Authenticated and non-authenticated forms in the same environment

SM7
Hi,

I am trialling Orbeon Forms for an upcoming project.

The original requirements were to implement authentication for Form access.
I have configured Tomcat to read from SQL Server "users" and "user_roles" tables, to authenticate a user's access to a particular Form (or FormBuilder, or FormRunner).

I have now been asked to provide an environment with both authenticated forms and also the option to allow access to particular forms without entering a username/password.

I've attempted to append a username and password to a form URL as parameters, but this does not appear to work. Is this possible?
http://server.dev.local:1977/orbeon/fr/Application/Form/new?userNameCol=username&userCredCol=password

Alternatively, I could implement two instances of Orbeon on the server. One with user authentication enabled, and the other without authentication. The Orbeon licensing appears to support multiple instances of the software on a server.

Are there any other alternatives to offering authenticated and non-authenticated form access?

Thanks

Re: Authenticated and non-authenticated forms in the same environment

Eusebio
Hi,

You could control access on a form-specific basis in the web.xml file.

You would have some unauthenticated pages where the security constraint doesn't define a role.

Then have some pages which are constrained to a specific role.
 
e.g. - the auth below is set to basic, but I have edited the constraints to show per form access.

    <!-- Form Builder: only the form-builder role may access these URLs -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Form Runner pages</web-resource-name>
            <url-pattern>/fr/</url-pattern>
            <url-pattern>/fr/orbeon/builder/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>form-builder</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- No auth-constraint: these URLs are served without authentication -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Form Runner services and public pages and resources</web-resource-name>
            <url-pattern>/fr/service/*</url-pattern>
            <url-pattern>/fr/style/*</url-pattern>
            <url-pattern>/fr/not-found</url-pattern>
            <url-pattern>/fr/unauthorized</url-pattern>
            <url-pattern>/fr/error</url-pattern>
            <url-pattern>/fr/login</url-pattern>
            <url-pattern>/fr/login-error</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <!-- Per-form access: summary and edit pages of test_form/test -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Test_Resource</web-resource-name>
            <url-pattern>/fr/test_form/test/summary</url-pattern>
            <url-pattern>/fr/test_form/test/edit/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>notary</role-name>
            <role-name>form-builder</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- Per-form access: summary, new and edit pages of test2/form1 -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>test2</web-resource-name>
            <url-pattern>/fr/test2/form1/summary</url-pattern>
            <url-pattern>/fr/test2/form1/new</url-pattern>
            <url-pattern>/fr/test2/form1/edit/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>sql_users</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- form-login-config is only consulted when auth-method is FORM -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <form-login-config>
            <form-login-page>/fr/login</form-login-page>
            <form-error-page>/fr/login-error</form-error-page>
        </form-login-config>
    </login-config>
    <!-- The web.xml schema allows one role-name per security-role element -->
    <security-role>
        <role-name>form-builder</role-name>
    </security-role>
    <security-role>
        <role-name>notary</role-name>
    </security-role>
    <security-role>
        <role-name>sql_users</role-name>
    </security-role>

Re: Authenticated and non-authenticated forms in the same environment

Alessandro Vernet
Administrator
In reply to this post by SM7
Hi,

You can certainly have both forms that require the user to be authenticated, and others that don't, on the same server. If you're in that situation, as mentioned by Eusebio, you'll need to specify what forms require authentication in the web.xml, so your container (e.g. Tomcat) knows if a non-authenticated user should be allowed to access a page, or should instead be redirected to the login page first.

You can also define who can access the form in Form Builder. However, even when doing this, you'll still need to list those forms that require authentication in the web.xml, otherwise non-authenticated users trying to access a form they're not allowed to see will get a 403 ("forbidden"), instead of being redirected to the login page.

Finally, if you think it is simpler to have 2 instances of Orbeon Forms, one for authenticated users and one for non-authenticated users, you can indeed do so with just 1 PE subscription, as long as both instances run on the same server.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
Re: Authenticated and non-authenticated forms in the same environment

SM7
In reply to this post by Eusebio
Thanks for your help guys.
Your suggestions worked perfectly.
Re: Authenticated and non-authenticated forms in the same environment

Alessandro Vernet
Administrator
Cool, I am glad it helped, and thank you for confirming.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet