc3NUb2tlbgAAoAANAAAADlJPTEVfUFNDQURNSU4AAKAADwAAADkzRUREN0FFQjQ3NzBCMTBDODc4MzI5NzhFMzdDNDIyOD Q5OTZGNkQxMEUzNi5wYXNfRU1FQVBVRwAA0AAQAAAACAAAAABZ9TnVAMAAFAAAACEAoAAUAAAAGXNjb3BlAGZpbmFuY2UsSW52Z W50b3J5AAAA0AAXAAAACP////////8QANAAGwAAAAj/////////EADQABwAAAAIAAAAAAzicA8AsAAVAAAAEEYKU+LXqrl Ug+FU6aoc4r8=", "refresh_token":"9301bf02-7a52-485b-b24d-6182d28307a9.oepas1", "token_type":"oecp", "expires_in":3600} 99 Configuring logging In the current release you will need to copy logging.xml to each application so that they match This is a known issue and scheduled for an upcoming release SSOProd Producer Logging.xml ROOT Consumer Payments Consumer 100 Progress 50

53 Try It 7: Using SSO What did you learn? This is that 20% Social 102 Progress 51

54 Using the OpenEdge Authentication Gateway Security Token Service (STS) 103 Using Security Token Service (STS) User requests access OpenEdge Authentication Gateway Security Token Service APSV SOAP REST WEB Static 104 Progress 52

55 Authentication Gateway requires Client\Server keys S Require a Server Key S Require a Server Key C Install as client key 105 Installing the client key The server key will be given to you by the Authentication Gateway server administrator On the client machine enter the following: proenv> stskeyutil install -file c:\stsclientkey\oests-key.ecp -url Enter the password as password Once created you will delete the server key so only the generated file remains 106 Progress 53

56 Try your key before you lock your application You can use the authenticate command to test authenticating users proenv> stsclientutil -url -cmd authenticate -nohostverify -user password password C S 107 Customize the properties to use STS Authentication Provider is now sts Same stsurl you tested with the authenticate command WARNING: For the training we have nohostverify=true only to avoid the extra steps for configuring certificates because that is not Spring specific 108 Progress 54

57 Restart the server to see your changes You will need to restart the Progress Application Server for OpenEdge When you start the Progress Application Server for OpenEdge the property changes will take effect 109 Run a program to show sts domain 110 Progress 55

58 Test the application 111 Try It 8: Using STS Progress 56

59 What did you learn? This is that 20% Social 113 What you did today! Demonstrated that the Spring security process always runs first and lives outside of your applications. Customized Spring behavior Prosperities files (oeablsecurity.properities) Access control files (oeablsecurity.csv) Tracked down access errors and configuration problems using log files Configured different Authentication Providers LDAP SSO STS 114 Progress 57

60 Where can I learn more General resources Installation oeablsecurity.properties.readme Documentation Spring Security Models and templates Education Progress Application Server for OpenEdge Administration Introduction to Progress Application Server OpenEdge for Developers Communities Whitepaper PAS for OpenEdge WebSpeed with OERealm Security (OpenEdge 11.6+) Sample coming soon PASOE Support for JWT and oauth2 - Samples What s new in OpenEdge Service Pack : New Information Guide ABL application PING service Using the OpenEdge Authentication Gateway for Authentication Authentication with OAuth2 and JWT Extending OpenEdge SSO to Web Applications 115 Before you go securing the ping Once you decide on the ping service s URI, you should add appropriate access controls into the webapp s oeablsecurity.csv. Set the access control to turnoff the ping in production /web/_oepingservice/*, GET, hasrole( PSCUser ) 116 Progress 58

61 Each participant will be given a wrist band as they enter the room Each participant will get a cheat card 118 Progress 59

62 Definition Authentication Is a valid user accessing your application? Requires verifying credentials with a Authentication Provider. Definition CLIENT-PRINCIPAL ABL security token. Once created, sealed and validated it is used the users credentials for accessing application and data. Authorization Does the user have permission to access a specific part of your application? Are you in the finance department? If yes, you can run the financial reports and see salaries. Spring Security Token Provides authentication and access-control information. Configuration files - Two main files are used to configure Spring oeablsecurity.properties - sets Spring properties without using xml oeablsecurity.cvs defines authorization through access controls. Domains ABL database configuration that control access application work in conjunction with authorization to limit access to your application. Authentication Provider A third party source where you validate that a user is who they say they are. Examples include LDAP, AD, STS, etc. Logs Troubleshoot problems and collect details from requests made by valid and potentially uninvited users. 119 Spring security is always on! User requests access 1- Check Request Anonymous 2 -Authenticate Check User * For every request! No roles 3- Authorize URL Check Roles 4 - Generate a CLIENT-PRINCIPAL 120 Progress 60

63 Progress 61

64 About Progress Progress (NASDAQ: PRGS) offers the leading platform for developing and deploying mission-critical business applications. Progress empowers enterprises and ISVs to build and deliver cognitive-first applications, that harness big data to derive business insights and competitive advantage. Progress offers leading technologies for easily building powerful user interfaces across any type of device, a reliable, scalable and secure backend platform to deploy modern applications, leading data connectivity to all sources, and award-winning predictive analytics that brings the power of machine learning to any organization. Over 1,700 independent software vendors, 80,000 enterprise customers, and two million developers rely on Progress to power their applications. Learn about Progress at or Worldwide Headquarters Progress, 14 Oak Park, Bedford, MA USA Tel: Fax: On the Web at: Find us on facebook.com/progresssw twitter.com/progresssw youtube.com/progresssw For regional international office locations and contact information, please go to Progress, OpenEdge and Corticon are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. Any other trademarks contained herein are the property of their respective owners.