List and download attachments from API and Liferay auth

Hi,

I have set permission permission for a form and embeded it in Liferay trough proxy orbeon portlet.
So the authentification is handled by Liferay, the orbeon backend access is just restrained by ip, no auth.
When I want to list attachments of a document,  Orbeon send me 403 response.
When I remove permissions, it works.

Do I need to set up auth to backend ?
I want to call the API from a different server.

-----------
Version: Orbeon 2016.1

Properties added for API acess :

<property
  as="xs:string"
  processor-name="oxf:page-flow"
  name="service-public-methods"
  value="GET HEAD"/>

 

Just checking:

- Have you setup proxy portlet to send information about the current user to Orbeon Forms? See "Send Liferay user" on [1].
- And have you setup the properties on the Orbeon Forms side to get the information about the current user from the headers set by the proxy portlet? For more on this, see [2].

[1] https://doc.orbeon.com/form-runner/link-embed/liferay-proxy-portlet.html#configure-the-proxy-portlet
[2] https://doc.orbeon.com/form-runner/link-embed/liferay-proxy-portlet.html#configuring-form-runner-to-use-liferay-user-information

Alex

Yes "Send Liferay user" is checked and the properties are the same as in the documentation.

Hi,

Since you are calling the service from a different server, the settings in Liferay are not relevant. There are two things which are relevant:

1. Whether the service are open to the outside world.

I think you have done this properly already, assuming that you are not doing a POST or a DELETE. For reference, by default Form Runner services are protected, and here is the doc:

    https://doc.orbeon.com/xml-platform/controller/authorization-of-pages-and-services.html

2. Whether you are providing, when calling the service, authentication headers which are accepted by the service.

The same headers which you configured to map Liferay headers should be passed.

Does this help?

-Erik