production version of Orbeon


Andrzej Kaczówka

Nov 8, 2023, 6:51:19 AM
to orb...@googlegroups.com
Hi,

I need information on how to configure the Orbeon config files to disable the Form Runner and Form Builder pages (generally the whole /orbeon/home page). I use only the ORBEON.fr.API.embedForm function in my PHP script; any form must be available to any user without authentication.

I removed WEB-INF/lib/orbeon-form-builder.jar and the builder is not available - that's OK, but I don't know how to disable Form Runner (the /orbeon/fr page), where all the filled forms are.

Please help.

Andrzej Kaczówka 


Alessandro Vernet

Nov 8, 2023, 10:50:22 PM
to orb...@googlegroups.com
Hi Andrzej,

The demo forms are in the built-in eXist-db, so you can get rid of those forms by removing eXist-db, which it seems you don't need anyway. Please let me know if this works for you.

https://doc.orbeon.com/configuration/advanced/production-war

-Alex


Andrzej Kaczówka

Nov 9, 2023, 5:22:43 AM
to orb...@googlegroups.com
Hi Alex,

Thanks for your reply.

I still have a problem with Form Runner, which is available at the <domain>/orbeon/fr/ URL path.

In properties-local.xml I have:
<property
    as="xs:boolean"
    name="oxf.fr.persistence.exist.active"
    value="false"/>

<property
    as="xs:string"
    name="oxf.fr.persistence.provider.*.*.*"
    value="mysql"/>

I have created many forms which should be available through embedded JavaScript only, but not available at the page URL <domain>/orbeon/fr/.
Now, unfortunately, any user can type <domain>/orbeon/fr/ and view any filled form, which is a big problem.

So I still need your help on how to configure it.

Best regards,
Andrzej




Alessandro Vernet

Nov 9, 2023, 4:43:04 PM
to orb...@googlegroups.com
Hi Andrzej,

If you really don't want anyone to be able to access Form Runner, you could block such access with a `<security-constraint>` along the lines of what follows in the `web.xml` (and you would remove the existing `<security-constraint>`).

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted Access</web-resource-name>
        <url-pattern>/fr/*</url-pattern>
    </web-resource-collection>
</security-constraint>

Would this work for you?

-Alex

Andrzej Kaczówka

Nov 10, 2023, 5:38:51 AM
to orb...@googlegroups.com
Hi Alex,

Thanks for your reply.
According to your instructions I did:

In WEB-INF/web.xml I removed the sections below:
<!-- #AK#    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Form Runner</web-resource-name>
            <url-pattern>/fr/auth</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>orbeon-user</role-name>
        </auth-constraint>
    </security-constraint>
-->
<!-- The following pages and services are allowed without constraints by default -->
<!-- #AK#    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Form Runner services and public pages and resources</web-resource-name>
            <url-pattern>/fr/service/*</url-pattern>
            <url-pattern>/fr/style/*</url-pattern>
            <url-pattern>/fr/not-found</url-pattern>
            <url-pattern>/fr/error</url-pattern>
            <url-pattern>/fr/login</url-pattern>
            <url-pattern>/fr/login-error</url-pattern>
        </web-resource-collection>
    </security-constraint>
-->

and added the following:

<!-- AK 10.11.2023 -->

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted Access</web-resource-name>
        <url-pattern>/fr/*</url-pattern>
    </web-resource-collection>
</security-constraint>

I restarted Tomcat, but the <domain>/orbeon/fr URL still works - it displays the list of defined forms.
What else do I have to do?

I can attach a web.xml file if needed.

Best regards,
Andrzej


Alessandro Vernet

Nov 13, 2023, 4:51:38 PM
to orb...@googlegroups.com
Hi Andrzej,

My bad: my snippet was missing an `<auth-constraint/>` inside the `<security-constraint>`. So it should be:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted Access</web-resource-name>
            <url-pattern>/fr/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

Please let me know if this works for you.

-Alex

Andrzej Kaczówka

Nov 14, 2023, 6:48:38 AM
to orb...@googlegroups.com
Hi Alex,

Thanks for your reply.

I applied the changes and now Form Runner is blocked. But apart from the blocked URL <domain>/orbeon/fr, the PHP script where I embed the form with ORBEON.fr.API.embedForm doesn't work either - it's forbidden.

I need to block the URL to Form Runner, but the form embedding should work. How can I solve this?

Andrzej

Alessandro Vernet

Nov 14, 2023, 11:11:16 PM
to orb...@googlegroups.com
Hi Andrzej,

If you are using the JavaScript Embedding API, I assume that you are in the situation described as "Option 1" in the diagram below, which is taken from the documentation (see 1st link below, and "Option 2" is new in 2023.1). In this case, you can simply place the Orbeon Forms server behind your firewall, so that it cannot be accessed directly by users. Or, if you do not have an easily configurable firewall, you can set up a Tomcat valve so that Tomcat only allows access from the IP of "Your App Server".

Does a solution along those lines work for you?



Alessandro Vernet

Nov 29, 2023, 5:06:10 PM
to orb...@googlegroups.com
Hi Andrzej,

Did you get a chance to look into configuring a firewall or setting up a Tomcat valve to protect against undesired access to Orbeon Forms, as suggested in my previous message?

-Alex

Andrzej Kaczówka

Dec 5, 2023, 6:19:31 AM
to orb...@googlegroups.com
Hi Alex,

Sorry for the delay in replying.
I forwarded the problem to the person responsible for server configuration.

I was wondering if there isn't a simpler way to just block the page (/orbeon/fr) that displays the list of defined forms. This would solve my problem.
If not, I hope reconfiguring the server will solve the problem.

Kind regards,
Andrzej


Alessandro Vernet

Dec 5, 2023, 1:48:34 PM
to orb...@googlegroups.com
Hi Andrzej,

You could try the security constraint below, which is almost identical to the one above, just without the asterisk in the path. Hopefully that will do the trick.


    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted Access</web-resource-name>
            <url-pattern>/fr/</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

-Alex
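
Added example, not part of the thread or of Orbeon's code: a simplified Python model of how the Servlet specification selects and applies a `<security-constraint>`, run over the three variants posted above. The sample paths are constructed, and HTTP methods and the merging of constraints that share a pattern are not modelled.

```python
# Simplified model of Servlet-spec <security-constraint> matching (added example).
# Paths are relative to the web app context: <domain>/orbeon/fr/ is "/fr/" here.
# Not modelled: HTTP methods, and merging of constraints that share a pattern.
PERMIT, DENY = "permit", "deny"

def match_rank(pattern, path):
    """Rank of pattern for path, or None if it does not cover the path.
    Spec order: exact match, longest path prefix, extension, default ("/")."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def decide(constraints, path, roles=()):
    """constraints: list of (url_pattern, auth). auth is None when there is no
    <auth-constraint>, [] for an empty <auth-constraint/>, else role names."""
    best = None
    for pattern, auth in constraints:
        rank = match_rank(pattern, path)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, auth)
    if best is None or best[1] is None:
        return PERMIT  # not covered, or covered without an <auth-constraint>
    if not best[1]:
        return DENY    # empty <auth-constraint/>: no role can ever match
    return PERMIT if set(best[1]) & set(roles) else DENY

# The three variants posted in the thread, in order.
VARIANTS = {
    "/fr/* without auth-constraint": [("/fr/*", None)],
    "/fr/* with <auth-constraint/>": [("/fr/*", [])],
    "/fr/ with <auth-constraint/>": [("/fr/", [])],
}
# Constructed sample paths; the form page and service paths are placeholders.
PATHS = ["/fr", "/fr/", "/fr/acme/order/new", "/fr/service/x"]

def report():
    return {name: {p: decide(c, p) for p in PATHS} for name, c in VARIANTS.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:32}", row)
```

In this model the exact pattern `/fr/` does not cover `/fr` without the trailing slash, so both spellings are worth requesting after a deployment to confirm the form listing is refused.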
