Logging Header-Driven Auth


Aaron Spike

Aug 13, 2021, 12:30:26 PM
to Orbeon Forms
I'm working with Orbeon Forms 2020.1.3.202105010041 PE in Tomcat 9. I'm attempting to switch from container-driven authentication to header-driven authentication using a single JSON-formatted credential header. I can confirm that the headers are being sent to Tomcat from my proxy. But when I attempt to access a restricted form I receive a 403. (Unrestricted forms work.) No matter how I change my logging.properties or log4j.xml files, I can't seem to see any messaging about how the credential header is being processed. How can I get better visibility into this process to solve my issues?

Aaron

Aaron Spike

Aug 16, 2021, 12:22:22 PM
to Orbeon Forms
It turns out that I can see logs pertaining to header-driven authentication when I access an unrestricted form. This makes me think that I am misunderstanding the interaction between the form access restrictions set in the form builder and the URL-based access restrictions set in the web.xml.

Alessandro Vernet

Aug 16, 2021, 7:15:05 PM
to Orbeon Forms
Hi Aaron,

The restrictions you put in the `web.xml` are related to the container-driven authentication. You can't use those when doing header-driven authentication. Where is the 403 coming from? Is it coming from Tomcat? If so, this could be explained by those restrictions you still have in the `web.xml`, while you're passing user info through headers, which Tomcat isn't aware of. And you'll let me know if I misunderstood your situation / question!

-Alex

Aaron Spike

Aug 17, 2021, 11:00:10 AM
to Orbeon Forms
Yes, the 403 was coming from Tomcat. I was expecting the orbeon-form-runner-auth-servlet-filter to modify the request with the user and roles supplied in the headers. I have removed the restrictions from web.xml and placed them in my proxy configuration. Things appear to be working now. Though I would feel a lot better if I could get someone with more expertise to review my configuration.

Aaron Spike

Aug 17, 2021, 11:35:18 AM
to Orbeon Forms
Does anything special need to happen to allow access to the form builder when using header-driven authentication?

Aaron Spike

Aug 17, 2021, 12:26:18 PM
to Orbeon Forms
> LIMITATION: Restrictions on the form name in form-builder-permissions.xml are at this point not supported; only restrictions on the app name are supported. This means that you should always use `form=""`. If you define a restriction on the form name, it won't be enforced at the time the form is created, allowing users to create, save, and publish a form with an undesirable name. However they then won't be able to see the form they created when going back to the summary page.*

I see a stray asterisk at the end of the paragraph in the documentation. To what is it referring? Or should the `forms=""` above actually be `forms="*"`?

Alessandro Vernet

Aug 17, 2021, 8:12:15 PM
to Orbeon Forms
Hi Aaron,

> I see a stray asterisk at the end of the paragraph in the documentation. To what is it referring? Or should the `forms=""` above actually be `forms="*"`?

Yes, that was a Markdown formatting issue! The whole paragraph was supposed to be in italic (starting and ending with a `*`), but the star in `forms="*"` was taken to be the end of the italic. This is now fixed (by removing the italic, which was superfluous). Thank you for noticing this.

> Does anything special need to happen to allow access to the form builder when using header-driven authentication?

Nothing special; the setup in `form-builder-permissions.xml` is the same, whether you're using header-based or container-based authentication.

-Alex

Aaron Spike

Aug 18, 2021, 9:20:53 AM
to Orbeon Forms
Thank you! Finding an appropriate Apache config was a bit of a slog, but I think I've gotten this working now.
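The arrangement Aaron settled on (the access rule removed from `web.xml` and enforced by the reverse proxy, with the authenticated identity forwarded to Orbeon in one JSON credential header) looks roughly like the following Apache httpd fragment. This is an added example written for this thread; it is not Aaron's configuration and not Orbeon's own documentation. It assumes Apache 2.4 with mod_proxy, mod_proxy_http, mod_headers, mod_auth_basic, mod_authn_file and mod_authz_core; that Apache itself authenticates the user (here with a password file, standing in for whatever SSO the proxy really uses) so that `REMOTE_USER` is set; that Orbeon runs in Tomcat on `localhost:8080` under `/orbeon`; and that the header name `Orbeon-Credentials`, the app paths `public-app` / `restricted-app` and the JSON shape are placeholders that must be matched to the header name and credential format declared in the Orbeon properties.

```apache
# Added example, not Orbeon's or the thread author's configuration.
# Header name, paths and JSON layout are placeholders (see lead-in).

# Security-critical: with header-driven authentication Orbeon believes whatever
# arrives in the credential header, so a copy supplied by the browser must never
# reach Tomcat. "early" removes it in the post-read phase, before any
# authentication or the RequestHeader set below runs, regardless of the path.
RequestHeader unset Orbeon-Credentials early

# Everything under /orbeon is forwarded to Tomcat.
<Location "/orbeon">
    ProxyPass        "http://localhost:8080/orbeon"
    ProxyPassReverse "http://localhost:8080/orbeon"
</Location>

# Unrestricted app: anonymous access, no credential header is forwarded.
<Location "/orbeon/fr/public-app">
    Require all granted
</Location>

# Restricted app: this is where the <security-constraint> that used to sit in
# web.xml now lives. Tomcat no longer knows who the user is, so the decision
# has to be made by the component that does the authenticating: the proxy.
<Location "/orbeon/fr/restricted-app">
    AuthType Basic
    AuthName "Forms"
    AuthUserFile "/etc/httpd/forms.htpasswd"
    Require valid-user

    # Forward the identity only after Require has passed. The expr= form of
    # RequestHeader reads REMOTE_USER as set by the authentication above; the
    # JSON below is illustrative and must follow Orbeon's documented format.
    RequestHeader set Orbeon-Credentials "expr={\"username\":\"%{REMOTE_USER}\",\"roles\":[{\"name\":\"user\"}]}"
</Location>
```

Two checks worth making after deploying something like this: request a restricted form with a hand-crafted `Orbeon-Credentials` header and confirm you still get the proxy's 401 rather than the form, and confirm that port 8080 is reachable only from the proxy host (a firewall rule or a Tomcat connector bound to the loopback address), because any client that can talk to Tomcat directly bypasses both the `Require` and the header stripping.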

Alessandro Vernet

Aug 18, 2021, 1:15:16 PM
to Orbeon Forms
Excellent Aaron, I'm glad you got that header-based authentication working.

-Alex
