Container Permission for Form Filling + Form Data Listing


PITS HKE

Sep 19, 2022, 6:01:50 AM
to Orbeon Forms
Dear All,

I have successfully set up Keycloak for OIDC login for access to /fr/*. May I know whether a path restriction like /fr/* would be too weak or too strict? I'm not sure about all the paths, so it is difficult to make the decision.

It is recommended to separate Form Builder into another container. However, how should I ensure that only one container has access to Form Builder? Do any particular changes need to be made to web.xml in Tomcat 9?

Thank you so so much.

Regards,
Jonathan

Alessandro Vernet

Sep 19, 2022, 7:08:56 PM
to orb...@googlegroups.com
Hi Jonathan,

If all your users are authenticated (i.e. you don't have any anonymous users), then requiring users to be logged in for all the `/fr/*` paths is good enough. You don't necessarily have to have Form Builder in a separate container. You'll want to assign a specific role to users who will be allowed to use Form Builder, and require that role in your `form-builder-permissions.xml` (see link below). Does this make sense?

PITS HKE

Sep 20, 2022, 5:56:39 AM
to Orbeon Forms
Hi Alex,

Good to see your message again. Good day to you!

There is a log entry that constantly pops up, as follows, while Form Builder cannot switch back to the /fr/orbeon/builder/summary page. I guess the path /orbeon/xforms-server needs to be secured too. I would appreciate your kind advice. Million thanks.

192.168.187.20 - a078316b-72fa-4621-be55-228840af3599 [20/Sep/2022:17:46:21 +0800] "POST /orbeon/xforms-server HTTP/1.0" 403 627

Portion from web.xml:

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Form Runner pages</web-resource-name>
        <url-pattern>/fr/</url-pattern>
        <url-pattern>/fr/orbeon/builder/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>it_ci</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Form Runner</web-resource-name>
        <url-pattern>/fr/auth</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>it_ci</role-name>
    </auth-constraint>
</security-constraint>
<!-- The following pages and services are allowed without constraints by default -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Form Runner services and public pages and resources</web-resource-name>
        <url-pattern>/fr/service/*</url-pattern>
        <url-pattern>/fr/style/*</url-pattern>
        <url-pattern>/fr/not-found</url-pattern>
        <url-pattern>/fr/error</url-pattern>
        <url-pattern>/fr/login</url-pattern>
        <url-pattern>/fr/login-error</url-pattern>
    </web-resource-collection>
</security-constraint>
```

PITS HKE

Sep 20, 2022, 7:07:49 AM
to Orbeon Forms

The above 403 error is shown when the “close” button is clicked. May I know how to fix that? Thank you.
AF55D39E-A74B-46AD-A1D0-13D30A0F3107.jpeg

Alessandro Vernet

Sep 20, 2022, 5:53:28 PM
to orb...@googlegroups.com
Hi Jonathan,

You shouldn't have to secure `/xforms-server` in your `web.xml`. Are you seeing an issue if you don't? And when you click on "close", you're taken to the Form Builder summary page; does the user maybe not have access to that page?

-Alex

PITS HKE

Sep 20, 2022, 6:33:25 PM
to orb...@googlegroups.com
Hi Alex,

This web error is shown, as attached.

Thank you so so much.

Regards,
Jonathan 

IMG-20220921-WA0000.jpg

Alessandro Vernet

Sep 21, 2022, 4:34:48 PM
to orb...@googlegroups.com
Jonathan, could you also show me the `<security-constraint>` element or elements you have in your `web.xml` when you get the error shown in the screenshot attached to your previous message?

-Alex

PITS HKE

Sep 21, 2022, 9:08:36 PM
to Orbeon Forms
Alex,

Thank you so so much for your reply. I thought there were settings from Orbeon, but not at all. It's related to Keycloak. Please refer to the attached info. Problem resolved now. Thank you.

Jonathan

signal-2022-09-22-09-01-57-925.jpg

Alessandro Vernet

Sep 22, 2022, 5:32:33 PM
to orb...@googlegroups.com
You're saying that setting the "web origins" in the Keycloak config solved the problem? In any case, excellent :).

-Alex
